Tags: grails, ssl, openid

Grails using OpenID4Java causes SSLPeerUnverifiedException


I have a grails application that attempts to use OpenID4Java to authenticate with our own OpenID provider.

The certificate our provider presents is from RapidSSL and has been signed by GeoTrust Global.

Browsers accept the certificate automatically.

I'm on a Mac, and attempting to add the GeoTrustGlobalCA to cacerts at /Library/Java/Home/lib/security/cacerts results in the prompt "Certificate already exists in keystore under alias <keychainrootca-132>". I added it again anyway.

Starting grails within STS with -Djavax.net.debug=ssl run-app -https

I can find the following in the output:

adding as trusted cert:
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x23456
  Valid from Tue May 21 14:00:00 EST 2002 until Sat May 21 14:00:00 EST 2022

adding as trusted cert:
  Subject: CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x18acb56afd69b6153a636cafdafac4a1
  Valid from Mon Nov 27 11:00:00 EST 2006 until Thu Jul 17 09:59:59 EST 2036

However, attempting to access the service from the application results in:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
  at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
  at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
  at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
  at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
  at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
  at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
  at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
  at org.openid4java.util.HttpCache.head(HttpCache.java:335)
  at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:400)
  at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:248)
  at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
  at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
  at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
  at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
  at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
  at org.openid4java.consumer.ConsumerManager$discover.call(Unknown Source)

Solution

  • We resolved the issue with an additional Apache directive along the lines of

    SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

    It seems that we needed an intermediate CA entry because of who our issuer was.
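The solution above fixes the chain on the server side. The following shell script, added here as an illustration and not part of the original question or answer, reproduces the failure mode locally with a constructed three-tier PKI (an example root CA, intermediate CA and server certificate generated by OpenSSL in a temporary directory; the names, the minimal req.cnf and the hostname openid.example.test are all made up for the example). It shows that a client whose truststore holds only the root cannot validate the server certificate unless the intermediate is also presented, which is exactly what SSLCertificateChainFile makes Apache do. It also includes a small check that tells whether a captured bundle is missing the intermediate.

```shell
#!/bin/sh
# Reproduces the failure mode from the question with a locally generated PKI:
# the client trusts only the root CA, the server's certificate is signed by an
# intermediate, and validation succeeds only if the intermediate is presented.
# Every certificate here is constructed for the example; nothing is fetched.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:openid.example.test
EOF

# Root CA (stands in for GeoTrust Global CA): the only entry the client's
# truststore will hold, like the cacerts file in the question.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config req.cnf -extensions v3_ca -subj "/CN=Example Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA (stands in for the RapidSSL issuing CA), signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile req.cnf -extensions v3_ca -out int.pem 2>/dev/null

# Server (OpenID provider) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj "/CN=openid.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -sha256 -extfile req.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Prints "ok" or "fail". The client validates what the server sent against a
# truststore holding only the root; here the server sent its own certificate
# only, which is what an Apache vhost without SSLCertificateChainFile does.
verify_leaf_only() {
  if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Same client, but the server also sent the intermediate (the effect of the
# SSLCertificateChainFile directive). -untrusted models "presented by the peer
# but not trusted in its own right", which is how a TLS client treats chain certs.
verify_with_intermediate() {
  if openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Diagnostic for a bundle captured from the server: does it contain a certificate
# whose subject equals the leaf's issuer? Prints "complete" or "missing-intermediate".
chain_status() {
  bundle="$1"
  issuer="$(openssl x509 -noout -issuer -in leaf.pem)"   # e.g. "issuer=CN = ..."
  issuer="${issuer#issuer=}"
  rm -f part*.pem
  # Split the bundle into one file per certificate, then compare each subject.
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > ("part" n ".pem")}' "$bundle"
  for part in part*.pem; do
    subj="$(openssl x509 -noout -subject -in "$part")"
    if [ "${subj#subject=}" = "$issuer" ]; then echo complete; return 0; fi
  done
  echo missing-intermediate
}

# Two constructed "what the server sent" bundles: leaf alone, and leaf plus chain.
cat leaf.pem > sent-without-chain.pem
cat leaf.pem int.pem > sent-with-chain.pem

echo "leaf only:         verify=$(verify_leaf_only) chain=$(chain_status sent-without-chain.pem)"
echo "with intermediate: verify=$(verify_with_intermediate) chain=$(chain_status sent-with-chain.pem)"
```

Against a live server the equivalent check is to capture what it actually sends with `openssl s_client -connect host:443 -showcerts` and look for a certificate whose subject matches the leaf's issuer; if only one certificate comes back, the Java client will fail exactly as in the stack trace above, no matter how many roots are added to cacerts, because the JDK cannot bridge from the leaf to the trusted root without the intermediate.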