
Glassfish – Error SEC5054: Certificate has expired

Today, while reviewing my GlassFish log files, I found the following error: SEC5054: Certificate has expired. On the web I found several posts that discuss this message and how to fix it. Let's try it on my server…

First, the message that appears:

[#|2012-08-13T12:59:30.861-0500|SEVERE|oracle-glassfish3.1.1|javax.enterprise.system.ssl.security.com.sun.enterprise.security.ssl.impl|_ThreadID=23;_ThreadName=Thread-2;|SEC5054: Certificate has expired: [
[
Version: V1
Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

Key:  SunPKCS11-Solaris RSA public key, 1000 bits (id 4344492960, session object)
modulus: 61447067692223798504301834056552358628701938134333619023095165347295471682292234420881288970904260258749909586244262720279157713
3004337907907626908277644312049652510945843743579397495714492319017265554627911279606663545554578630064774588835378100235941276611277541085
1780140804282673804950495744761467
public exponent: 65537
Validity: [From: Tue Nov 08 18:00:00 CST 1994,
To: Thu Jan 07 17:59:59 CST 2010]
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
SerialNumber: [    02ad667e 4e45fe5e 576f3c98 195eddc0]

]

But how do I know which one has expired? It turns out that in my GlassFish installation directory (./glassfish/domains/domain1/config) I find the following files:

-rw-------   1 root     root         31K Feb 17  2010 cacerts.jks
-rw-------   1 root     root        1.4K Feb 17  2010 keystore.jks

I inspect each file until I find the one that has expired:

keytool -list -v  -keystore cacerts.jks

keytool -list -v  -keystore keystore.jks

root@sapapp # keytool -list -v  -keystore cacerts.jks|more
Enter keystore password: (the default password is changeit)
Keystore type: jks
Keystore provider: SUN

Your keystore contains 34 entries

Alias name: equifaxsecureebusinessca1
Creation date: Jul 18, 2003
Entry type: trustedCertEntry

Owner: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Issuer: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Serial number: 4
Valid from: Sun Jun 20 23:00:00 CDT 1999 until: Sat Jun 20 23:00:00 CDT 2020
Certificate fingerprints:
MD5:  64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
SHA1: DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41

*******************************************
*******************************************

Alias name: verisignclass1g3ca
Creation date: Mar 25, 2004
Entry type: trustedCertEntry

It turns out that the problematic one is:

Alias name: verisignserverca
Creation date: Jun 29, 1998
Entry type: trustedCertEntry

Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2ad667e4e45fe5e576f3c98195eddc0
Valid from: Tue Nov 08 18:00:00 CST 1994 until: Thu Jan 07 17:59:59 CST 2010
Certificate fingerprints:
MD5:  74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
SHA1: 44:63:C5:31:D7:CC:C1:00:67:94:61:2B:B6:56:D3:BF:82:57:84:6F

We verify again:

# keytool -list -v  -alias verisignserverca -keystore  cacerts.jks
Enter keystore password:  changeit
Alias name: verisignserverca
Creation date: Jun 29, 1998
Entry type: trustedCertEntry

Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2ad667e4e45fe5e576f3c98195eddc0
Valid from: Tue Nov 08 18:00:00 CST 1994 until: Thu Jan 07 17:59:59 CST 2010
Certificate fingerprints:
MD5:  74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
SHA1: 44:63:C5:31:D7:CC:C1:00:67:94:61:2B:B6:56:D3:BF:82:57:84:6F

We proceed to delete that entry:

# keytool -list -v  -alias  verisignserverca -keystore  cacerts.jks
Enter keystore password:  changeit
Alias name: verisignserverca
Creation date: Jun 29, 1998
Entry type: trustedCertEntry

Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2ad667e4e45fe5e576f3c98195eddc0
Valid from: Tue Nov 08 18:00:00 CST 1994 until: Thu Jan 07 17:59:59 CST 2010
Certificate fingerprints:
MD5:  74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
SHA1: 44:63:C5:31:D7:CC:C1:00:67:94:61:2B:B6:56:D3:BF:82:57:84:6F
# keytool -delete  -v  -alias  verisignserverca -keystore  cacerts.jks
Enter keystore password:  changeit
[Storing cacerts.jks]

We confirm that it is no longer there:
# keytool -list  -v  -alias  verisignserverca -keystore  cacerts.jks
Enter keystore password:  changeit
keytool error: java.lang.Exception: Alias <verisignserverca> does not exist
#

Now we restart our GlassFish:

bin/asadmin stop-domain domain1 ; bin/asadmin start-domain domain1

Done!
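An added example, not part of the original post: instead of paging through the keytool -list -v output by eye, this shell function reads that listing on stdin and prints every alias whose certificate expired before a given day. The function names, the embedded sample listing (abridged from the output above) and the English-locale date format are assumptions of the example.

```shell
#!/bin/sh
# Added example: list expired entries from `keytool -list -v` output.
# Assumes the English-locale format shown in the post:
#   Valid from: <date> until: <DOW> <Mon> <DD> <HH:MM:SS> <TZ> <YYYY>

# expired_aliases REF_YYYYMMDD
# Reads a keytool listing on stdin; prints "<alias> <end YYYYMMDD>" for each
# certificate whose validity ended before REF. Comparison is by calendar day
# and ignores the time zone, so an entry expiring on REF itself is not reported.
expired_aliases() {
    awk -v ref="$1" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13) }
        /^Valid from: .* until: / {
            sub(/^.* until: /, "")           # $0 is now: DOW Mon DD time TZ YYYY
            if (!($2 in mon)) next           # unknown month name: skip the line
            end = sprintf("%04d%02d%02d", $6, mon[$2], $3)
            if ((end + 0) < (ref + 0)) print alias, end
        }
    '
}

# Constructed sample: two entries abridged from the listing in the post.
sample_listing() {
    cat <<'EOF'
Alias name: equifaxsecureebusinessca1
Entry type: trustedCertEntry

Owner: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Valid from: Sun Jun 20 23:00:00 CDT 1999 until: Sat Jun 20 23:00:00 CDT 2020

Alias name: verisignserverca
Entry type: trustedCertEntry

Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Valid from: Tue Nov 08 18:00:00 CST 1994 until: Thu Jan 07 17:59:59 CST 2010
EOF
}

# Reference day = date of the SEC5054 log entry (2012-08-13).
sample_listing | expired_aliases 20120813

# Against a real store (keep a copy before any keytool -delete):
#   cp -p cacerts.jks cacerts.jks.bak
#   keytool -list -v -keystore cacerts.jks | expired_aliases "$(date +%Y%m%d)"
```

An entry that carries a certificate chain has several "Valid from" lines, so its alias can be printed more than once.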

