I am using Liberty 16.0.0.4 and I want to get an image from a Facebook account, so I ran the following command to add the Facebook certificate to the Liberty server:

keytool  -importcert -keystore /pathToServer/Servers/'03- Liberty 16.0.0.4'/wlp/usr/servers/MyProjectServer/resources/key.jks -file facebook.crt -alias facebooksigner

The certificate was successfully added to the Liberty key.jks file, and I see it when I list the certificates in this file.

But my problem is that when I try to get the image using URL url = new URL(pictureUrl);

it fires:

[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US was sent from the target host.

Note: I added <keyStore id="defaultKeyStore" password="{xor}EzY9Oi0rJg=="/> to server.xml.

So can you guess why this happens? Thanks :)

mibrahim.iti

2 Answers

For SSL to work, the client needs to trust the chain that the server presents to it - from the top (root) level all the way down.

You say that you've put a Facebook cert into your trust store, but is the full chain trusted? At the very least, the root CA that signed the Facebook cert needs to be in the trust store.

Catchwa

In 16.0.0.4 (and earlier), Java SE APIs will never use the keystore or truststore defined in server.xml. They'll use the JRE's 'cacerts' or whatever alternative you define in the well-known SE system properties that control the trust and key stores.

In 17.0.0.1 (and later), Java SE callers can use keystores defined in server.xml if transportSecurity-1.0 is loaded.

covener
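
As an added example (not code from either answer or from Liberty), this Java check follows the point above: it prints which trust store Java SE callers such as `new URL(...)` fall back to and whether a given certificate file, for example `facebook.crt`, is in it. The class name `WhichTrustStore` and the command-line arguments are assumptions; the lookup order is the standard JSSE one (`javax.net.ssl.trustStore`, then `jssecacerts`, then `cacerts`).

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Added example; WhichTrustStore is a hypothetical name, not part of Liberty.
public class WhichTrustStore {

    // JSSE default lookup order: javax.net.ssl.trustStore, then jssecacerts, then cacerts.
    static File defaultTrustStore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null && !configured.isEmpty()) {
            return new File(configured);
        }
        File security = new File(System.getProperty("java.home"), "lib/security");
        File jssecacerts = new File(security, "jssecacerts");
        return jssecacerts.isFile() ? jssecacerts : new File(security, "cacerts");
    }

    // Returns the alias under which cert is stored, or null if the store does not contain it.
    static String aliasOf(File storeFile, char[] password, Certificate cert) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storeFile)) {
            store.load(in, password); // a null password only skips the integrity check
        }
        return store.getCertificateAlias(cert);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 && args.length != 3) {
            System.err.println("usage: WhichTrustStore <cert-file> [<other-store> <password>]");
            return;
        }
        Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        File jvmStore = defaultTrustStore();
        System.out.println("Java SE default trust store: " + jvmStore);
        System.out.println("  certificate alias there:   " + aliasOf(jvmStore, null, cert));
        if (args.length == 3) { // optional second store to compare, e.g. the server's key.jks
            File other = new File(args[1]);
            System.out.println("Compared store: " + other);
            System.out.println("  certificate alias there:   " + aliasOf(other, args[2].toCharArray(), cert));
        }
    }
}
```

Run it with the same JVM options as the server so the system properties match. Passing the issuing CA's certificate instead of the leaf checks whether the root of the chain is in the store.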