What to do when The SSL certificate has expired

--Environment --Windows 10 Pro 64bit version 1909 - GitBash(mintty 3.1.0) - Payara Server 5.194

Event: When I looked at Payara's server.log, I found a lot.

server.log


[2020-04-22T17:36:57.020+0900] [Payara 5.194] [?x??] [NCLS-SECURITY-05054] [javax.enterprise.system.security.ssl] [tid: _ThreadID=54 _ThreadName=admin-thread-pool::admin-listener(1)] [timeMillis: 1587544617020] [levelValue: 900] [[
  The SSL certificate has expired: [
[
  Version: V3
  Subject: CN=Staat der Nederlanden Root CA - G2, O=Staat der Nederlanden, C=NL
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  modulus: 8051226021100838930438588........
  public exponent: 65537
  Validity: [From: Wed Mar 26 20:18:17 JST 2008,
               To: Wed Mar 25 20:03:10 JST 2020]
  Issuer: CN=Staat der Nederlanden Root CA - G2, O=Staat der Nederlanden, C=NL
  SerialNumber: [    98968c]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[2]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 31 68 74 74 70 3A 2F   2F 77 77 77 2E 70 6B 69  .1http://www.pki
0010: 6F 76 65 72 68 65 69 64   2E 6E 6C 2F 70 6F 6C 69  overheid.nl/poli
0020: 63 69 65 73 2F 72 6F 6F   74 2D 70 6F 6C 69 63 79  cies/root-policy
0030: 2D 47 32                                           -G2

]]  ]
]
...abridgement...

Cause: The SSL certificate has expired

What to do when SEC5054: Certificate has expired in Java EE GlassFish --Qiita

Action: Remove expired information from cacerts.jks

cacerts.jks?

The trust store (the "trust" store) stores only certificates that are trusted by the client. These certificates are CA root certificates, or self-signed certificates. When you install the logical host, you will find a truststore file named cacerts.jks in the following location: <c:\JavaCAPS>\appserver\domains<MyDomain>\config Keystore and Truststore (Java CAPS configuration with SSL support)

Even if I open cacerts.jks with an editor, I can't read it ... so I use the keytool utility.

Check if Java PATH is set in the shell environment to be used

Before you start To run the keytool utility, you need to configure your shell environment to include the J2SE / bin directory in your path. If not, you must specify the full path of the utility on the command line. Certificate Generation with keytool (Sun GlassFish Enterprise Server v3 Administration Guide)

  1. If you are using various versions, PATH may not be set, so check
  2. If PATH is not set, set it
$ java -version
java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 1.8.0_231-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.231-b11, mixed mode)

How to check expired information

It seems that information can be displayed with keytool -list -v -keystore cacerts.jks.

The -list command prints the MD5 fingerprint of the certificate by default. The -v option prints the certificate in a human-readable format. On the other hand, if the -rfc option is specified, the certificate is output using the output-capable encoding method. -storepass storepass Specify the password used to protect the integrity of the keystore. keytool-Key and certificate management tool

And the password information was introduced on the following site

Master password is "change it" What to do when SEC5054: Certificate has expired in Java EE GlassFish --Qiita

#If you output to the screen, a lot of information will be output, so if you want to output all, you should redirect to a file
$ keytool -list -v -keystore cacerts.jks -storepass changeit
alias: cert_92_ca_disig_root_r192
Created date: 2018/01/23
Entry type: trustedCertEntry

owner: CN=CA Disig Root R1, O=Disig a.s., L=Bratislava, C=SK
Issuer: CN=CA Disig Root R1, O=Disig a.s., L=Bratislava, C=SK
Serial number: c3039aee50906e28
Validity start date: Thu Jul 19 18:06:56 JST 2012 end date: Sat Jul 19 18:06:56 JST 2042
...abridgement...

#You need the "alias" and "expiration period" lines to see the expiration date, but you still see a fair amount
$ keytool -list -v -keystore cacerts.jks -storepass changeit | grep -e alias-e Validity period
alias: cert_115_staat_der_nederlanden_root_ca___g3115
Validity start date: Thu Nov 14 20:28:42 JST 2013 end date: Tue Nov 14 08:00:00 JST 2028
alias: ssl.comrootcertificationauthorityrsa
Validity start date: Sat Feb 13 02:39:39 JST 2016 end date: Wed Feb 13 02:39:39 JST 2041
alias: cert_21_xramp_global_ca_root21
...abridgement...

