Home/ Questions/Q 7949251
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T01:56:37+00:00

I have a grails application that attempts to use OpenID4Java to authenticate with our

  • 0

I have a grails application that attempts to use OpenID4Java to authenticate with our own OpenID provider.

The certificate our provider presents is from RapidSSL has been signed by GeoTrust Global.

Browsers accept the certificate automatically.

I’m on a Mac and attempting to add the GeoTrustGlobalCA to cacerts at /Library/Java/Home/lib/security/cacerts results in the prompt Certificate already exists in keystore under alias <keychainrootca-132> I added it again anyway.

Starting grails within STS with -Djavax.net.debug=ssl run-app -https

I can find the following in the output;

adding as trusted cert:
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x23456
  Valid from Tue May 21 14:00:00 EST 2002 until Sat May 21 14:00:00 EST 2022

adding as trusted cert:
  Subject: CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x18acb56afd69b6153a636cafdafac4a1
  Valid from Mon Nov 27 11:00:00 EST 2006 until Thu Jul 17 09:59:59 EST 2036

However attempting to access the service from the application results in;

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
  at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
  at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
  at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
  at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
  at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
  at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
  at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
  at org.openid4java.util.HttpCache.head(HttpCache.java:335)
  at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:400)
  at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:248)
  at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
  at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
  at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
  at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
  at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
  at org.openid4java.consumer.ConsumerManager$discover.call(Unknown Source)
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    We resolved the issue with an additional Apache directive along the lines of

    SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

    It seems that we needed an intermediate CA entry because of who our issuer was.

    • 0