Page 1 of 1

Smart Client WebStart start issue - certificate check failed

PostPosted: Thu Oct 30, 2014 6:17 pm
by LXS
Hi there,

i've a SmartClient Webstart issue with two customers (different Servoy Servers).
Both called me today that they can't start their SmartClient after a restart anymore (and both already worked with the SmartClient today).
They get an error message from Java WebStart.
The message says, that the certificate can not be validated (see attachment).

- we use a Java Code Signing Certificate from GlobalSign, valid until 2017, signed the whole Servoy Server with it
- customers are using Mac OS X (10.9.3 and 10.10)
- Java Version: 1.6.0_43 and 1.6.0_65
- Servoy Versions: 5.2.15 and Servoy 3.5.x

Because both customers have this issue, i don't think it's a thing with their Servoy Servers or installed programs / firewalls.

Does anybody else have these problems until today?

Here is the stacktrace:

java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:715)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(AppPolicy.java:295)
at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1851)
at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:1527)
at com.sun.javaws.Launcher.prepareResources(Launcher.java:1283)
at com.sun.javaws.Launcher.prepareAllResources(Launcher.java:636)
at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:338)
at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:238)
at com.sun.javaws.Launcher.launch(Launcher.java:127)
at com.sun.javaws.Main.launchApp(Main.java:460)
at com.sun.javaws.Main.continueInSecureThread(Main.java:292)
at com.sun.javaws.Main$1.run(Main.java:125)
at java.lang.Thread.run(Thread.java:695)
Caused by: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
at sun.security.provider.certpath.OCSP.check(OCSP.java:222)
at sun.security.provider.certpath.OCSP.check(OCSP.java:120)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(TrustDecider.java:1002)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:696)
... 12 more

Thanks a lot!
Alex

Re: Smart Client WebStart start issue - certificate check fa

PostPosted: Mon Nov 03, 2014 11:43 am
by LXS
The issue has to do with the GlobalSign certificate.

When i sign the server new with an old (not GlobalSign) certificate, then everything works again.

Has nobody else problems with it?

Alex

Re: Smart Client WebStart start issue - certificate check fa

PostPosted: Mon Nov 03, 2014 8:55 pm
by Harjo
Today we had the same issue with one customer. All clients were still using Java 1.6. I updated them to Oracle Java 7 and tried even 8, and everything was working again

Re: Smart Client WebStart start issue - certificate check fa

PostPosted: Tue Nov 04, 2014 11:08 am
by LXS
Yes, with Java 7/8 there's no problem.
Some of our customers still use Servoy 5 and so it's no option to jump to Java 7 because of some issues.

Yesterday i contacted the GlobalSign Support and they gave me the clue to reimport the root certificate.
Don't know if it helps but i'll try today.
I let you know...

Alex

Re: Smart Client WebStart start issue - certificate check fa

PostPosted: Tue Nov 04, 2014 3:44 pm
by Harjo
yeah, I believe Apple updated the Java 1.6 in the background, that does break somehow the Globalsign certificate. I don't know if there is an option in the Java 1.6 control panel, to work-around this.

Re: Smart Client WebStart start issue - certificate check fa

PostPosted: Thu Nov 06, 2014 10:48 am
by rieder
Hi

We have the same problem. But only in our development environment:
OS X 10.9.5
Servoy 7.3.1
Java 1.6.0_65

Customers use Windows. We had no complaints. So far.

Regards
Birgit

Re: Smart Client WebStart start issue - certificate check fa

PostPosted: Thu Nov 06, 2014 10:57 am
by LXS
The strange thing is, since tuesday it works again without any changes on the certificate.
Don't know whats going on here...

@rieder: Appears the problem today on your Mac?

No problems on Windows so far as well.