Validation with Java Webstart App
Issue
For a few weeks I have had a problem with my CAcert-signed Java Webstart App.
The validation process breaks and it is not possible to start it. I checked and renewed all my certificates, but it does not help. And the log names a date, 08/24/2021, that appears nowhere in my certificate. Could it be that the validation service at cacert.org needs a certificate update?
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
    at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGrantedInt(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.launch(Unknown Source)
    at com.sun.javaws.Main.launchApp(Unknown Source)
    at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
    at com.sun.javaws.Main.access$000(Unknown Source)
    at com.sun.javaws.Main$1.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException: sun.security.provider.certpath.PKIX$CertStoreTypeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        ... 19 more
    Caused by: sun.security.provider.certpath.PKIX$CertStoreTypeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
        at sun.security.provider.certpath.URICertStore.engineGetCRLs(Unknown Source)
        at java.security.cert.CertStore.getCRLs(Unknown Source)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRL(Unknown Source)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(Unknown Source)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(Unknown Source)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(Unknown Source)
        at com.sun.deploy.security.RevocationChecker$3.run(Unknown Source)
        at com.sun.deploy.security.RevocationChecker$3.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.deploy.security.RevocationChecker.getCRLsPrivileged(Unknown Source)
        ... 20 more
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
        at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
        at sun.security.ssl.SSLHandshake.consume(Unknown Source)
        at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at sun.security.ssl.TransportContext.dispatch(Unknown Source)
        at sun.security.ssl.SSLTransport.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        ... 30 more
    Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
        at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
        ... 52 more
        Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
            at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
            ... 59 more
    Caused by: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
        at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
        at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.deploy.security.RevocationChecker.doPrivilegedOCSPCheck(Unknown Source)
        ... 60 more
    Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Aug 24 16:12:48 CEST 2021
        at sun.security.x509.CertificateValidity.valid(Unknown Source)
        at sun.security.x509.X509CertImpl.checkValidity(Unknown Source)
        ... 67 more
Caused by: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
    at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
    at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.RevocationChecker.doPrivilegedOCSPCheck(Unknown Source)
    ... 20 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Aug 24 16:12:48 CEST 2021
    at sun.security.x509.CertificateValidity.valid(Unknown Source)
    at sun.security.x509.X509CertImpl.checkValidity(Unknown Source)
    ... 27 more
Step 1
The words (Unknown Source) may point to uninstalled or expired CAcert roots in the computer OS (Sun?) that validates certificates. The renewal of CAcert's Class 3 Root, ser. # 00000E to 14E228, has indeed been necessary since, AFAIK, May 20, 2021. Please check. The new Class 3 is published on the page https://www.cacert.org/index.php?id=3.
I am also afraid there are program systems or operating systems which reject CAcert certs intentionally.
Neither ocsp.cacert.org nor www.cacert.org has a cert expiring Tue Aug 24 16:12:48 CEST 2021.
Please do not hesitate to send us some more details about the validation process. Is it performed on your local system, or somewhere in the cloud?
More information
Yes, exactly. I had seen that the intermediate certificate expired in May, and I changed it everywhere, but that was not the problem. The message "Responder's certificate not within the validity period" is shown because the service on the CAcert side expired in August. I am not a specialist for the Sun Java libs, but I think the validation process contacts a special service on the CAcert side to do this. And yes, I think Java WebStart checks it via OCSP. My problem is that I cannot see anywhere the address and port that WebStart will use for this contact.
Are you sure that all running services on all validation servers are updated and no certificate expires on 24.8.2021? Maybe the validation from Germany is routed another way, to a different server?
Step 2
Despite what my utility has reported: I've seen an internal message today, saying that the OCSP has had the expired cert since AUGUST (not the web server's own cert, I suppose), and that that cert will be renewed TODAY.
As far as I know, to perform the validity check your system has to assemble the certificate chain up to the CA's root cert, and all certs must be valid. With CAcert, these are: your cert, probably the Class 3 Root cert, and the Class 1 Root cert. The validity of your cert comes from the expiration date AND the information whether or not the certificate is revoked. The latter check is performed via the OCSP server. In your case, the OCSP's response was not valid. Now (or tomorrow) it should be valid again.
So the error was not on your side. We are sorry.
Solution
Perfect. It is working right away. Everything is fine. Many thanks for your support!
Testing tool
BTW: do you know of a tool to test such behaviour? The problem is that the standard Java message is not really meaningful, and I had checked and tried for a few hours before I contacted you.
Answer
I have the EAS_MD (Exchange Active Sync Mobility Dojo) application, primarily for testing Exchange servers, but it can also read and present the web server's certificate and its chain.
For a (possibly) better, more sophisticated OCSP server test, see: OCSP Client Tool - PKI Extensions (sysadmins.lv).
DN/AK 2021
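As an added example (not code from CAcert or from either participant above), the check below does in Python what Step 2 describes and what the "Testing tool" question asks for: it loads an OCSP response and verifies that the responder certificate carried inside it is within its validity period, reporting the NotAfter date instead of the opaque Java message. It builds its own constructed test CA, leaf and responder certificates (the names "Constructed Test CA", "webstart.example" and "ocsp.example" are made up) and needs the third-party 'cryptography' package; no network access is required.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, issuer, key, issuer_key, not_after):
    # Minimal test certificate; issuer=None makes a self-signed root.
    return (x509.CertificateBuilder()
            .subject_name(_name(cn))
            .issuer_name(issuer.subject if issuer is not None else _name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(dt.datetime(2020, 1, 1))
            .not_valid_after(not_after)
            .sign(issuer_key, hashes.SHA256()))

def build_response(responder_not_after, now):
    # Constructed chain: test CA -> leaf, plus an OCSP responder cert signed by the CA.
    ca_key, resp_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    far = dt.datetime(2030, 1, 1)
    ca = _cert("Constructed Test CA", None, ca_key, ca_key, far)
    leaf = _cert("webstart.example", ca, leaf_key, ca_key, far)
    responder = _cert("ocsp.example", ca, resp_key, ca_key, responder_not_after)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
                          next_update=None, revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, responder)
            .certificates([responder])
            .sign(resp_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def _utc_naive(cert, attr):
    # Works on old and new 'cryptography' releases (the *_utc properties are newer).
    t = getattr(cert, attr + "_utc", None) or getattr(cert, attr)
    return t.replace(tzinfo=None) if t.tzinfo else t

def check_responder_validity(der, now):
    # Mirrors the check that failed in the log: the responder certificate carried
    # in the OCSP response must itself be valid at 'now' (a naive UTC datetime).
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "response status " + resp.response_status.name
    if not resp.certificates:
        return False, "no responder certificate in response"
    nb, na = (_utc_naive(resp.certificates[0], a) for a in ("not_valid_before", "not_valid_after"))
    if not nb <= now <= na:
        return False, f"responder cert not within validity period, NotAfter: {na:%a %b %d %H:%M:%S %Y} UTC"
    return True, f"responder cert valid until {na}, leaf status {resp.certificate_status.name}"
```

Against a real responder, pass the DER body returned by an OCSP POST to check_responder_validity instead of the constructed response.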