I was able to “successfully” generate certs, but I haven’t been able to get a Dropwizard instance to start up with them. When I inspect my cert.pem (or fullchain.pem) using Java keytool, I see the following in extension #8, which looks suspicious to me:
#8: ObjectId: 2.5.29.32 Criticality=false Unparseable CertificatePolicies extension due to java.io.IOException: No data available in policyQualifiers
Has anyone run into this? This was in the cert given to me after running the client in standalone mode, without any exceptions being thrown.
That’s an interesting exception. I believe Java is in error here, and no policyQualifiers are required in a CertificatePolicy. However, I could be wrong.
LE contains under 2.5.29.32 their policy “http://cps.letsencrypt.org” and “This Certificate may only be relied upon by…”
So it is not empty, and I use Java too and have no problem with the cert for https://suche.org
FWIW, there’s a hex block that follows the error, and it does contain the URL provided above, as well as a bit of non-ASCII hex and the following statement:
“This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/”
This is different from what I see for 2.5.29.32 when I print out chain.pem:
This tells me that I’m able to parse a 2.5.29.32 object in at least some form.
Since this implies that there was something different (and maybe malformed) about my cert, I went ahead and regenerated it (just in case I had somehow corrupted it), but the new certs show exactly the same thing.
At this point I have no idea how to continue troubleshooting this issue. What are other steps I can take?
Hi, first you can start by telling us what Java version you are using.
And maybe post the stack trace if you get any. Maybe you can tell us the serial number of the certificate; then I can check what I see.
No, you have some Java-based software where you try to import the certificate.
This software has a problem with a valid certificate, so their support can help you.
Can you provide the exact Java command you are running? Or if it’s part of a larger application you are building, can you provide a minimal case to reproduce?
It’s possible Java doesn’t understand the UserNotice PolicyQualifier described at https://tools.ietf.org/html/rfc5280#page-34, which might explain why it gets as far as the CPS URL but fails on the next chunk.
Thanks. I was able to track this down: It looks like we insert an empty SEQUENCE after the 2.23.140.1.2.1 CertificatePolicy. I’ll work on fixing it. Thanks for reporting!
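To make the root cause in the reply above concrete, here is an added example (not code from the thread, and not Let's Encrypt's own code) that walks the DER of a CertificatePolicies extension and flags exactly the defect described: a PolicyInformation whose policyQualifiers is an empty SEQUENCE. RFC 5280 defines policyQualifiers as `SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL`, so the field must either be absent or contain at least one qualifier; an empty SEQUENCE is invalid DER for this type, which is why Java's parser reports "No data available in policyQualifiers". The two extension values below are constructed for the example: the policy OID 1.3.6.1.4.1.44947.1.1.1 is assumed as the issuer-specific policy carrying the CPS URI and UserNotice, 2.23.140.1.2.1 is the CA/Browser Forum DV OID from the thread, and the byte layout is not taken from the poster's certificate.

```python
"""Minimal DER walker for the X.509 CertificatePolicies extension (RFC 5280 4.2.1.4).

Added example. It detects a PolicyInformation whose policyQualifiers is an empty
SEQUENCE, which violates SIZE (1..MAX) and is what Java rejects.
"""

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # CPS pointer qualifier (IA5String URI)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # UserNotice qualifier
CABF_DV_POLICY = "2.23.140.1.2.1"    # CA/Browser Forum DV policy OID (from the thread)
ISRG_POLICY = "1.3.6.1.4.1.44947.1.1.1"  # assumed issuer policy OID for this sample


# --- DER encoding helpers (only what this example needs) -------------------

def der_len(n):
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                      # base-128 with continuation bits, big-endian
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    parts, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    first = parts[0]
    arc1 = 2 if first >= 80 else first // 40
    return ".".join(str(x) for x in [arc1, first - 40 * arc1] + parts[1:])


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val


# --- The check -------------------------------------------------------------

def check_certificate_policies(ext_value):
    """Return [(policy_oid, [qualifier_oids], problem_or_None)] per PolicyInformation."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CertificatePolicies must be a SEQUENCE")
    results = []
    for tag, pinfo in children(seq):
        items = list(children(pinfo))
        policy = decode_oid(items[0][1])
        quals, problem = [], None
        if len(items) > 1:            # policyQualifiers is OPTIONAL
            qtag, qseq = items[1]
            if qtag != 0x30:
                problem = "policyQualifiers is not a SEQUENCE"
            elif not qseq:
                problem = "empty policyQualifiers SEQUENCE (RFC 5280: SIZE (1..MAX))"
            else:
                quals = [decode_oid(list(children(q))[0][1]) for _, q in children(qseq)]
        results.append((policy, quals, problem))
    return results


# --- Constructed sample values ---------------------------------------------

def policy_info(policy_oid, qualifiers=None):
    body = oid(policy_oid)
    if qualifiers is not None:        # None = omit the field; [] = emit an empty SEQUENCE
        body += tlv(0x30, b"".join(qualifiers))
    return tlv(0x30, body)


def cps_qualifier(url):
    return tlv(0x30, oid(ID_QT_CPS) + tlv(0x16, url.encode("ascii")))


def user_notice_qualifier(text):   # UserNotice with explicitText as UTF8String, no noticeRef
    return tlv(0x30, oid(ID_QT_UNOTICE) + tlv(0x30, tlv(0x0C, text.encode("utf-8"))))


NOTICE = ("This Certificate may only be relied upon by Relying Parties and only in "
          "accordance with the Certificate Policy found at https://letsencrypt.org/repository/")
ISRG_QUALS = [cps_qualifier("http://cps.letsencrypt.org"), user_notice_qualifier(NOTICE)]

GOOD = tlv(0x30, policy_info(CABF_DV_POLICY) + policy_info(ISRG_POLICY, ISRG_QUALS))
BAD = tlv(0x30, policy_info(CABF_DV_POLICY, []) + policy_info(ISRG_POLICY, ISRG_QUALS))

if __name__ == "__main__":
    for name, value in (("well-formed", GOOD), ("empty-qualifiers", BAD)):
        for policy, quals, problem in check_certificate_policies(value):
            print(f"{name}: {policy} qualifiers={quals} problem={problem}")
```

On a real certificate, `openssl asn1parse -i` over the extension value shows the same shape; the tell-tale line is a `SEQUENCE` of length 0 immediately after the 2.23.140.1.2.1 OID, which this checker reports as a problem while accepting the policy with the CPS URI and UserNotice qualifiers.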