Delete expired information

# 1. cacerts.Move to the directory with jks
$ cd /c/apps/payara5/glassfish/domains/domain1/config/

# 2. cacerts.Back up jks
$ cp cacerts.jks cacerts.jks.bak
$ ls -la | grep cacerts
-rw-r--r--1 ponsuke 1049089 380598 November 29 20:05 cacerts.jks
-rw-r--r--1 ponsuke 1049089 380598 April 23 13:29 cacerts.jks.bak

# 3.Grep aliases for information that has expired before 2020
$ keytool -list -v -keystore cacerts.jks -storepass changeit | grep -e alias-e Validity period| grep -B 1 201[0-9]$
alias: entrust2048ca
Validity start date: Sat Dec 25 02:50:51 JST 1999 End date: Wed Dec 25 03:20:51 JST 2019

# 4.Grep aliases for information that has expired in 2020
$ keytool -list -v -keystore cacerts.jks -storepass changeit | grep -e alias-e Validity period| grep -B 1 2020$
alias: staatdernederlandenrootca-g2
Validity start date: Wed Mar 26 20:18:17 JST 2008 end date: Wed Mar 25 20:03:10 JST 2020
--
alias: equifaxsecureebusinessca1
...abridgement...

# 5.Delete information that has expired before 2020
$ keytool -delete -keystore cacerts.jks  -storepass changeit -alias entrust2048ca

# 6.Delete the most recently expired information that has expired in 2020
$ keytool -delete -keystore cacerts.jks  -storepass changeit -alias staatdernederlandenrootca-g2

$ keytool -delete -keystore cacerts.jks  -storepass changeit -alias equifaxsecureebusinessca1
...abridgement...

# 7.Restart Payara
$ asadmin restart-domain domain1
Successfully restarted the domain
Command restart-domain executed successfully.

# 8. server.Check the log to see if there is any expired information left
$ tail ../logs/server.log

Recommended Posts

What to do when The SSL certificate has expired
What to do when javax.batch.operations.JobStartException occurs
What to do when a javax.el.PropertyNotWritableException occurs
What to do when the changes in the Servlet are not reflected
What to do when undefined method ʻuser_signed_in?'
What to do if you go offline due to SSL certificate error when running Jenkins on Mac
[IOS] What to do when the image is filled with one color
What to do if the server tomcat dies
What to do when debugging "Source not found"
What do you use when converting to String?
What to do when IllegalStateException occurs in PlayFramework
What to do when the value becomes null in the second getSubmittedValue () in JSF Validator
What to do when rails db: seed does not reflect in the database
[Grails] Error occurred running What to do when the Grails CLI does not start
What to do if the debug gem installation fails
What to do if the Rails server can't start
What to do when JSF tags do not become HTML
What to do if ClassNotFoundException occurs when starting Tomcat
What should I do to reload the updated Dockerfile?
What to do when a null byte error occurs
What to do when rails creates a 〇〇 2.rb file
Error ExecJS :: RuntimeUnavailable: What to do when it occurs
ParseException: What to do when Unparseable date is reached
[React.useRef] What to do when the latest state cannot be referenced in the event listener
What to do when "Fail to load the JNI shared library" is displayed in Eclipse
What to do when it becomes Unable to find CDI BeanManager.
What I was addicted to when introducing the JNI library
What to do when Method not found in f: ajax
What to do when you launch an application with rails
What to do when Cannot apply expression operators to method binding
What to do if the adb command cannot be executed
What to do if you can't use the rails command
[Joke] What to do when the invalid sample rate is reached when using Mixxx on Ubuntu 20.04
[Rails Tutorial Chapter 2] What to do when you make a mistake in the column name
What to do when Rails on Docker does not reflect controller changes in the browser
[Rails] What to do when the view collapses when a message is displayed with the errors method
What to do when "relation" hibernate_sequence "does not exist" in the ID column of PostgreSQL + JPA
[Ubuntu 20.04] What to do if the external monitor is not recognized
What to do if validation doesn't work with the update action
[Programming beginner] What to do when rails s becomes an error in the local development environment
What to do when Gradle says "For more information, please recompile with the -Xlint: unchecked option"
[Ruby] What to do when the error "cannot load such file" appears when executing VS Code debug
What to do if the Rails page doesn't appear in Rails tutorial 1.3.2
What to do when you want to know the source position where the method is defined in binding.pry
What to do if Cloud9 is full in the Rails tutorial
What to do if the Eclipse Maven dependency Jar is wrong
[Rails] What to do when rails s does not respond or does not stop
java.security.InvalidKeyException: What to do when Illegal key size or default parameters
What to do after Vagrant install
When will you do the refactoring?
What to do when you become a Problem During Content Assist
What to do if the app is not created with the latest Rails version installed when rails new
What to do when you run into a docker-compose node_modules problem
What to do if you forget the root password in CentOS7
What to do when Maven says "For more information, please recompile with the -Xlint: unchecked option"
What to do if you cannot roll back the migration (UnknownMigrationVersionError)
What to do when javax.el.ELException: Not a Valid Method Expression: appears when the JSF screen is displayed
What to do if Operation not permitted is displayed when you execute a command in the terminal
Memorandum: What I was addicted to when I hit the accounting freee API
What I thought when passing the user input value to the Service class
What to do if the background image is not applied after deployment