[GLASSFISH-20764] Remove GTE CyberTrust Solutions's expired certificate from CA DB Created: 15/Aug/13  Updated: 03/Jun/14  Resolved: 20/May/14

Status: Closed
Project: glassfish
Component/s: security
Affects Version/s: 3.1.2.2, 4.0
Fix Version/s: None

Type: Bug Priority: Blocker
Reporter: Jay Xu Assignee: Nithya Ramakrishnan
Resolution: Duplicate Votes: 9
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Linux 3.8.0-28-generic
OpenJDK Runtime Environment (IcedTea 2.3.10) (7u25-2.3.10-1ubuntu0.13.04.2)


Tags: 4_0_1-mustfix

 Description   

GTE CyberTrust Solutions's certificate expires this morning, which blocks GF's startup. Please remove it from the CA DB.

Exception log:

[#|2013-08-15T18:00:09.314+0800|SEVERE|oracle-glassfish3.1.2|javax.enterprise.system.ssl.security.com.sun.enterprise.security.ssl.impl|_ThreadID=5422;_ThreadName=Thread-3;|SEC5054: Certificate has expired: [
[
Version: V3
Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus: 23741889829347261660812437366387754385443431973861114865490414153884050331745811968523116847625570146592736935209718565296053386842135985534863157983128812774162998053673746470782252407673402238146869994438729551246768368782318393878374421033907597162218758024581735139682087126982809511479059100617027892880227587855877479432885604404402435662802390484099065871430585284534529627347717530352189612077130606642676951640071336717026459037542552927905851171460589361570392199748753414855675665635003335769915908187224347232807336022456537328962095005323382940080676931822787496212635993279098588863972868266229522169377
public exponent: 65537
Validity: [From: Fri Aug 14 22:50:00 CST 1998,
To: Thu Aug 15 07:59:00 CST 2013]
Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
SerialNumber: [ 01b6]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:5
]

[2]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.2.840.113763.1.2.1.3]
[] ]
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 76 0A 49 21 38 4C 9F DE F8 C4 49 C7 71 71 91 9D v.I!8L....I.qq..
]
]

]
Algorithm: [SHA1withRSA]

]|#]



 Comments   
Comment by zeto [ 28/Aug/13 ]

To remove the "GTE Cybertrust Solutions" certificate from the cacerts.jks file of your domain, you can use keytool:
keytool -delete -alias gtecybertrust5ca -keystore cacerts.jks

See also:
http://stackoverflow.com/questions/18248020/certificate-has-expired-in-log-by-starting-glassfish-3-1-2/18249719#18249719
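
The following is an added example, not part of the original comment or of GlassFish itself: a shell function that reads `keytool -list -v` output and prints the aliases of entries that expired before a given date, so stale trust anchors in cacerts.jks can be found before they show up as SEC5054 in the server log. It assumes keytool's English-locale output lines ("Alias name:" and "Valid from: ... until: ..."); the function names and the second sample entry are constructed for illustration.

```shell
#!/bin/sh
# Usage: keytool -list -v -keystore cacerts.jks | expired_aliases 20130816
# Prints each alias whose certificate's "until:" date is earlier than the
# reference date (YYYYMMDD). Comparison is by calendar day only: time of day
# and time zone are ignored, so pass tomorrow's date to include today.
expired_aliases() {
    ref="$1"
    awk -v ref="$ref" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= 12; i++) month[names[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13); next }
        /^Valid from: .* until: / {
            # Text after "until: " looks like: Thu Aug 15 07:59:00 CST 2013
            end = $0
            sub(/^.* until: /, "", end)
            n = split(end, f, " ")
            if (n < 6 || !(f[2] in month)) next   # unexpected format: skip line
            ymd = sprintf("%04d%02d%02d", f[n], month[f[2]], f[3])
            # Report each alias once, even if its entry holds a certificate chain.
            if ((ymd + 0) < (ref + 0) && alias != "" && !(alias in seen)) {
                seen[alias] = 1
                print alias
            }
        }
    '
}

# Constructed sample in the shape of `keytool -list -v` output. The first entry
# uses the subject and validity from the log above; the second is invented.
sample_listing() {
    cat <<'EOF'
Alias name: gtecybertrust5ca
Entry type: trustedCertEntry

Owner: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Valid from: Fri Aug 14 22:50:00 CST 1998 until: Thu Aug 15 07:59:00 CST 2013

Alias name: example-root-ca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2001 until: Wed Jan 01 00:00:00 UTC 2031
EOF
}
```

Running `sample_listing | expired_aliases 20130816` prints only `gtecybertrust5ca`. Review each reported alias before deleting it, since an expired entry may also be a private-key entry rather than a trusted CA certificate.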

Comment by Tim Quinn [ 28/Aug/13 ]

Kyle noticed this message appearing in the CTS tests for 4.0 when running an app client. (The command line specified truststore-related properties.) The tests succeed as expected anyway, but the same message is showing up in the output.

I've updated the affected-versions list accordingly. Note that for Kyle and me both the 4.0 server started successfully.

Comment by dzusik12 [ 27/Sep/13 ]

Reinstall glassfish and it works then.

//edit: after some runs, it does not work again.

//edit2: this is a partial solution for the time being, until the GlassFish developers repair the server
http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Final.zip

Comment by Ed Bratt [ 20/May/14 ]

Jeff, this has been marked Must Fix for 4.0.1. Please evaluate.

Comment by Nithya Ramakrishnan [ 20/May/14 ]

This issue has already been fixed in revision 63173.
This is a duplicate of GLASSFISH-21025

Generated at Wed Jan 25 00:35:20 UTC 2017 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.