4 MINDS

4MINDS Knowledge Management

Java HTTP request fails with “javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated”


I'm going to clone a colleague's blog post here, just to have one more source for solving the problem:

Java HTTP request fails with “javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated”

https://davidjb.com/blog/2012/02/java-http-request-fails-with-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated/#:~:text=net.,SSLPeerUnverifiedException%3A%20peer%20not%20authenticated%E2%80%9D&text=The%20reason%20the%20error%20is,by%20your%20Java%20instance's%20keystore.

Searching the above-mentioned stack trace reveals lots and lots of results, unsurprisingly. Most results are workarounds where you modify the code, but what about if an application (like Jenkins/Hudson CI, in my case) throws this error at you?

The reason the error is occurring is because the SSL certificate of the target you’re connecting to isn’t considered valid by your Java instance’s keystore. This may be because the certificate itself is invalid, or, in my case, the CA chain couldn’t be validated (my OS is RHEL (Red Hat) 5.7, with OpenJDK 1.6). For completeness, I should also mention that the issue here arose when I asked Jenkins CI to use GitHub OAuth. As GitHub’s SSL certificate has been signed by DigiCert, and this isn’t included within RHEL 5.7, the error arises.

A solution is, assuming you trust the cert or the CA, to add the relevant certificates/root certificates to your Java keystore.

To do so, get your relevant certificates/root certificates, locate your keystore, and add them accordingly:

Link to the Sectigo certificate:

https://www.ssls.com/knowledgebase/wp-content/uploads/2019/09/SectigoRSADV_SHA2.zip

wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt
wget https://www.digicert.com/testroot/DigiCertHighAssuranceEVRootCA.crt
keytool -importcert -storepass changeit -keystore /etc/alternatives/java_sdk/jre/lib/security/cacerts -alias digicertevrootca -file DigiCertHighAssuranceEVRootCA.crt
keytool -importcert -storepass changeit -keystore /etc/alternatives/java_sdk/jre/lib/security/cacerts -alias digicertevca1 -file DigiCertHighAssuranceEVCA-1.crt
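Importing a CA into `cacerts` makes every Java application on the host trust it, so the downloaded file should be checked against the fingerprint the CA publishes before the import. The wrapper below is an added example, not part of the original post: it assumes `openssl` is installed, the function names are hypothetical, and the expected fingerprint is a placeholder you must fill in from a source you already trust.

```shell
#!/bin/sh
# Added example (not from the original post): verify a CA certificate's
# SHA-256 fingerprint before importing it into the Java trust store.
# Function names are hypothetical; openssl is assumed to be installed.

# Normalize a fingerprint: drop any "label=" prefix, colons and spaces,
# and uppercase the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only when both values are the same 64-hex-digit SHA-256 fingerprint.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint of a certificate file (tries PEM, then DER).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256
}

# import_verified <cert-file> <expected-fingerprint> <alias> <keystore>
# Imports only if the file's fingerprint matches, then lists the new entry.
import_verified() {
    actual=$(cert_fp "$1") || { echo "cannot parse $1" >&2; return 2; }
    if ! fp_matches "$actual" "$2"; then
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
    keytool -importcert -storepass changeit -keystore "$4" -alias "$3" -file "$1" &&
        keytool -list -storepass changeit -keystore "$4" -alias "$3"
}

# Usage (placeholder fingerprint; use the value published by the CA):
# import_verified DigiCertHighAssuranceEVRootCA.crt '<SHA-256 fingerprint>' \
#     digicertevrootca /etc/alternatives/java_sdk/jre/lib/security/cacerts
```

After a successful import, restart the Java application (Jenkins, in the post's case) so the JVM reloads the trust store.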