Skip to content

Instantly share code, notes, and snippets.

@Firefishy

Firefishy/URLConnectionReader.java

Created October 20, 2015 12:42
Show Gist options
  • Save Firefishy/b2e606c42edcc4f513ba to your computer and use it in GitHub Desktop.
Save Firefishy/b2e606c42edcc4f513ba to your computer and use it in GitHub Desktop.
Download ZIP
Java test HTTPS request to https://helloworld.letsencrypt.org/
Raw
URLConnectionReader.java
// Based on java example: http://docs.oracle.com/javase/tutorial/networking/urls/readingWriting.html
// save as: URLConnectionReader.java
// compile using JDK: javac URLConnectionReader.java
// run: java URLConnectionReader
// good path: returns HTML
// bad path: throws an exception
import java.net.*;
import java.io.*;
public class URLConnectionReader {
public static void main(String[] args) throws Exception {
URL oracle = new URL("https://helloworld.letsencrypt.org/");
URLConnection yc = oracle.openConnection();
BufferedReader in = new BufferedReader(new InputStreamReader(
yc.getInputStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);
in.close();
}
}
@chrisDeFouRire
Copy link

Is it working for you ?

I'm getting errors, only for helloworld.letsencrypt.org and probably other letsencypt domains, my code works for other HTTPS servers...
I'm using Java8 / OSX

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've even tried adding their root CA in the truststore but it doesn't work either...

Enabling ssl debug info shows
Unparseable CertificatePolicies extension due to java.io.IOException: No data available in policyQualifiers

I'm stuck now...

@Firefishy
Copy link
Author

@chrisDeFouRire Letsencrypt is not in the default list of CAs in the Oracle Java JDK. Discussion here: https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134

@Firefishy
Copy link
Author

Confirmed working with Oracle JDK >= 8u101 (final release)

@Firefishy
Copy link
Author

Also Oracle JDK >= 7u111

@VVD
Copy link

VVD commented Sep 16, 2016

Error still here.
$ java -version
openjdk version "1.8.0_102"
OpenJDK Runtime Environment (build 1.8.0_102-b14)
OpenJDK 64-Bit Server VM (build 25.102-b14, mixed mode)

After copy /usr/local/linux-oracle-jdk1.8.0/jre/lib/security/cacerts to /usr/local/openjdk8/jre/lib/security/cacerts all work fine => OpenJDK have old cacerts without trust for letsencrypt.

@g0ddest
Copy link

g0ddest commented Oct 25, 2016

java -version
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

Error still there.

@yglodt
Copy link

yglodt commented Oct 31, 2016

This SO-answer shows how to import the letsencrypt security chain, which "solves" the issue, even on a Raspberry Pi with jre 1.8.0_65:

http://stackoverflow.com/a/35454903/272180

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment