B4J Question [solved]Again: PKIX path building failed: 2 Servers, different behaviour

KMatle

Expert
Licensed User
Longtime User
I've got 2 Servers running Apache with SSL and a valid certificate. If you call the website, any browser works with SSL on both servers. Server one is a hosted one which was installed by IONOS. Server 2 is a VPS which I installed on my own.

When I call a php script via OKHttpUtils on Server 1 all is working well via SSL. Doing the same on Server 2 causes the PKIX error though browsers work like a charm. I've even installed the Server's certificate with InstallCert.jar, which is giving "javax.net.ssl.SSLPeerUnverifiedException: Hostname 217.xxx.xxx.xxx not verified:...."

Questions

1. Why does Java recognize Server 1's certificate "automatically"?

2. Why does one have to install the certificate via InstallCert.jar at all? (I thought it was handled via handshake?). This would mean that every website's certificate had to be installed manually? I can't think that this is meant to be that way.

PS: Will check Server 2 for issues but that doesn't explain why browsers work
 

OliverA

Expert
Licensed User
Longtime User
Upvote 0

KMatle

Expert
Licensed User
Longtime User
Who did you use for your SSL certificate? Which version of Java are you running on Server 2? First instinct: The SSL provider is not trusted by the default CA's known by Java. For information on this see https://confluence.atlassian.com/kb...kix-path-building-failed-error-779355358.html (scroll to the "Cause" section).

It's

B4X:
Encryption Everywhere DV TLS CA - G1
AIA: http://cacerts.digicert.com/EncryptionEverywhere....


for both servers. The test tool on that given site says "SSL is good".

I'm a bit lost because one works, the other doesn't.
 
Upvote 0

OliverA

Expert
Licensed User
Longtime User
Are the java versions on both exactly the same? Came from the same source? Is each program using the correct version (in case multiple installed)?
 
Upvote 0

KMatle

Expert
Licensed User
Longtime User
Here's the solution. Problem was the missing SSLCertificateChainFile file in ssl.conf (under httpd.conf.d):

B4X:
SSLCertificateFile /etc/pki/tls/certs/yoursite_ssl_certificate.cer
SSLCertificateKeyFile /etc/pki/tls/private/_.yoursite_private_key.key
----> SSLCertificateChainFile /etc/pki/tls/certs/_.yoursite_ssl_certificate_INTERMEDIATE.cer <----

A lot of examples just use the first two which seems to work for most browsers but not for Java. The INTERMEDIATE file is also needed for the chain check.
 
Upvote 0
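The difference between "browsers work, Java fails" comes down to what the server actually sends during the handshake: browsers can fetch a missing intermediate themselves via the AIA URL shown above, while Java's default PKIX path builder only uses the certificates the server presents plus its local trust store. A quick way to see which situation you are in is `openssl s_client -showcerts`, which prints every certificate the server sent and ends with a verify return code (21, "unable to verify the first certificate", is the usual symptom of a missing intermediate). The script below is an added example, not code from the thread or from B4X: it parses that output, counts the certificates in the presented chain and gives a one-line verdict. The `live_check` function assumes `openssl` is installed and reachable on PATH; the sample outputs are constructed to resemble a leaf-only server and a correctly configured one.

```shell
#!/bin/sh
# Added example: diagnose a "leaf only" TLS chain (Java PKIX error) versus a complete
# "leaf + intermediate" chain from `openssl s_client -showcerts` output.

# count_chain_certs: number of PEM certificate blocks on stdin.
# `|| true` keeps the function from failing under `set -e` when the count is 0.
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# chain_verdict: read s_client output on stdin, print a one-line diagnosis.
chain_verdict() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | count_chain_certs)
    # Extract the numeric "Verify return code" (0 = ok, 21 = first cert not verifiable).
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    if [ "$n" -le 1 ] && [ "$code" = "21" ]; then
        echo "INCOMPLETE: server sent $n certificate(s); add SSLCertificateChainFile"
    elif [ "$code" = "0" ]; then
        echo "OK: server sent $n certificate(s), chain verifies"
    else
        echo "CHECK: server sent $n certificate(s), verify return code ${code:-unknown}"
    fi
}

# live_check HOST: run against a real server on port 443 (needs network and openssl;
# assumption: openssl(1) is on PATH). Not used by the offline samples below.
live_check() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | chain_verdict
}

# Constructed sample resembling Server 2 before the fix: only the leaf is sent.
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBodyNotARealCertificate=
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
---'

# Constructed sample resembling a server with SSLCertificateChainFile configured.
SAMPLE_FULL='CONNECTED(00000003)
depth=2 CN = Example Root CA
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBodyNotARealCertificate=
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateCertificateBodyNotReal=
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
---'

# Run the offline samples when executed directly.
printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_verdict
printf '%s\n' "$SAMPLE_FULL" | chain_verdict
```

Against a live host, `live_check www.example.com` pipes the real handshake output through the same verdict function. Seeing "INCOMPLETE" with one certificate is exactly the Server 2 case from this thread: the fix is on the server side (ship the intermediate via `SSLCertificateChainFile`), not importing the leaf into the Java trust store with InstallCert.jar, which also explains why a hostname-mismatch error appeared when the IP address rather than the certificate's name was used.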