SSL HandShake Exception

Question

SSL HandShake Exception

I am using an SSL connection to connect a web client to a server. It has been working without any problems for a long time. But from yesterday he gives the following error, can someone tell me the reason.

javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1172) at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:65) at net.schubart.fixme.internal.MessageInput.readExactly(MessageInput.java:166) at net.schubart.fixme.internal.MessageInput.readMessage(MessageInput.java:78) at cc.aot.itsWeb.ClientWriterThread.run(ClientWriterThread.java:241) at java.lang.Thread.run(Thread.java:619) clientWriter.ready Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1586) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:865) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:621) at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59) at java.io.OutputStream.write(OutputStream.java:58) at net.schubart.fixme.internal.Message.write(Message.java:267) at net.schubart.fixme.internal.MessageOutput.writeMessage(MessageOutput.java:53)

+6

java ssl

ganuke Sep 23 '10 at 4:37

source share

10 answers

user3430832 · Answer 1 · 2014-03-17T21:58:43+0000

I spent more than 12 hours on this problem. After creating a self-signed certificate, you must export this certificate to a cacert file. In my case, it was in /usr/lib/java/jre/lib/security/cacert . You can export the certificate using keytool (maybe you need root access):

 $ sudo keytool -exportcert -alias keyStoreAlias -keystore \ keyStoreKeys.keys -file /usr/local/java/jre/lib/security/cacerts

Joshua michael calafell · Answer 2 · 2014-11-28T15:30:15+0000

You are having problems with certificates. The following is a list of things you might need before working with a secure SSL program. There must be a trust store, a keystore, and certificates must be added. To add a key to your cacerts file, as in step 6, the computer may ask you for a password that you do not know. This is most likely a "changeit"

1) To create a new keystore and a self-signed certificate with the corresponding public / private keys:

  keytool -genkeypair -alias "username" -keyalg RSA -validity 7 -keystore keystore

2) Explore the keystore:

 keytool -list -v -keystore keystore

3) Export and verify a self-signed certificate:

 keytool -export -alias "username" -keystore keystore -rfc -file "username".cer

4) Import the certificate into the new trust store:

 keytool -import -alias "username" -file "username".cer -keystore truststore

5) Explore the trust store:

 keytool -list -v -keystore truststore

6) Add to keystore (this is what you are looking for):

 sudo keytool -import -file "username".cer -alias "username" -keystore "path-to-keystore"

On some systems, this is located in

 /usr/lib/jvm/<java version folder>/jre/lib/security/cacerts

and on other systems it’s something like

 /etc/ssl/certs/java/cacerts

Check out this project on Git-Hub if you need more clarification: https://github.com/rabbitfighter81/JSSLInfoCollectionServer And here is a shell script that helps with keys. https://github.com/rabbitfighter81/SSLKeytool

Steven · Answer 3 · 2010-09-23T06:50:24+0000

Check that the certificate is valid, you can do it using your browser.

David grant · Answer 4 · 2011-05-05T10:57:37+0000

The certificate provided by the server is not trusted. This may be due to the expiration of the certificate or a trust manager who cannot establish a chain of trust for any of the certificates in your trust store.

fancy · Answer 5 · 2013-03-01T12:04:33+0000

If you really need, you can accept all certificates. But keep in mind that this is really ugly.

Take a look.

Ryan d · Answer 6 · 2014-03-17T22:03:17+0000

First I have to check if the certificate has expired. When working with suppliers, you have come across this many times. They can renew their certificates without telling us.

sealz · Answer 7 · 2012-02-08T14:56:31+0000

You can verify the certificate through a browser.

In Internet Explorer

 Right Click >> Properties >> Certificates

After that, in the "Certificates" window, you can also view the entire certificate tree.

If you have an invalid certificate, you can see the solution using the keytool .

Keytool Commands

Rusty umt · Answer 8 · 2014-01-14T12:24:23+0000

I think you need to add storage in jre1.6 cacert . Then deploy your server again. How can you add keystore PORTECLE . it is very useful.

Mikematic · Answer 9 · 2016-07-20T19:53:06+0000

This "certificate_unknown" is a very misleading error message. This is the same error message that is issued when a certificate has expired, even if it is in a trusted store. I suggest checking the validity of the certificate before spending your time on anything else.

Zds · Answer 10 · 2018-03-16T16:58:16+0000

When I received this error, the problem was that the server certificate used the SHA1withRSA signature algorithm and the Android 8.0 client. Switching to a SHA256withRSA-based server certificate resolved the issue.

SSL HandShake Exception

More articles: