<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello,<br>
<br>
Note that asking whether you trust a site and actually being able to
establish a secure connection to that site are two different things.<br>
<blockquote type="cite"><oXygen/> first asked whether I wanted
to allow and trust the site</blockquote>
This is indeed Oxygen asking if you will allow opening a resource
from a website that is not listed in its trusted hosts (Options >
Preferences, Network Connection Settings > Trusted Hosts).<br>
<br>
<blockquote type="cite">and when I told it that I did,
<oXygen/> refused to load it, telling me that:
<blockquote type="cite">Cannot open the specified file.<br>
There was a problem establishing the secure HTTPS connection. In
case the server you are trying to connect to uses self-signed
certificates, read the 'Troubleshooting HTTPS' section from the
user manual.<br>
Full error message: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: <b>unable
to find valid certification path to requested target</b></blockquote>
</blockquote>
Oxygen is a Java application and this is the underlying Java
HTTPS/SSL protocol saying it cannot verify the certificate used by
the site and thus cannot establish a secure connection.<br>
The most common problem in such cases is that the HTTPS server
either uses a self-signed certificate or is not correctly configured
in that it only provides the certificate itself (which may be issued
by an authority), but without the intermediate certificate (or chain
of certificates) up to the trusted root certificate of the
authority.<br>
Web browsers sometimes have the intermediate certificate in their
trusted keystore, but Java doesn't.<br>
<br>
<blockquote type="cite">When I browse my Keychain (under System
Roots -> Certificates) I see "DST Root CA X3", and nothing else
that comes close to matching what I see when I view the
certificate in Chrome.</blockquote>
<blockquote type="cite">I was notified that "Certificate already
exists in system-wide CA keystore under alias
<identrustdstx3></blockquote>
Since you mention that it says the certificate already exists, the
root isn't the certificate that is missing, it's most likely an
intermediate certificate that is missing.<br>
<br>
You can check the site in question with an online SSL test tool like
<a class="moz-txt-link-freetext" href="https://www.ssllabs.com/ssltest/">https://www.ssllabs.com/ssltest/</a><br>
Look for "Chain issues" in the report and look for Java 8 in the
list of "Handshake Simulation".<br>
<br>
Anyway, on macOS it's a somewhat difficult process to actually
import the site certificate to the Java trusted keystore. A simple
workaround is to check the option "<span class="ph uicontrol">Automatically
accept a security certificate, even if invalid</span>" from "Options
> Preferences, Network Connection Settings / HTTP(S)/WebDAV".<br>
Please note that this is a global option, so this applies to all
sites.<br>
<br>
Regards,<br>
Adrian<br>
<br>
<div class="moz-cite-prefix">On 16.01.2020 20:23, David Birnbaum
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAP4v81qeDT++fH=2WujdUzsLPwxLX-r0Qr4ZLpWS9accDUvZow@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Dear oxygen-user,
<div><br>
</div>
<div>Thank you, Lee, for pointing me toward the online
explanation, but it doesn't help. The instructions seem to
have been written for Windows, and I tried adapting them for
MacOS, so perhaps that's the source of my difficulty. Here are
the details:</div>
<div><br>
</div>
<div>A few data points:</div>
<div><br>
</div>
<div>I see no option when viewing the certificate in either
Chrome or Firefox (by clicking on the security icon
immediately to the left of the URL) to export or save the
certificate. The instructions at the link Lee mentioned say
that I should be able to view a certificate from the browser
and then save it to file, but I don't see an option to do
that.</div>
<div><br>
</div>
<div>The browser accepts the certificate without a question, and
doesn't report it as self-signed. It is reported as issued by
"Let's Encrypt Authority X3" (under "DST Root CA X3"). Only
<oXygen/> seems to think that it is self-signed.</div>
<div><br>
</div>
<div>What I tried:</div>
<div><br>
</div>
<div>When I browse my Keychain (under System Roots ->
Certificates) I see "DST Root CA X3", and nothing else that
comes close to matching what I see when I view the certificate
in Chrome. I guessed that this was what I wanted, and I
exported it from the Keychain, navigated to the JRE folder for
<oXygen/>, adjusted the instructions for MacOS (they
were written for Windows, with backslashes and explicit
paths), and ran the import command. I was notified that
"Certificate already exists in system-wide CA keystore under
alias <identrustdstx3> Do you still want to add it to
your own keystore?". I told it "no" and restarted
<oXygen/> and was not able to open the remote URL. So I
ran the import again, told it "yes" this time, restarted
<oXygen/>, and got the same error about not being able
to open the URL.</div>
<div><br>
</div>
<div>Best,</div>
<div><br>
</div>
<div>David</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jan 16, 2020 at 1:00
PM <<a href="mailto:oxygen-user-request@oxygenxml.com"
moz-do-not-send="true">oxygen-user-request@oxygenxml.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Message: 1<br>
Date: Wed, 15 Jan 2020 17:25:41 +0000<br>
From: "Hart, Lee" <<a href="mailto:hleehart@amazon.com"
target="_blank" moz-do-not-send="true">hleehart@amazon.com</a>><br>
To: "<a href="mailto:oxygen-user@oxygenxml.com"
target="_blank" moz-do-not-send="true">oxygen-user@oxygenxml.com</a>"
<<a href="mailto:oxygen-user@oxygenxml.com" target="_blank"
moz-do-not-send="true">oxygen-user@oxygenxml.com</a>><br>
Subject: Re: [oXygen-user] self-signed certificates<br>
Message-ID:<br>
<<a
href="mailto:5e20df9778d24e24bfbf3c16dedb7409@EX13D13UWB003.ant.amazon.com"
target="_blank" moz-do-not-send="true">5e20df9778d24e24bfbf3c16dedb7409@EX13D13UWB003.ant.amazon.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
I tried opening a file from a URL on a site that uses a
self-signed certificate. <oXygen/> first asked whether I
wanted to allow and trust the site, and when I told it that I
did, <oXygen/> refused to load it, telling me that:<br>
<br>
Cannot open the specified file.<br>
There was a problem establishing the secure HTTPS connection.
In case the server you are trying to connect to uses
self-signed certificates, read the 'Troubleshooting HTTPS'
section from the user manual.<br>
Full error message:
sun.security.validator.ValidatorException: PKIX path building
failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target<br>
<br>
I'm running XML Editor 21.1, build 2019120214, with the
bundled Java, on MacOS Mojave. How do I communicate to
<oXygen/> that it should trust this site? I tried adding
an exception for the site to my Java configuration, which
didn't help, and I then realized that that was probably
because those exceptions are for my system Java, and
<oXygen/> is using its own.<br>
<br>
The instructions at Troubleshooting HTTPS<<a
href="https://www.oxygenxml.com/doc/versions/21.1/ug-author/topics/import-https-server-certificate.html"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://www.oxygenxml.com/doc/versions/21.1/ug-author/topics/import-https-server-certificate.html</a>>
in the user manual seem straightforward – where did you have
problems following them?<br>
<br>
Lee<br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
oXygen-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:oXygen-user@oxygenxml.com">oXygen-user@oxygenxml.com</a>
<a class="moz-txt-link-freetext" href="https://www.oxygenxml.com/mailman/listinfo/oxygen-user">https://www.oxygenxml.com/mailman/listinfo/oxygen-user</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Adrian Buza
oXygen XML Editor and Author Support
Tel: +1-650-352-1250 ext.2020
Fax: +40-251-461482
</pre>
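<br>
Added example, not part of the message above or of the Oxygen documentation: a shell helper that reads the certificate-chain summary printed by <code>openssl s_client -showcerts</code> and tells apart the two causes named in the reply, a self-signed certificate and a chain sent without its intermediate. The host name and both sample outputs are constructed, and the root name passed in is an assumption taken from the keystore message quoted in the thread.<br>

```shell
#!/bin/sh
# Added example: classify the "Certificate chain" summary printed by
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# Usage: diagnose_chain ROOT_NAME < s_client-output
# ROOT_NAME is an assumption supplied by the caller: part of the subject of a
# root already present in the Java truststore (here "DST Root CA X3").
diagnose_chain() {
    awk -v root="$1" '
        BEGIN { n = 0 }
        # " 0 s:<subject>" starts an entry; the following "   i:<issuer>" ends it
        /^ *[0-9]+ s:/ { s = $0; sub(/^ *[0-9]+ s:/, "", s); subject[n] = s; next }
        /^ +i:/        { i = $0; sub(/^ +i:/, "", i); issuer[n] = i; n++; next }
        END {
            if (n == 0) { print "no-chain"; exit }
            last = issuer[n - 1]
            # a single certificate that names itself as issuer
            if (n == 1 && subject[0] == last) { print "self-signed"; exit }
            # the last certificate sent is issued by a root Java already trusts
            if (root != "" && index(last, root) > 0) { print "complete"; exit }
            # otherwise this issuer is the certificate Java cannot find
            print "missing-intermediate: " last
        }'
}

# Constructed s_client output: the server sends only its own certificate.
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:CN = docs.example.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
EOF
}

# Constructed s_client output: the server also sends the intermediate.
sample_full_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = docs.example.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

sample_leaf_only  | diagnose_chain "DST Root CA X3"
sample_full_chain | diagnose_chain "DST Root CA X3"
```

The issuer printed after <code>missing-intermediate:</code> is the certificate the server should add to the chain it sends, or the one to import into the keystore of the Java runtime that Oxygen uses. Importing the root again does not help when the root is already trusted.<br>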
</body>
</html>