Weasis
javax.net.ssl.SSLHandshakeException
Hi, I'm moving from http to https on one of my servers and I'm getting this error on Weasis 3.7.1:
Error on loading the XML Manifest from https://<url to my https host> Server response:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path buildin...
The XML manifest is downloaded from an Apache2 server which has a Let's Encrypt SSL certificate installed and working without issues (tested with Firefox and Chrome). The only problem I'm experiencing is when Weasis tries to download it.
I can send you the full URL to debug.
This message tells you that the certificate is not trusted by Java. Like other Java applications, Weasis requires a real certificate with the root certificate authority in the JDK keystore embedded in Weasis.
Let's Encrypt certificates are part of the list of authorities already in the keystore. We have several servers with these certificates where Weasis retrieves images in WADO or WADO-RS, see the Kheops demo.
Mm, I cannot use the Kheops demo. I created a user, then when I try to log in (with either Firefox or Chrome) I'm redirected to https://demo.kheops.online/oidc-callback-error
Try to sign in with a GitHub or Google user.
Is it possible to add a certificate to the Weasis certificate store? Any chance we can use the Weasis protocol on an intranet using https? Otherwise it might be interesting to mention in the documentation that the Weasis protocol does not support https using private SSL certificates (unless it is already specified, but I didn't see it...). Using HTTP (instead of HTTPS) almost works like a charm... It raises a "mixed active content" issue since the site is using HTTPS... ;-|
Yes, this limitation is specified but the documentation should be updated once version 4 is released (drop the Java Web Start support).
For importing an auto-signed certificate, see https://groups.google.com/g/dcm4che/c/wPOCR0czXeY/m/6iQjU0sXAAAJ
Thank you very much for your response Nicolas. Merry Xmas and happy new year to the Weasis Community
I think I stumbled upon a similar issue. It might be something related to the date and time of the server.
The time on my server is Fri May 12 08:30:02, but the certificate is valid from Fri, 12 May 2023 12:43:49 GMT. I'll wait 30 minutes to see if that's the issue.
No, nothing related to the date. I'll re-generate the certificate.
I noticed the certificate directory (created by acme.sh) has the _ecc suffix. This is the first time I've noticed this. I'll take a look at acme.sh, maybe it is a new kind of certificate.
Deleted acme.sh and downloaded the 3.0.4 version (as it works without issues on another server that uses this version), but I still get the same error.
I found the issue. I need to install the "fullchain" certificate. I don't know how I managed to install it in exactly the same configuration I do in all my customers' servers (all FreeBSD 13.1 with Apache24 and .acme.sh)...
Done! It happens that acme.sh had already created the fullchain.cer file in the certificate directory, so I added it to my Apache configuration using SSLCertificateChainFile pointing to the full path of the fullchain.cert file.
This problem is beyond the scope of Weasis
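The resolution above, reproduced offline as an added example (not code from the thread or from the Weasis project): Java builds the certificate path only from what the server sends plus the roots in its truststore, so a server that presents just the leaf fails PKIX path building, while the same leaf followed by its intermediate (the "fullchain" file) validates. The PKI is a constructed throwaway; the CN values, file names and function names are hypothetical, and the `openssl` CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway PKI, hypothetical names throughout.

# Build root -> intermediate -> leaf in directory $1, plus fullchain.pem
# (leaf followed by intermediate, the layout of acme.sh's fullchain file).
make_demo_pki() {
  local d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
  openssl req -x509 -config "$d/o.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root CA" -days 2
  openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Demo Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/o.cnf" -extensions v3_ca -out "$d/int.pem" -days 2
  openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=pacs.example.test"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 2
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
} >/dev/null 2>&1

# $1 = trusted root, $2 = PEM file as the server would present it.
# Succeeds only if the first certificate in $2 chains to $1 using nothing
# but the other certificates in $2, which is all a Java client has to work with.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Compare the two server configurations and report the outcome of each.
demo() {
  local d r1 r2
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  chain_ok "$d/root.pem" "$d/leaf.pem"      && r1=OK || r1=FAIL
  chain_ok "$d/root.pem" "$d/fullchain.pem" && r2=OK || r2=FAIL
  rm -rf "$d"
  echo "leaf-only=$r1 fullchain=$r2"
}

demo
```

Against a live server, `openssl s_client -connect <host>:443 -showcerts` lists the certificates actually sent, so a single certificate in that output points to the same misconfiguration. Apache deprecated `SSLCertificateChainFile` as of 2.4.8; on newer versions the leaf and intermediates can go together in the file named by `SSLCertificateFile`.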