Unable to verify first certificate using sun java system application server

My domain is:
*.pontevix.co

I ran this command:

certbot certonly \
  --non-interactive \
  --agree-tos \
  --email omar.sa..... \
  --preferred-challenges dns \
  --authenticator dns-porkbun \
  --dns-porkbun-key <my-porkbun-api-key> \
  --dns-porkbun-secret <myporkbun-api-secret> \
  --dns-porkbun-propagation-seconds 60 \
  --key-type rsa \
  -d "*.pontevix.co"

It produced this output:

This was a while ago so I'm not sure what to add here. The certificates were generated on the webserver for pontevix.co, but my API is hosted on a different server using a Java application (HTTPS Java Sun server) on a specific port that is accessible at play.pontevix.co.

pontevix@localhost:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: pontevix.co
Serial Number: .........
Key Type: RSA
Domains: *.pontevix.co pontevix.co
Expiry Date: 2023-11-14 00:48:51+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/pontevix.co/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pontevix.co/privkey.pem


My web server is (include version):
Ubuntu 20 (Webserver)
java 17, package com.sun.net.httpserver (API Server)

My hosting provider, if applicable, is:
Linode (Webserver)
Novonode (API Server)

I can login to a root shell on my machine (yes or no, or I don't know):
yes (Webserver)
no (API Server)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The only thing I have access to are ports that I can open publicly

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
The certificates were generated on the webserver
certbot 2.6.0

This is what I am not understanding. The API is reachable in Chrome, but not through a Python request coming from the webserver. Postman is another place where it is not working. This page should be reachable with a simple GET request.

python version 3.9.16
certifi 2023.5.7

More Information:

I have tried fullchain.pem and cert.pem as my certificate with no luck. The private key is privkey.pem.

I can show the java code if requested


I can explain a little of what you see but I don't know java server coding well enough to advise. You might be better off asking on a programming forum.

But, as for why Chrome works and others fail ...

Your Java server is only sending a leaf certificate.

Chrome has likely seen and cached the intermediate so can authenticate the cert. Browsers work very hard to adapt to wrongly configured servers.

You can see the "raw" cert your server sends with a tool like below.

If using the Java keystore, make sure you converted the fullchain.pem properly.

4 Likes

You should probably use the fullchain.pem instead of just the cert.pem and then check the chain being served as @MikeMcQ has suggested.

Different apps can trust different chains, this is because some things use their own "trust store" of CA certificates they trust, and they also have different rules as to what to trust.

The default chain acquired by certbot is usually the expired DST Root CA X3 (which is going away eventually but was retained mainly for old Android compatibility) and you can force it to try to use the modern chain by setting the certbot --preferred-chain option to "ISRG Root X1" and re-requesting your certificate.

2 Likes

I ran the following command:

pontevix@localhost:~$ sudo certbot renew --cert-name pontevix.co --force-renewal --preferred-chain "ISRG Root X1"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pontevix.co.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for *.pontevix.co and pontevix.co
Hook 'deploy-hook' ran with output:
 Performing upload action
 Updated file: /etc/letsencrypt/live/pontevix.co/privkey.pem
 Updated file: /etc/letsencrypt/live/pontevix.co/chain.pem
 Updated file: /etc/letsencrypt/live/pontevix.co/cert.pem
 Updated file: /etc/letsencrypt/live/pontevix.co/README
 Updated file: /etc/letsencrypt/live/pontevix.co/fullchain.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/pontevix.co/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After this ran, I updated the java server to use fullchain.pem

The tool above was run on my server (https://decoder.link/sslchecker/play.pontevix.co/25572) and I see an error saying "The chain doesn't contain any intermediate certificates".

Both answers were super helpful, and in my case the issue was with my Java code. After reviewing my code to create the key store I noticed I was only adding the first certificate from the chain to my store. After some modification it now adds all the cert files.

5 Likes
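The fix described in the last reply, as an added Java example that is not the poster's own code: read every certificate in certbot's fullchain.pem (not just the first) and store the whole chain with the private key, so a com.sun.net.httpserver HTTPS server presents leaf and intermediate together. The class name, the "pontevix" alias, the keystore password and the `chain.length < 2` check are assumptions; the file layout is the one certbot printed above.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public final class FullChainKeyStore {

    // certbot writes privkey.pem as unencrypted PKCS#8 ("BEGIN PRIVATE KEY").
    static PrivateKey loadPrivateKey(Path pem, String algorithm) throws Exception {
        String b64 = Files.readString(pem, StandardCharsets.US_ASCII)
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Reads EVERY PEM block in fullchain.pem (leaf, then intermediate). generateCertificates
    // consumes the whole stream; the singular generateCertificate stops after the first block,
    // which is exactly how a server ends up sending only the leaf.
    static X509Certificate[] loadChain(Path fullchainPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(fullchainPem)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    // The whole chain is stored with the key, so the TLS server sends leaf + intermediate.
    static SSLContext buildSslContext(Path privkey, Path fullchain) throws Exception {
        X509Certificate[] chain = loadChain(fullchain);
        if (chain.length < 2) throw new IllegalStateException("no intermediate in " + fullchain);
        char[] pw = "changeit".toCharArray();   // protects only the in-memory store (assumed value)
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("pontevix", loadPrivateKey(privkey, "RSA"), pw, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }
}
```

Hand the returned context to `HttpsServer.setHttpsConfigurator(new HttpsConfigurator(ctx))`; after restarting, the SSL checker linked above should list the intermediate instead of reporting a bare leaf.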
