SSL Peer Not Authenticated error with HttpClient 4 1

Question

I am building a simple app monitor to poll one of our API URLs and email us if it can t get a HTTP 200 status code from the response  this would indicate our API is down for some reason    I am using HttpClient 4 1  this is important because its API differs greatly from 3 x    Our API is secure with SSL  however entering      http   example com our-api   into a web browser redirects you to     https   example com our-api   Without causing any errors   When HttpClient attempts to hit this URL  http   example com our-api   it fails with a javax net ssl SSLPeerUnverifiedException exception with a message stating      peer not authenticated   I see this happening a lot for other people as is evidenced by this post  which also provides some ways of circumventing this problem - a solution that I am going to try and implement tonight in fact    What this other post  and the other similar ones to it  do not do is explain why this is happening in the first place  So  rather than ask  how do I fix this   I figured I would ask  why is this happening   Before I go barging ahead with one of the proposed solutions  I d like to know what the problem is that I m attempting to fix  -

User · Answer

This is thrown when          the peer was not able to identify itself  for example  no   certificate  the particular cipher suite being used does not support   authentication  or no peer authentication was established during SSL   handshaking  this exception is thrown    Probably the cause of this exception  where is the stacktrace  will show you why this exception is thrown  Most likely the default keystore shipped with Java does not contain  and trust  the root certificate of the TTP that is being used   The answer is to retrieve the root certificate  e g  from your browsers SSL connection   import it into the cacerts file and trust it using keytool which is shipped by the Java JDK  Otherwise you will have to assign another trust store programmatically

User · Answer

keytool -import -v -alias cacerts -keystore cacerts jks -storepass changeit -file C  cacerts cer

User · Answer

If the server s certificate is self-signed  then this is working as designed and you will have to import the server s certificate into your keystore   Assuming the server certificate is signed by a well-known CA  this is happening because the set of CA certificates available to a modern browser is much larger than the limited set that is shipped with the JDK JRE   The EasySSL solution given in one of the posts you mention just buries the error  and you won t know if the server has a valid certificate   You must import the proper Root CA into your keystore to validate the certificate   There s a reason you can t get around this with the stock SSL code  and that s to prevent you from writing programs that behave as if they are secure but are not

User · Answer

Im not a java developer but was using a java app to test a RESTful API  In order for me to fix the error I had to install the intermediate certificates in the webserver in order to make the error go away  I was using lighttpd  the original certificate was installed on an IIS server  Hope it helps  These were the certificates I had missing on the server     CA crt UTNAddTrustServer CA crt AddTrustExternalCARoot crt

[java] SSL "Peer Not Authenticated" error with HttpClient 4.1

Examples related to java

Examples related to ssl

Examples related to httpclient

Examples related to ssl-certificate