Tags: java, ssl, https, pki, ca

HTTPS requests failing after SSL certificate change in server


I have two Java applications. Java application "L" calls a REST API hosted by Java application "D". It was working fine until "D"'s certificate expired. I changed the CA from DigiCert to Telia. Now I can see from "L"'s logs that API calls are failing without any proper error message. I couldn't see any error messages in "D"'s logs either. I suspected a failure at the SSL level, so I tried using curl to call the API from "L"'s machine. The curl command is able to call the API successfully. So I took a TCP dump of the traffic between "L" and "D" and I could see this:

3 5    0.0032   (0.0000)    S>C    Handshake
        ServerHelloDone
3 6    0.0042   (0.0010)    C>S    Alert
      level               fatal
      value               certificate_unknown

I think "certificate_unknown" means that "L" is not able to find the root CA of the new Telia cert chain. Is my understanding correct? But why is the curl command working then? Does Java not have access to the system root CAs?


Solution

  • Check the truststore of L. It must contain either D's current certificate or the certificate of one of the signing authorities; otherwise L will not trust that it is communicating with the intended D and will stop communicating.

    There should be an exception thrown on L's side about this, but whether you can see it depends on what L sends to the log or stdout.
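As an added example (not code from the question or the answer), a Java diagnostic that reproduces L's trust decision offline: it loads the chain D serves from a PEM file (an assumed path given on the command line) and validates it against the JVM's own trust store, which Java consults instead of the OS CA bundle that curl reads. Run it with L's JVM and L's -Djavax.net.ssl.trustStore options so it sees the same anchors L does.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage: java TrustCheck d-chain.pem   (run with L's JVM and L's -D options)
// d-chain.pem (assumed path) holds the chain D serves, as PEM blocks, leaf first.
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // A null KeyStore selects the JVM's own trust store (cacerts, or the file
        // -Djavax.net.ssl.trustStore points at): the anchors L's client actually
        // uses, which are separate from the OS CA bundle curl consults.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        X509Certificate leaf = chain.get(0);
        X509Certificate top = chain.get(chain.size() - 1);
        // The trust manager's key-usage check depends on authType; the ECDHE_*
        // values only require digitalSignature, which server certificates carry.
        String authType = "EC".equals(leaf.getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), authType);
            System.out.println("TRUSTED: " + leaf.getSubjectX500Principal());
        } catch (CertificateException e) {
            // This is the failure L hits before sending the certificate_unknown alert.
            System.out.println("NOT TRUSTED: " + e.getMessage());
            boolean anchorFound = false;
            for (X509Certificate a : tm.getAcceptedIssuers()) {
                anchorFound |= a.getSubjectX500Principal().equals(top.getIssuerX500Principal());
            }
            System.out.println(anchorFound ? "Issuer of the top chain cert is in the trust store; inspect the reason above"
                    : "No anchor for " + top.getIssuerX500Principal() + " in the trust store");
        }
    }
}
```

The program checks chain trust only, not the hostname, which is the decision behind the certificate_unknown alert in the dump; a reported missing anchor is fixed by importing that CA certificate into L's trust store with keytool -importcert.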