
Hello,

Note that asking whether you trust a site and actually being able to establish a secure connection to that site are two different things.

> <oXygen/> first asked whether I wanted to allow and trust the site

This is indeed Oxygen asking if you will allow opening a resource from a website that is not listed in its trusted hosts (Options > Preferences, Network Connection Settings > Trusted Hosts).

> and when I told it that I did, <oXygen/> refused to load it, telling me that:
>
> Cannot open the specified file. There was a problem establishing the secure HTTPS connection. In case the server you are trying to connect to uses self-signed certificates, read the 'Troubleshooting HTTPS' section from the user manual. Full error message: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: *unable to find valid certification path to requested target*

Oxygen is a Java application and this is the underlying Java HTTPS/SSL protocol saying it cannot verify the certificate used by the site and thus cannot establish a secure connection. The most common problem in such cases is that the HTTPS server either uses a self-signed certificate or is not correctly configured in that it only provides the certificate itself (which may be issued by an authority), but without the intermediate certificate (or chain of certificates) up to the trusted root certificate of the authority. Web browsers sometimes have the intermediate certificate in their trusted keystore, but Java doesn't.

> When I browse my Keychain (under System Roots -> Certificates) I see "DST Root CA X3", and nothing else that comes close to matching what I see when I view the certificate in Chrome.
> I was notified that "Certificate already exists in system-wide CA keystore under alias <identrustdstx3>

Since you mention that it says the certificate already exists, the root isn't the certificate that is missing, it's most likely an intermediate certificate that is missing.

You can check the site in question with an online SSL test tool like https://www.ssllabs.com/ssltest/ Look for "Chain issues" in the report and look for Java 8 in the list of "Handshake Simulation".

Anyway, on macOS it's a somewhat difficult process to actually import the site certificate to the Java trusted keystore. A simple workaround is to check the option "Automatically accept a security certificate, even if invalid" from "Options > Preferences, Network Connection Settings / HTTP(S)/WebDAV". Please note that this is a global option, so this applies to all sites.

Regards,
Adrian

On 16.01.2020 20:23, David Birnbaum wrote:
Dear oxygen-user,
Thank you, Lee, for pointing me toward the online explanation, but it doesn't help. The instructions seem to have been written for Windows, and I tried adapting them for MacOS, so perhaps that's the source of my difficulty. Here are the details:
A few data points:
I see no option when viewing the certificate in either Chrome or Firefox (by clicking on the security icon immediately to the left of the URL) to export or save the certificate. The instructions at the link Lee mentioned say that I should be able to view a certificate from the browser and then save it to file, but I don't see an option to do that.
The browser accepts the certificate without a question, and doesn't report it as self-signed. It is reported as issued by "Let's Encrypt Authority X3" (under "DST Root CA X3"). Only <oXygen/> seems to think that it is self-signed.
What I tried:
When I browse my Keychain (under System Roots -> Certificates) I see "DST Root CA X3", and nothing else that comes close to matching what I see when I view the certificate in Chrome. I guessed that this was what I wanted, and I exported it from the Keychain, navigated to the JRE folder for <oXygen/>, adjusted the instructions for MacOS (they were written for Windows, with backslashes and explicit paths), and ran the import command. I was notified that "Certificate already exists in system-wide CA keystore under alias <identrustdstx3> Do you still want to add it to your own keystore?". I told it "no" and restarted <oXygen/> and was not able to open the remote URL. So I ran the import again, told it "yes" this time, restarted <oXygen/>, and got the same error about not being able to open the URL.
Best,
David
On Thu, Jan 16, 2020 at 1:00 PM <oxygen-user-request@oxygenxml.com> wrote:
Message: 1
Date: Wed, 15 Jan 2020 17:25:41 +0000
From: "Hart, Lee" <hleehart@amazon.com>
To: oxygen-user@oxygenxml.com
Subject: Re: [oXygen-user] self-signed certificates
I tried opening a file from a URL on a site that uses a self-signed certificate. <oXygen/> first asked whether I wanted to allow and trust the site, and when I told it that I did, <oXygen/> refused to load it, telling me that:
Cannot open the specified file. There was a problem establishing the secure HTTPS connection. In case the server you are trying to connect to uses self-signed certificates, read the 'Troubleshooting HTTPS' section from the user manual. Full error message: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I'm running XML Editor 21.1, build 2019120214, with the bundled Java, on MacOS Mojave. How do I communicate to <oXygen/> that it should trust this site? I tried adding an exception for the site to my Java configuration, which didn't help, and I then realized that that was probably because those exceptions are for my system Java, and <oXygen/> is using its own.
The instructions at Troubleshooting HTTPS<https://www.oxygenxml.com/doc/versions/21.1/ug-author/topics/import-https-server-certificate.html> in the user manual seem straightforward – where did you have problems following them?
Lee
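Adrian's reply at the top of this thread suggests checking the site's chain with SSL Labs; the following is an added example (not from the thread, and not part of oXygen) that performs the same check locally with Java's own trust store, so the "PKIX path building failed" verdict can be reproduced and the chain the server actually sends can be inspected without enabling the global "accept any certificate" option. It assumes the hostname is passed as the first command-line argument and an optional port as the second.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
// Prints the certificate chain a server presents and whether this JRE's default trust
// store (cacerts) can build a path for it. Run it with the Java bundled with oXygen.
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];                                   // hostname, first argument
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                               // null selects the default cacerts
        final X509TrustManager dflt = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] presented = new X509Certificate[1][];
        final String[] verdict = { "accepted by the default trust store" };
        // Records the chain, then defers to the real validator: trust is not weakened.
        X509TrustManager recorder = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return dflt.getAcceptedIssuers(); }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                dflt.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                presented[0] = c;
                try {
                    dflt.checkServerTrusted(c, a);
                } catch (CertificateException e) {
                    verdict[0] = "REJECTED: " + e.getMessage();  // e.g. "PKIX path building failed: ..."
                    throw e;
                }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();                                  // invokes checkServerTrusted
        } catch (SSLHandshakeException e) { /* chain rejected; it was recorded before the failure */ }
        X509Certificate[] chain = presented[0];
        if (chain == null) { System.out.println("No certificate chain received from " + host); return; }
        System.out.println("Chain presented by " + host + ": " + chain.length + " certificate(s)");
        for (int i = 0; i < chain.length; i++) {
            System.out.println("  [" + i + "] subject: " + chain[i].getSubjectX500Principal());
            System.out.println("      issuer:  " + chain[i].getIssuerX500Principal());
        }
        // A single certificate whose issuer is not a root in cacerts means the server omits the
        // intermediate; a longer chain that is still rejected means the root itself is missing.
        System.out.println("Verdict: " + verdict[0]);
    }
}
```

Running it with the JRE bundled with oXygen (rather than the system Java) shows exactly the trust store oXygen consults, which is the distinction David ran into when his Java exception did not help.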