Java Certificate Block - but from which jar or app?

Post by Bernd.N » Wed Jun 10, 2020 3:22 pm

Is it possible to find out which plugin or other app is causing the blocking that can be seen from the screenshot?
(Java complains about an expired certificate)

Our usual plugins all have valid certificates.

When I open the complete tree in the "Code Signing Utility" from Patrick Talbot, all jars either have a "locked" symbol or a green symbol with a small s, meaning "signed with current certificate".
There is no jar in the complete tree that shows the symbol for "Signature is expired or invalid".

It does not help to add our JNLP to the Java exception list for the specific user. In other cases, that helped.
Attachment: java_is_blocking_2.jpg
Bernd Korthaus
Servoy 7.4.9 SC postgreSQL 9.4.11 Windows 10 Pro

Re: Java Certificate Block - but from which jar or app?

Post by Bernd.N » Thu Jun 11, 2020 3:03 pm

I just got more information, but I have to wait and see whether this is already a final workaround for the problem for all installations.

It seemed to help to put only the first part of the complete JNLP-path into the exception list, without the JNLP-file itself.
So instead of

http://de1*******to.net:8080/servoy-client/b***.jnlp

we put only the first part into the exception list:

http://de1********to.net:8080

According to this Java doc, that means that this is then the OK for all files below:

https://www.java.com/de/download/faq/exception_sitelist.xml

So any JAR on the Servoy Server that has a certificate problem seems to be accepted after that measure.

The Terminal Server had Java Version 8 Update 144; I recommended updating to 8 Update 231.

Re: Java Certificate Block - but from which jar or app?

Post by sbutler » Thu Jun 11, 2020 8:02 pm

Do you have your own code signing cert that you use or do you use them however they come signed?
If you have your own, download KeyStore Explorer and inspect the key store. Look at each cert in the chain to make sure it didn't expire. https://keystore-explorer.org/
If you don't have your own code signing cert, then one of the third-party certs may have expired. For example, the IT2BE code signing cert we use had the Sectigo root expire, so we released an update a few days ago with updated certs.
Scott Butler
iTech Professionals, Inc.
SAN Partner

Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
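
The check suggested above (look at each certificate in the signer chain for expiry), applied to every JAR under a directory, as an added example that is not part of the original thread and not code from the Code Signing Utility or Servoy. The class name `JarCertAudit` is hypothetical; it uses only the standard `java.util.jar` API, reports the certificates embedded in each JAR's signature, and does not validate trust against a root store.

```java
import java.nio.file.*;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;
import java.util.stream.*;

public class JarCertAudit {
    // Status of one JAR: UNSIGNED, OK, EXPIRED (with the certificates), or INVALID.
    static String audit(Path jar, Date now) {
        Set<String> expired = new TreeSet<>();
        boolean signed = false;
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory()) continue;
                try (java.io.InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { } // signers are known only after a full read
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue;      // unsigned entry (e.g. META-INF files)
                signed = true;
                for (CodeSigner s : signers) {
                    // A timestamped signature can stay valid after the certificate expires.
                    String ts = s.getTimestamp() != null ? " (signature is timestamped)" : "";
                    for (Certificate c : s.getSignerCertPath().getCertificates()) {
                        X509Certificate x = (X509Certificate) c;
                        if (now.after(x.getNotAfter()))
                            expired.add(x.getSubjectX500Principal().getName()
                                    + " expired " + x.getNotAfter() + ts);
                    }
                }
            }
        } catch (java.io.IOException | SecurityException ex) {
            return "INVALID: " + ex.getMessage();   // unreadable JAR or digest mismatch
        }
        if (!signed) return "UNSIGNED";
        return expired.isEmpty() ? "OK" : "EXPIRED: " + expired;
    }

    public static void main(String[] args) throws java.io.IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : "."); // directory to scan
        List<Path> jars;
        try (Stream<Path> files = Files.walk(root)) {
            jars = files.filter(p -> p.toString().endsWith(".jar")).collect(Collectors.toList());
        }
        for (Path p : jars) System.out.println(p + "  " + audit(p, new Date()));
    }
}
```

Pass the directory to scan as the first argument; each line of output names one JAR and its status, so the JARs that are unsigned or carry an expired certificate can be picked out directly.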

Re: Java Certificate Block - but from which jar or app?

Post by Bernd.N » Fri Jun 12, 2020 10:44 am

Thank you for your tip, I will try to do so.

What I really find strange is that only very few users are affected.
Normally, it's "Computer says NO!" in all cases when a certificate is wrong.

And as a quick workaround, I do not know which path I should add to the Java exception list.
All our plugins are below
D:\servoy_new\application_server

Does someone know how to access this very path when the server name on the company network is something like
http://de19axxx.aaa.bbb.net

Re: Java Certificate Block - but from which jar or app?

Post by Bernd.N » Fri Jun 12, 2020 3:43 pm

I just got a hint from Johan to shut down the server first.
After that, I could look again for the complete JAR tree in the Code Signing Utility (after restart of that tool), and actually detected two not properly signed JARs.

Re: Java Certificate Block - but from which jar or app?

Post by kwpsd » Fri Jun 12, 2020 6:57 pm

I know this is after the fact, but I want to mention it for others...

Whenever you run the Code Signer utility, the yellow/gold 'locked' icon indicates that the certificates cannot be accessed, because the Servoy server is running. To fully use Code Signer, you must first stop the Servoy server service, run Code Signer as needed, then restart the Servoy server. I am not certain this is stated in the Code Signer manual... we learned this the hard way.
Kim W. Premuda
San Diego, CA USA