Smart Client WebStart start issue - certificate check failed

Classic Servoy
1

Hi there,

i’ve a SmartClient Webstart issue with two customers (different Servoy Servers).
Both called me today that they can’t start their SmartClient after a restart anymore (and both already worked with the SmartClient today).
They get an error message from Java WebStart.
The message says, that the certificate can not be validated (see attachment).

  • we use a Java Code Signing Certificate from GlobalSign, valid until 2017, signed the whole Servoy Server with it
  • customers are using Mac OS X (10.9.3 and 10.10)
  • Java Version: 1.6.0_43 and 1.6.0_65
  • Servoy Versions: 5.2.15 and Servoy 3.5.x

Because both customers have this issue, i don’t think it’s a thing with their Servoy Servers or installed programs / firewalls.

Does anybody else have these problems until today?

Here is the stacktrace:

java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:715)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(AppPolicy.java:295)
at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1851)
at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:1527)
at com.sun.javaws.Launcher.prepareResources(Launcher.java:1283)
at com.sun.javaws.Launcher.prepareAllResources(Launcher.java:636)
at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:338)
at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:238)
at com.sun.javaws.Launcher.launch(Launcher.java:127)
at com.sun.javaws.Main.launchApp(Main.java:460)
at com.sun.javaws.Main.continueInSecureThread(Main.java:292)
at com.sun.javaws.Main$1.run(Main.java:125)
at java.lang.Thread.run(Thread.java:695)
Caused by: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
at sun.security.provider.certpath.OCSP.check(OCSP.java:222)
at sun.security.provider.certpath.OCSP.check(OCSP.java:120)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(TrustDecider.java:1002)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:696)
… 12 more

Thanks a lot!
Alex

error.PNG
error.PNG773×680 184 KB

2

The issue has to do with the GlobalSign certificate.

When i sign the server new with an old (not GlobalSign) certificate, then everything works again.

Has nobody else problems with it?

Alex

3

Today we had the same issue with one customer. All clients were still using Java 1.6. I updated them to Oracle Java 7 and tried even 8, and everything was working again

4

Yes, with Java 7/8 there’s no problem.
Some of our customers still use Servoy 5 and so it’s no option to jump to Java 7 because of some issues.

Yesterday i contacted the GlobalSign Support and they gave me the clue to reimport the root certificate.
Don’t know if it helps but i’ll try today.
I let you know…

Alex

5

yeah, I believe Apple updated the Java 1.6 in the background, that does break somehow the Globalsign certificate. I don’t know if there is an option in the Java 1.6 control panel, to work-around this.

6

Hi

We have the same problem. But only in our development environment:
OS X 10.9.5
Servoy 7.3.1
Java 1.6.0_65

Customers use Windows. We had no complaints. So far.

Regards
Birgit

7

The strange thing is, since tuesday it works again without any changes on the certificate.
Don’t know whats going on here…

@rieder: Appears the problem today on your Mac?

No problems on Windows so far as well.