[oXygen-user] oXygen-user Digest, Vol 111, Issue 7

Oxygen XML Editor Support (Adrian Buza) support at oxygenxml.com
Fri Jan 24 05:31:17 CST 2020


Hello,

Note that asking whether you trust a site and actually being able to
establish a secure connection to that site are two different things.
> <oXygen/> first asked whether I wanted to allow and trust the site
This is indeed Oxygen asking if you will allow opening a resource from a
website that is not listed in its trusted hosts (Options > Preferences,
Network Connection Settings > Trusted Hosts).

> and when I told it that I did, <oXygen/> refused to load it, telling
> me that:
>> Cannot open the specified file.
>> There was a problem establishing the secure HTTPS connection. In case
>> the server you are trying to connect to uses self-signed
>> certificates, read the 'Troubleshooting HTTPS' section from the user
>> manual.
>>  Full error message: sun.security.validator.ValidatorException: PKIX
>> path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: *unable
>> to find valid certification path to requested target*
Oxygen is a Java application and this is the underlying Java HTTPS/SSL
protocol saying it cannot verify the certificate used by the site and
thus cannot establish a secure connection.
The most common problem in such cases is that the HTTPS server either
uses a self-signed certificate or is not correctly configured in that it
only provides the certificate itself (which may be issued by an
authority), but without the intermediate certificate (or chain of
certificates) up to the trusted root certificate of the authority.
Web browsers sometimes have the intermediate certificate in their
trusted keystore, but Java doesn't.

> When I browse my Keychain (under System Roots -> Certificates) I see
> "DST Root CA X3", and nothing else that comes close to matching what I
> see when I view the certificate in Chrome.
> I was notified that "Certificate already exists in system-wide CA
> keystore under alias <identrustdstx3>
Since you mention that it says the certificate already exists, the root
isn't the certificate that is missing, it's most likely an intermediate
certificate that is missing.

You can check the site in question with an online SSL test tool like
https://www.ssllabs.com/ssltest/
Look for "Chain issues" in the report and look for Java 8 in the list of
"Handshake Simulation".

Anyway, on macOS it's a somewhat difficult process to actually import
the site certificate to the Java trusted keystore. A simple workaround
is to check the option "Automatically accept a security certificate,
even if invalid" from "Options > Preferences, Network Connection
Settings / HTTP(S)/WebDAV".
Please note that this is a global option, so this applies to all sites.

Regards,
Adrian

On 16.01.2020 20:23, David Birnbaum wrote:
> Dear oxygen-user,
>
> Thank you, Lee, for pointing me toward the online explanation, but it
> doesn't help. The instructions seem to have been written for Windows,
> and I tried adapting them for MacOS, so perhaps that's the source of
> my difficulty. Here are the details:
>
> A few data points:
>
> I see no option when viewing the certificate in either Chrome or
> Firefox (by clicking on the security icon to the immediately left of
> the URL) to export or save the certificate. The instructions at the
> link Lee mentioned say that I should be able to view a certificate
> from the browser and then save it to file, but I don't see an option
> to do that.
>
> The browser accepts the certificate without a question, and doesn't
> report it as self-signed. It is reported as issued by "Let's Encrypt
> Authority X3" (under "DST Root CA X3"). Only <oXygen/> seems to think
> that it is self-signed.
>
> What I tried:
>
> When I browse my Keychain (under System Roots -> Certificates) I see
> "DST Root CA X3", and nothing else that comes close to matching what I
> see when I view the certificate in Chrome. I guessed that this was
> what I wanted, and I exported it from the Keychain, navigated to the
> JRE folder for <oXygen/>, adjusted the instructions for MacOS (they
> were written for Windows, with backslashes and explicit paths), and
> ran the import command. I was notified that "Certificate already
> exists in system-wide CA keystore under alias <identrustdstx3> Do you
> still want to add it to your own keystore?". I told it "no" and
> restarted <oXygen/> and was not able to open the remote URL. So I ran
> the import again, told it "yes" this time, restarted <oXygen/>, and
> got the same error about not being able to open the URL.
>
> Best,
>
> David
>
> On Thu, Jan 16, 2020 at 1:00 PM <oxygen-user-request at oxygenxml.com
> <mailto:oxygen-user-request at oxygenxml.com>> wrote:
>
>
>     Today's Topics:
>
>        1. Re: self-signed certificates (Hart, Lee)
>
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Wed, 15 Jan 2020 17:25:41 +0000
>     From: "Hart, Lee" <hleehart at amazon.com <mailto:hleehart at amazon.com>>
>     To: "oxygen-user at oxygenxml.com <mailto:oxygen-user at oxygenxml.com>"
>     <oxygen-user at oxygenxml.com <mailto:oxygen-user at oxygenxml.com>>
>     Subject: Re: [oXygen-user] self-signed certificates
>     Message-ID:
>            
>     <5e20df9778d24e24bfbf3c16dedb7409 at EX13D13UWB003.ant.amazon.com
>     <mailto:5e20df9778d24e24bfbf3c16dedb7409 at EX13D13UWB003.ant.amazon.com>>
>     Content-Type: text/plain; charset="utf-8"
>
>     I tried opening a file from a URL on a site that uses a
>     self-signed certificate. <oXygen/> first asked whether I wanted to
>     allow and trust the site, and when I told it that I did, <oXygen/>
>     refused to load it, telling me that:
>
>     Cannot open the specified file.
>     There was a problem establishing the secure HTTPS connection. In
>     case the server you are trying to connect to uses self-signed
>     certificates, read the 'Troubleshooting HTTPS' section from the
>     user manual.
>      Full error message: sun.security.validator.ValidatorException:
>     PKIX path building failed:
>     sun.security.provider.certpath.SunCertPathBuilderException: unable
>     to find valid certification path to requested target
>
>     I'm running XML Editor 21.1, build 2019120214, with the bundled
>     Java, on MacOS Mojave. How do I communicate to <oXygen/> that it
>     should trust this site? I tried adding an exception for the site
>     to my Java configuration, which didn't help, and I then realized
>     that that was probably because those exceptions are for my system
>     Java, and <oXygen/> is using its own.
>
>     The instructions at Troubleshooting
>     HTTPS<https://www.oxygenxml.com/doc/versions/21.1/ug-author/topics/import-https-server-certificate.html>
>     in the user manual seem straightforward – where did you have
>     problems following them?
>
>     Lee

-- 
Adrian Buza
oXygen XML Editor and Author Support

Tel: +1-650-352-1250 ext.2020
Fax: +40-251-461482
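
The situation described in this reply (root already trusted, intermediate neither sent by the server nor known to the client) can be reproduced offline with OpenSSL. This is an added example, not part of the original message or of the Oxygen documentation; every certificate and file name in it is constructed, and `openssl verify` is used as a stand-in for Java's PKIX path builder.

```shell
#!/bin/sh
# Constructed three-tier PKI (root -> intermediate -> leaf); all names are made up.
# `openssl verify` stands in here for Java's PKIX path builder.

make_chain() {   # $1 = empty working directory
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  # Root CA: plays the role of the root that is already in the client's truststore.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj '/CN=Constructed Root CA' -keyout "$d/root.key" -out "$d/root.pem" \
    2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=Constructed Intermediate CA' -keyout "$d/int.key" \
    -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions ca -days 2 \
    -out "$d/int.pem" 2>/dev/null || return 1
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=server.example.test' -keyout "$d/leaf.key" \
    -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
  cat "$d/root.pem" "$d/int.pem" > "$d/root-plus-int.pem"
}

# Prints "valid" or "no-path" for one of three situations:
#   leaf-only          server sends only its own certificate (the misconfiguration)
#   server-sends-int   server sends leaf + intermediate (the correct setup)
#   client-trusts-int  server still sends only the leaf; client imported the intermediate
check_path() {   # $1 = directory from make_chain, $2 = situation
  d=$1
  case $2 in
    leaf-only)         set -- -CAfile "$d/root.pem" ;;
    server-sends-int)  set -- -CAfile "$d/root.pem" -untrusted "$d/int.pem" ;;
    client-trusts-int) set -- -CAfile "$d/root-plus-int.pem" ;;
    *) return 2 ;;
  esac
  if openssl verify "$@" "$d/leaf.pem" >/dev/null 2>&1; then echo valid; else echo no-path; fi
}

work=$(mktemp -d) && make_chain "$work" &&
for s in leaf-only server-sends-int client-trusts-int; do
  printf '%-18s %s\n' "$s" "$(check_path "$work" "$s")"
done
rm -rf "$work"
```

Only the `leaf-only` case fails, even though the root is trusted in all three; re-importing the root, as attempted earlier in the thread, changes nothing because the gap is one level below it.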
