JAVA don't trust Let's Encrypt


#1

Hi !

I got LE cert for my Unifi controller. to be able to make payments in my hotspot portal. When i goes to my controller website (unifi.leptitcampeur.ca) it shows me the green padlock, with valid cert.

When a guest connect to my hotspot, the guest is redirected to a portal, to choose a plan for his internet, and can make a payment to get access to internet.

When we enter in the portal, we got the green padlock, so everything seems to be good, but when we want to process payment, we got an error, “please validate payment info”. i get in the log this error

[16:49:28,466] ERROR guest - Stripe:Charge failed
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450) ~[?:1.8.0_181]
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:266) ~[commons-httpclient-3.1-atlassian-2.jar:?]
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:124) ~[commons-httpclient-3.1-atlassian-2.jar:?]
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:157) ~[commons-httpclient-3.1-atlassian-2.jar:?]
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1-atlassian-2.jar:?]
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1-atlassian-2.jar:?]
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1-atlassian-2.jar:?]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1-atlassian-2.jar:?]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1-atlassian-2.jar:?]
at com.ubnt.service.F.D.o00000(Unknown Source) [ace.jar:?]
at com.ubnt.service.F.D.o00000(Unknown Source) [ace.jar:?]
at com.ubnt.service.oOOO.classsuper.o00000(Unknown Source) [ace.jar:?]
at com.ubnt.service.oOOO.classsuper.o00000(Unknown Source) [ace.jar:?]
at com.ubnt.service.oOOO.classsuper.o00000(Unknown Source) [ace.jar:?]
at com.ubnt.ace.view.GuestServlet.service(Unknown Source) [ace.jar:?]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-embed-websocket-8.5.34.jar:8.5.34]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) [tomcat-embed-core-8.5.34.jar:8.5.34]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.34.jar:8.5.34]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_181]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_181]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.34.jar:8.5.34]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

i think Java don’t trust my LE cert, but i made a test at ssllabs.com, and i got the A rating.
i have JDK 1.8.0_180. on internet, every post said this version TRUST LE cert, but i think mine don’t trust it.

can you help me to solve this error ?

Thanks !


#2

did you use fullchain.pem or cert.pem? you will need fullchain.pem as I don’t think java caches intermediate certs.


#3

i think i used twice. i ran this script to import my cert to unifi controller
https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh


#4

The certificate chain looks fine on that server. It might be helpful to post to a Java-related or a Stripe-related forum for more information about this error, because I think the certificate and chain are totally correct and valid.