Java application rejecting certificate despite being added to the keystore

Hi all,

I've recently installed an LE cert to an openLDAP server I am running. I run two instances of Sonatype Nexus and I use LDAP authentication for both (which was working previously with a different CA cert). The configuration for both as far as LDAP auth is identical; however, one is working and one is not.

I successfully imported the LE root certs to keystores on both machines. However, when I test the connection on the second one, I get a message stating:

"There is an error communicating with the server.Failed to connect to Ldap Server: simple bind failed: ldap.mydomain.com:636

Nexus returned an error: ERROR 400: Bad Request"

Checking the logs, there are a bunch of what look like Java/cert related errors (I'm no Java expert but have managed to import to the keystore which is obviously pretty straightforward).

2016-06-08 08:46:34,367+0100 DEBUG [qtp365319977-46] admin org.sonatype.nexus.security.ldap.realms.test.api.LdapTestAuthenticationPlexusResource - Failed to connect to Ldap Server.
javax.naming.CommunicationException: simple bind failed: ldap.mydomain.com:636
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) ~[na:1.8.0_91]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) ~[na:1.8.0_91]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[na:1.8.0_91]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[na:1.8.0_91]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[na:1.8.0_91]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[na:1.8.0_91]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[na:1.8.0_91]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.8.0_91]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[na:1.8.0_91]
at javax.naming.InitialContext.init(InitialContext.java:244) ~[na:1.8.0_91]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[na:1.8.0_91]
at org.sonatype.security.ldap.realms.DefaultLdapContextFactory.getLdapContext(DefaultLdapContextFactory.java:254) ~[na:na]
at org.sonatype.security.ldap.realms.DefaultLdapContextFactory.getSystemLdapContext(DefaultLdapContextFactory.java:239) ~[na:na]
at org.sonatype.security.ldap.dao.DefaultLdapConnectionTester.testConnection(DefaultLdapConnectionTester.java:53) ~[na:na]
at org.sonatype.nexus.security.ldap.realms.test.api.LdapTestAuthenticationPlexusResource.put(LdapTestAuthenticationPlexusResource.java:103) ~[na:na]
at org.sonatype.plexus.rest.resource.RestletResource.storeRepresentation(RestletResource.java:299) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.sonatype.nexus.rest.NexusRestletResource.storeRepresentation(NexusRestletResource.java:91) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.resource.Resource.put(Resource.java:706) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.resource.Resource.handlePut(Resource.java:603) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Finder.handle(Finder.java:359) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.doHandle(Filter.java:150) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.handle(Filter.java:195) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Router.handle(Router.java:504) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.doHandle(Filter.java:150) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.handle(Filter.java:195) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.doHandle(Filter.java:150) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.sonatype.plexus.rest.RetargetableRestlet.doHandle(RetargetableRestlet.java:36) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.handle(Filter.java:195) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.doHandle(Filter.java:150) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.handle(Filter.java:195) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.doHandle(Filter.java:150) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.handle(Filter.java:195) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.doHandle(Filter.java:150) [nexus-restlet1x-plugin-2.12.0-01/:na]
at com.noelios.restlet.StatusFilter.doHandle(StatusFilter.java:130) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.handle(Filter.java:195) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.doHandle(Filter.java:150) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.handle(Filter.java:195) [nexus-restlet1x-plugin-2.12.0-01/:na]
at com.noelios.restlet.ChainHelper.handle(ChainHelper.java:124) [nexus-restlet1x-plugin-2.12.0-01/:na]
at com.noelios.restlet.application.ApplicationHelper.handle(ApplicationHelper.java:112) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Application.handle(Application.java:341) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.doHandle(Filter.java:150) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.handle(Filter.java:195) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Router.handle(Router.java:504) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.doHandle(Filter.java:150) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Filter.handle(Filter.java:195) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Router.handle(Router.java:504) [nexus-restlet1x-plugin-2.12.0-01/:na]
at com.noelios.restlet.ChainHelper.handle(ChainHelper.java:124) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Component.handle(Component.java:676) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.restlet.Server.handle(Server.java:331) [nexus-restlet1x-plugin-2.12.0-01/:na]
at com.noelios.restlet.ServerHelper.handle(ServerHelper.java:68) [nexus-restlet1x-plugin-2.12.0-01/:na]
at com.noelios.restlet.http.HttpServerHelper.handle(HttpServerHelper.java:147) [nexus-restlet1x-plugin-2.12.0-01/:na]
at com.noelios.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:881) [nexus-restlet1x-plugin-2.12.0-01/:na]
at org.sonatype.nexus.restlet1x.internal.RestletServlet.service(RestletServlet.java:93) [nexus-restlet1x-plugin-2.12.0-01/:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) [javax.servlet-3.0.0.v201112011016.jar:na]
at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:288) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:278) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:182) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:93) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85) [guice-servlet-3.1.10.jar:3.1.10]
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.10.jar:3.1.10]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:112) [shiro-web-1.2.3.jar:1.2.3]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120) [guice-servlet-3.1.10.jar:3.1.10]
at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82) [nexus-core-2.12.0-01.jar:2.12.0-01]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120) [guice-servlet-3.1.10.jar:3.1.10]
at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82) [nexus-core-2.12.0-01.jar:2.12.0-01]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89) [guice-servlet-3.1.10.jar:3.1.10]
at com.sonatype.nexus.analytics.internal.RestRequestCollector.doFilter(RestRequestCollector.java:81) [nexus-analytics-plugin-2.12.0-01/:na]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.10.jar:3.1.10]
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449) [shiro-web-1.2.3.jar:1.2.3]
at org.sonatype.nexus.web.internal.SecurityFilter.executeChain(SecurityFilter.java:90) [nexus-core-2.12.0-01.jar:2.12.0-01]
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) [shiro-core-1.2.3.jar:1.2.3]
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) [shiro-core-1.2.3.jar:1.2.3]
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) [shiro-core-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120) [guice-servlet-3.1.10.jar:3.1.10]
at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82) [nexus-core-2.12.0-01.jar:2.12.0-01]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89) [guice-servlet-3.1.10.jar:3.1.10]
at com.yammer.metrics.web.WebappMetricsFilter.doFilter(WebappMetricsFilter.java:76) [metrics-web-2.2.0.jar:na]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.10.jar:3.1.10]
at org.sonatype.nexus.web.internal.CommonHeadersFilter.doFilter(CommonHeadersFilter.java:69) [nexus-core-2.12.0-01.jar:2.12.0-01]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.10.jar:3.1.10]
at org.sonatype.nexus.web.internal.ErrorPageFilter.doFilter(ErrorPageFilter.java:71) [nexus-core-2.12.0-01.jar:2.12.0-01]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.10.jar:3.1.10]
at org.sonatype.nexus.web.internal.BaseUrlHolderFilter.doFilter(BaseUrlHolderFilter.java:66) [nexus-core-2.12.0-01.jar:2.12.0-01]
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120) [guice-servlet-3.1.10.jar:3.1.10]
at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82) [nexus-core-2.12.0-01.jar:2.12.0-01]
at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterPipeline.dispatch(NexusGuiceFilter.java:56) [nexus-core-2.12.0-01.jar:2.12.0-01]
at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:132) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:129) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:206) [guice-servlet-3.1.10.jar:3.1.10]
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:129) [guice-servlet-3.1.10.jar:3.1.10]
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1476) [jetty-servlet-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) [jetty-servlet-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557) [jetty-security-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) [jetty-servlet-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at com.yammer.metrics.jetty.InstrumentedHandler.handle(InstrumentedHandler.java:200) [metrics-jetty-2.2.0.jar:na]
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.Server.handle(Server.java:370) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865) [jetty-http-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240) [jetty-http-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) [jetty-server-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696) [jetty-io-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53) [jetty-io-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) [jetty-util-8.1.16.v20140903.jar:8.1.16.v20140903]
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) [jetty-util-8.1.16.v20140903.jar:8.1.16.v20140903]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_91]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_91]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) ~[na:1.8.0_91]
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) ~[na:1.8.0_91]
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.8.0_91]
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.8.0_91]
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) ~[na:1.8.0_91]
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) ~[na:1.8.0_91]
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) ~[na:1.8.0_91]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) ~[na:1.8.0_91]
... 138 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352) ~[na:1.8.0_91]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249) ~[na:1.8.0_91]
at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_91]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_91]
... 151 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: timestamp check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[na:1.8.0_91]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) ~[na:1.8.0_91]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[na:1.8.0_91]
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[na:1.8.0_91]
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[na:1.8.0_91]
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347) ~[na:1.8.0_91]
... 157 common frames omitted
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Apr 22 00:59:59 BST 2016
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) ~[na:1.8.0_91]
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) ~[na:1.8.0_91]
at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:190) ~[na:1.8.0_91]
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144) ~[na:1.8.0_91]
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[na:1.8.0_91]
... 162 common frames omitted

Sorry I included so much but I wanted to capture all the errors and I'm at my wits end, have spent days on this. Does anyone have any suggestions?

That would normally come up in case of expired certificate. Are you sure that a) certificate is not expired; b) your time settings on the machines involved are correct?

The certificate on the LDAP server doesn’t expire until late July, and the other instance of Nexus is authenticating against it with no issues. I just checked the time settings - again they are both the same, but I updated the settings on the one that isn’t working to UTC, same issue.

For those Nexus instances, is there any difference in terms of SSL trust store content? Basically go through the docs at https://books.sonatype.com/nexus-book/reference/ssl.html and see if anything looks different on the two instances regarding the appropriate configs.

OK, thanks - I’ll go through and see what I can find.

Java says the certificate it was shown expired on the 21st of April, at a second before midnight UTC. Which is a suspicious time. I doubt you got a valid Let's Encrypt cert issued which just happens to have this exact time and which has now expired. So I suspect the certificate it's being shown isn't even a Let's Encrypt cert.

In my experience, when the computer says something you're 100% sure can't be true, that's because you're wrong and are about to have to slap yourself on the forehead. Certainly that's true for everybody I've ever worked with. So I would go back and check and re-check and have somebody else check to see that you don't have some old certificate configured somewhere, or some old machine answering LDAP requests, or whatever.

OK, seems the certificate wasn’t fed into the LDAP server properly. I don’t understand that, because it was working for one Nexus instance, as well as two other applications which used LDAP. After changing the certs correctly, I was able to connect using my test instance of Nexus (which had also been failing), however the production instance still doesn’t work. I’ve changed the log levels to try to get some useful information, but as the server is in constant use during the day I will need to wait until the morning to restart it, then test the connection and go through the logs. It’s now showing the correct cert when I test it with openssl, however, which is a step in the right direction.

As mentioned this is working on my test instance now but not on the production one.

The errors from the logs are slightly different. I've imported the certs to the keystore, and when I test using openssl the correct certs display. However, when I try to test the LDAP connection I get this:

2016-06-09 06:06:19,114+0000 DEBUG [qtp2111748436-79] nexus.user org.sonatype.nexus.security.ldap.realms.test.api.LdapTestAuthenticationPlexusResource - Failed to connect to Ldap Server.
javax.naming.CommunicationException: simple bind failed: ldap.mydomain.com:636
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Does anyone have any ideas what these errors mean?

Whatever certificate is being shown to the Java code doesn't chain back to a trusted root.

You said that you've checked the "correct certs display" with openssl, but just to be clear what the "correct certs" will be here, they should be the leaf cert (for ldap.mydomain.com) and the matching Let's Encrypt intermediate. The correct intermediate will be named as the Issuer in the leaf cert. Just any old intermediate won't do it, it has to be the one that matches (same exact name including the X1 or X3 or whatever at the end) since the Java code needs to see how they form a chain linking back to the root.

If you used the chain supplied by certbot or another well-written client it will have chosen the right one, but it's just something to be aware of especially if you did any of this by hand.

Now, the roots are the next concern. You say you imported "the LE root certs". Note that, perhaps confusingly, Let's Encrypt is not currently issuing certificates which chain back to its published root ISRG Root X1. The intermediates currently used to sign certificates chain only to DST Root CA X3 operated by Identrust. For web users this is all fine: they trust DST Root CA X3 (in any vaguely modern browser) and haven't heard of ISRG Root X1 (probably coming to Firefox later this year, who knows for other browsers). Eventually ISRG will convene enough people to perform a key signing ritual and there will be a trust path to ISRG Root X1 from the intermediates again, but right now it doesn't matter... for most people.

If you really did trust only the "LE root" which is named ISRG Root X1, then no certificates issued by Let's Encrypt for the past few months will work with that. The easiest fix is to trust DST Root CA X3, which will bring you into line with what most web browsers are doing. An alternative, but more complicated to look after, would be to trust a named Let's Encrypt intermediate, such as Let's Encrypt Authority X3. That might become obsolete at any time though, with little or no notice from Let's Encrypt, whereupon any new certs you obtain won't use it any more.

Thanks a lot for the extra information.

Sorry, to be clear: I downloaded these three certificates to the Ubuntu machine running Nexus

isrgrootx1.pem
lets-encrypt-x3-cross-signed.der
lets-encrypt-x4-cross-signed.der

I then successfully imported all of these to the Java keystore. This was the same procedure I followed for my other production instance of Nexus as well as the test instance, and both of these worked.

I've now just imported DST ROOT CA X3 using the same procedure and the authentication is still failing.

I tried this to see the certificate chain:

openssl s_client -connect ldap.mydomain.com:636 -showcerts

And got this, which looks right to me:

CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
0 s:/CN=ldap.mydomain.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4Mcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

Server certificate
subject=/CN=ldap.mydomain.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

No client certificate CA names sent

SSL handshake has read 3056 bytes and written 489 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5B87386378FB6A2046524D1C859647D3
Session-ID-ctx:
Master-Key: FC65486D32BDBFBFB037753C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1465540923
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

Hi

Everything you described sounds right, although note that all those items you added to the trust store get trusted as roots on their own, so in theory at least you probably want to pick just one thing, maybe DST root. But I understand for debugging you just want to figure out what actually works and I sympathise, it certainly shouldn’t have made anything worse to have extra things in that root store so that’s not where your trouble lies.

The PEM text in your output seems to be corrupt, but I assume you’ve done that intentionally to mask the real names in the certificates, and based on the surrounding commentary from openssl it was content that the certs it actually saw are fine.

The best conclusion I can come to (without seeing your setup for myself) is that you’ve somehow managed not to add these certificates to the right Java keystore, or equivalently the application you’re using expects them to be in a different Java keystore. I know this pain fairly well (I maintain an application that uses more than five separate key stores…) but I won’t be able to be much help in diagnosing what’s wrong, sorry. You might need Sonatype Nexus experts from here. Good luck.
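The two checks suggested in this thread (does the served chain contain the matching intermediate and anchor at a root you trust, and were the certificates imported into the trust store the JVM actually reads) can be done outside Nexus with a short standalone program that runs the same PKIX validation the JSSE trust manager runs during the TLS handshake. This is an added example, not code from Nexus, from Sonatype or from anyone in this thread; the class name ChainCheck, the argument layout and the default password "changeit" (the JDK's stock cacerts password) are assumptions of the example. It also prints each certificate's NotAfter, which is the value behind the "timestamp check failed" error in the first trace.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added diagnostic (not part of Nexus): validates a PEM chain, as saved from
 * "openssl s_client -showcerts", against a Java trust store the same way the
 * JSSE trust manager does, and reports which trust anchor the chain lands on.
 *
 * Usage: java ChainCheck chain.pem [truststore [password]]
 * With no trust store argument the JVM's default cacerts is used, which is what
 * an application falls back to when -Djavax.net.ssl.trustStore is not set.
 */
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java ChainCheck chain.pem [truststore [password]]");
            System.exit(2);
        }
        Path chainFile = Paths.get(args[0]);
        String storePath = args.length > 1 ? args[1] : defaultTrustStore();
        // "changeit" is the stock password of the JDK's cacerts file (assumption: unchanged).
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        // 1. Parse every PEM certificate in the file, in the order the server sent them.
        //    Entry [0] should be the leaf; its issuer must equal entry [1]'s subject.
        List<X509Certificate> chain = readPemChain(chainFile);
        System.out.println("Certificates in " + chainFile + ":");
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            System.out.printf("  [%d] subject=%s%n      issuer=%s%n      notAfter=%s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal(), c.getNotAfter());
        }

        // 2. Load the trust store. Every trusted-certificate entry becomes a trust anchor,
        //    which is why each imported root or intermediate is trusted on its own.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass);
        }
        System.out.println("Trust store " + storePath + " has " + ts.size() + " entries");

        // 3. Run the PKIX validation the TLS client performs on the server's chain.
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false); // keep the check offline
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK: chain anchors at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is -1 when the failure is not tied to one certificate,
            // e.g. when no entry in the store matches the top of the chain.
            System.out.println("FAILED: " + e.getReason() + " at chain index " + e.getIndex()
                    + ": " + e.getMessage());
            System.exit(1);
        }
    }

    /** Path the JVM uses when javax.net.ssl.trustStore is not set. */
    static String defaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return prop;
        }
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
    }

    /** Reads all PEM-encoded certificates from a file; the first should be the leaf. */
    static List<X509Certificate> readPemChain(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }
}
```

To build the input, capture only the PEM blocks from the server's handshake, for example with `openssl s_client -connect ldap.mydomain.com:636 -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > chain.pem`, then run the program once against the trust store you imported into and once against the store the Nexus JVM really uses (the path given by its `-Djavax.net.ssl.trustStore` setting if there is one, otherwise the `cacerts` of the JRE Nexus is started with, which need not be the JRE that `keytool` on your PATH belongs to). If the first run passes and the second fails, the certificates went into the wrong store.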

Hmm… I suspected the same thing - as I said, I’m no Java expert, so that was the only thing I could think of as well. And you’re right that I masked some of the certificate text (should have mentioned that). OK, I’ll move on elsewhere, at least I’m confident now that this part at least is being done correctly. Thanks for your help!
