I have configured GlassFish with "Client Authentication:Enabled" on the "http-listener-1"
The client certificate is added to the GlassFish keystore
The worker (timestamp dispatcher) is configured as: AUTH=CLIENTCERT
I have added authorization for this certificate to the worker config
Hi,
I have a problem with the web service (bin/client.sh request) when using client certificate authentication.
My worker is set with AUTH = CLIENTCERT (it's a TIMESTAMP worker).
I have added an authorized client for this worker using a certificate (we call it client.crt).
The certificate client.crt is present in the application server's truststore (I use GlassFish APPSRV).
But when I try to request the worker, it returns an error: "client authentication"
Detail of the request:
bin/client.sh timestamp -instr mystring -outrep response.tsr -url http://localhost:8080/signserver/tsa?workerId=1 -keystore /tmp/client.jks -keystorepwd "my_pass" -keyalias "my_alias"
Detail of the error message:
Exception in thread "main" org.signserver.cli.spi.UnexpectedCommandFailureException: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:8080/signserver/tsa?workerId=1
at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:320)
at org.signserver.cli.CommandLineInterface.execute(CommandLineInterface.java:97)
at org.signserver.client.cli.ClientCLI.main(ClientCLI.java:45)
Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:8080/signserver/tsa?workerId=1
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1403)
at org.signserver.client.cli.defaultimpl.TimeStampCommand.tsaRequest(TimeStampCommand.java:586)
at org.signserver.client.cli.defaultimpl.TimeStampCommand.run(TimeStampCommand.java:334)
at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:312)
... 2 more
Detail of the server.log:
[#|2013-07-31T12:12:19.463+0200|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-0;|INFO [IWorkerLogger] AUDIT; DefaultTimeStampLogger; LOG_ID: db8d7ba8-f6f9-4f66-bf93-bea140d0f8d3; CLIENT_IP: 127.0.0.1; REQUEST_FULLURL: http://localhost:8080/signserver/tsa?workerId=1; RequestTime: 1375265539461; ResponseTime: 1; TimeStamp: ${TSA_TIME}; PKIStatus: ${TSA_PKISTATUS}; PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: ${TSA_SERIALNUMBER}; TSA_POLICYID: ${TSA_POLICYID}; SIGNER_CERT_SERIALNUMBER: ${SIGNER_CERT_SERIALNUMBER}; SIGNER_CERT_ISSUERDN: ${SIGNER_CERT_ISSUERDN}; TIMESTAMPREQUEST_ENCODED: ${TSA_TIMESTAMPREQUEST_ENCODED}; TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED}; ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION: ${TSA_EXCEPTION}; EXCEPTION: Error, client authentication is required.
However when I configure the worker with AUTH = NOAUTH, the request is successful.
Can somebody help me?
Regards,
Valentin.
I have sent the request with the port number changed to 4883:
bin/client.sh timestamp -instr mystring -outrep response.tsr -url http://localhost:4883/signserver/tsa?workerId=1 -keystore /tmp/client.jks -keystorepwd "my_pass" -keyalias "my_alias"
But another error appears now:
Exception in thread "main" org.signserver.cli.spi.UnexpectedCommandFailureException: java.net.SocketException: Unexpected end of file from server
Caused by: java.net.SocketException: Unexpected end of file from server
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:770)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:633)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:767)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:633)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1162)
But nothing appears in the server.log file.
It seems to me that the problem is again with the HttpRequest from the client?
As an attachment, you can see my signserver_build.property file for the build configuration. Maybe the mistake comes from here?
Regards,
Valentin.
Now it sounds like you might have configured the HTTP connector in GlassFish to require a client certificate, right?
The "Unexpected end of file from server" in the logs indicates that the server does not like the connection. This could be if the client did not specify a valid certificate issued by a CA in the truststore configured for that HTTP connector.
Maybe the jks is missing the correct CA, the keystore path is not configured correctly or with wrong password? Maybe the logs during the start of the GlassFish domain could give some more information.
Regards,
Markus
Have you configured the HTTP connector in GlassFish to require client certificate authentication? If not, you could get that error.
Regards,
Markus
Yes, I have configured the HTTP connector with client cert auth. But the problem may come from my certificate; it's not a certificate with extendedKeyUsage = clientAuth.
I'll check that and try again next week.
Thanks,
Regards,
Valentin.
Hi Markus,
My problem persists...
But the same error appears on the server's log:
PS: I send client request using:
and using
Regards,
Valentin.
Client certificate authentication must be over HTTPS. If you are able to send requests like you do to port 8080 then that port is not configured for HTTPS or you are using the wrong port.
Best regards,
Markus
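An added example, not part of the thread and not SignServer code: a Python triage script for the two artifacts posted above, the server.log audit line and the bin/client.sh command. It flags the case Markus describes, where a keystore is supplied but the request goes to an http:// URL, so no client certificate can be presented. The sample strings are abridged from the posts; the function names are made up for this example.

```python
import shlex
from urllib.parse import urlsplit

# Constructed samples, abridged from the audit line and command in the first post.
SAMPLE_LOG = ("[#|2013-07-31T12:12:19.463+0200|INFO|sun-appserver2.1|"
              "javax.enterprise.system.stream.out|_ThreadID=16;|"
              "INFO [IWorkerLogger] AUDIT; DefaultTimeStampLogger; "
              "CLIENT_IP: 127.0.0.1; "
              "REQUEST_FULLURL: http://localhost:8080/signserver/tsa?workerId=1; "
              "PKIStatus: ${TSA_PKISTATUS}; "
              "EXCEPTION: Error, client authentication is required.")
SAMPLE_CMD = ('bin/client.sh timestamp -instr mystring -outrep response.tsr '
              '-url http://localhost:8080/signserver/tsa?workerId=1 '
              '-keystore /tmp/client.jks -keystorepwd "my_pass" -keyalias "my_alias"')

def parse_audit(line):
    """Return the 'KEY: value' pairs that follow the AUDIT marker."""
    _, _, body = line.partition("AUDIT; ")
    fields = {}
    for part in body.split("; "):
        key, sep, value = part.partition(": ")
        if sep:  # skip bare tokens such as the logger name
            fields[key.strip()] = value.strip()
    return fields

def diagnose_log(line):
    """Classify a 'client authentication is required' audit entry by URL scheme."""
    fields = parse_audit(line)
    if "client authentication is required" not in fields.get("EXCEPTION", ""):
        return None
    if urlsplit(fields.get("REQUEST_FULLURL", "")).scheme == "http":
        return "plain-http: no TLS handshake, so no client certificate reached the worker"
    return "https: TLS was used but no client certificate was presented or accepted"

def check_command(cmd):
    """Flag a client.sh call that passes -keystore but targets a non-HTTPS URL."""
    args = shlex.split(cmd)
    opts = {a: args[i + 1] for i, a in enumerate(args[:-1]) if a.startswith("-")}
    url = urlsplit(opts.get("-url", ""))
    if "-keystore" in opts and url.scheme != "https":
        return f"-keystore is set but {url.scheme}://{url.netloc} is not HTTPS"
    return None

if __name__ == "__main__":
    print(diagnose_log(SAMPLE_LOG))
    print(check_command(SAMPLE_CMD))
```
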