Today, while reviewing the log records of my GlassFish, I found the following error: SEC5054: Certificate has expired. On the web I found several posts that talk about this message and how to fix it. Let's try it on my server…
First, the message that appears:
[#|2012-08-13T12:59:30.861-0500|SEVERE|oracle-glassfish3.1.1|javax.enterprise.system.ssl.security.com.sun.enterprise.security.ssl.impl|_ThreadID=23;_ThreadName=Thread-2;|SEC5054: Certificate has expired: [
[
Version: V1
Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
Key: SunPKCS11-Solaris RSA public key, 1000 bits (id 4344492960, session object)
modulus: 61447067692223798504301834056552358628701938134333619023095165347295471682292234420881288970904260258749909586244262720279157713
3004337907907626908277644312049652510945843743579397495714492319017265554627911279606663545554578630064774588835378100235941276611277541085
1780140804282673804950495744761467
public exponent: 65537
Validity: [From: Tue Nov 08 18:00:00 CST 1994,
To: Thu Jan 07 17:59:59 CST 2010]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
SerialNumber: [ 02ad667e 4e45fe5e 576f3c98 195eddc0]
]
But how do I know which one has expired? It turns out that in my GlassFish installation directory (./glassfish/domains/domain1/config) I find the following files:
-rw------- 1 root root 31K Feb 17 2010 cacerts.jks
-rw------- 1 root root 1.4K Feb 17 2010 keystore.jks
I analyze each file until I find which one has expired:
keytool -list -v -keystore cacerts.jks
keytool -list -v -keystore keystore.jks
root@sapapp # keytool -list -v -keystore cacerts.jks|more
Enter keystore password: (the default password is changeit)
Keystore type: jks
Keystore provider: SUN
Your keystore contains 34 entries
Alias name: equifaxsecureebusinessca1
Creation date: Jul 18, 2003
Entry type: trustedCertEntry
Owner: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Issuer: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Serial number: 4
Valid from: Sun Jun 20 23:00:00 CDT 1999 until: Sat Jun 20 23:00:00 CDT 2020
Certificate fingerprints:
MD5: 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
SHA1: DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
*******************************************
*******************************************
Alias name: verisignclass1g3ca
Creation date: Mar 25, 2004
Entry type: trustedCertEntry
It turns out the problematic one is:
Alias name: verisignserverca
Creation date: Jun 29, 1998
Entry type: trustedCertEntry
Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2ad667e4e45fe5e576f3c98195eddc0
Valid from: Tue Nov 08 18:00:00 CST 1994 until: Thu Jan 07 17:59:59 CST 2010
Certificate fingerprints:
MD5: 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
SHA1: 44:63:C5:31:D7:CC:C1:00:67:94:61:2B:B6:56:D3:BF:82:57:84:6F
We verify again:
# keytool -list -v -alias verisignserverca -keystore cacerts.jks
Enter keystore password: changeit
Alias name: verisignserverca
Creation date: Jun 29, 1998
Entry type: trustedCertEntry
Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2ad667e4e45fe5e576f3c98195eddc0
Valid from: Tue Nov 08 18:00:00 CST 1994 until: Thu Jan 07 17:59:59 CST 2010
Certificate fingerprints:
MD5: 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
SHA1: 44:63:C5:31:D7:CC:C1:00:67:94:61:2B:B6:56:D3:BF:82:57:84:6F
We proceed to delete that entry:
# keytool -list -v -alias verisignserverca -keystore cacerts.jks
Enter keystore password: changeit
Alias name: verisignserverca
Creation date: Jun 29, 1998
Entry type: trustedCertEntry
Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2ad667e4e45fe5e576f3c98195eddc0
Valid from: Tue Nov 08 18:00:00 CST 1994 until: Thu Jan 07 17:59:59 CST 2010
Certificate fingerprints:
MD5: 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
SHA1: 44:63:C5:31:D7:CC:C1:00:67:94:61:2B:B6:56:D3:BF:82:57:84:6F
# keytool -delete -v -alias verisignserverca -keystore cacerts.jks
Enter keystore password: changeit
[Storing cacerts.jks]
We validate that it is no longer there:
# keytool -list -v -alias verisignserverca -keystore cacerts.jks
Enter keystore password: changeit
keytool error: java.lang.Exception: Alias
#
Now we restart our GlassFish:
bin/asadmin stop-domain domain1 ; bin/asadmin start-domain domain1
Done!
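An added example (not part of the original post): instead of paging through `keytool -list -v` by eye, this shell function reads that output and prints every alias whose certificate expired before a cutoff date. The names `expired_aliases` and `sample_listing` are hypothetical, the sample input is trimmed from the listing shown above, and English date output from keytool is assumed.

```shell
#!/bin/sh
# Added example, not from the original post.
# expired_aliases: read `keytool -list -v` output on stdin and print
# "<alias> <YYYYMMDD>" for every certificate that expired before the cutoff.
# $1 = cutoff as YYYYMMDD (default: today). Assumes English date output.
expired_aliases() {
    cutoff="${1:-$(date +%Y%m%d)}"
    awk -v cutoff="$cutoff" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= n; i++) month[names[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13) }   # keep aliases with spaces
        /^Valid from: / {
            # Format: Valid from: <date> until: Dow Mon DD HH:MM:SS TZ YYYY
            pos = index($0, "until: ")
            if (pos == 0) next
            split(substr($0, pos + 7), f, " ")
            # Flag dates that cannot be parsed instead of hiding them.
            if (!(f[2] in month)) { print alias, "UNPARSED"; next }
            notafter = sprintf("%04d%02d%02d", f[6], month[f[2]], f[3])
            if (notafter + 0 < cutoff + 0) print alias, notafter
        }
    '
}

# Sample input: two entries trimmed from the listing shown in the post.
sample_listing() {
    cat <<'EOF'
Alias name: equifaxsecureebusinessca1
Creation date: Jul 18, 2003
Entry type: trustedCertEntry
Valid from: Sun Jun 20 23:00:00 CDT 1999 until: Sat Jun 20 23:00:00 CDT 2020
Alias name: verisignserverca
Creation date: Jun 29, 1998
Entry type: trustedCertEntry
Valid from: Tue Nov 08 18:00:00 CST 1994 until: Thu Jan 07 17:59:59 CST 2010
EOF
}

# Cutoff = date of the SEC5054 log line; prints: verisignserverca 20100107
sample_listing | expired_aliases 20120813
```

Against a real keystore the input would come from `keytool -list -v -keystore cacerts.jks -storepass changeit | expired_aliases`. Copy cacerts.jks aside before running `keytool -delete`, so the trust store can be restored if the wrong alias is removed.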
Reference: http://omadom.wordpress.com/2012/08/13/glassfish-error-sec5054-certificate-has-expired/