Total Pageviews

Saturday, February 01, 2014

Solution for “Certificate has expired” in log when starting Glassfish 3.1.2

Since a few weeks my GlassFish installation produces an annoying message whenever it gets started. The message looks like this one posted on stackoverflow:


   ...  
    [exec]  
    [exec] [#|2013-08-15T08:57:42.106+0200|INFO|glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.services.impl|_ThreadID=39;_ThreadName=Thread-2;|Grizzly  
 Framework 1.9.50 started in: 16ms - bound to [0.0.0.0:1307 6]|#]  
    [exec]  
    [exec] [#|2013-08-15T08:57:42.262+0200|INFO|glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=1;_ThreadName=Thread-2;|GlassFish  
 Server Open Source Edition 3.1.2.2 (5) startup time : Felix (1'1  
 23ms), startup services(609ms), total(1'732ms)|#]  
    [exec]  
    [exec] [#|2013-08-15T08:57:42.309+0200|SEVERE|glassfish3.1.2|javax.enterprise.system.ssl.security.com.sun.enterprise.security.ssl.impl|_ThreadID=40;_ThreadName=Thread-2;|SEC5054:  
 Certificate has expired: [  
    [exec] [  
    [exec]  Version: V3  
    [exec]  Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US  
    [exec]  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5  
    [exec]  
    [exec]  Key: Sun RSA public key, 2048 bits  
    [exec]  modulus: 237418898293472616608124373663877543854434319738611148654904141538840503317458119685231168476255701465927369352097185652960533868421359855348631579831288127741629980536737464707822524076734022381468699944387  
 29551246768368782318393878374421033907597162218758024581735139682087126982809511479059100617027892880227587855877479432885604404402435662802390484099065871430585284534529627347717530352189612077130606642676951640071336717026459037  
 542552927905851171460589361570392199748753414855675665635003335769915908187224347232807336022456537328962095005323382940080676931822787496212635993279098588863972868266229522169377  
    [exec]  public exponent: 65537  
    [exec]  Validity: [From: Fri Aug 14 16:50:00 CEST 1998,  
    [exec]        To: Thu Aug 15 01:59:00 CEST 2013]  
    [exec]  Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US  
    [exec]  SerialNumber: [  01b6]  
    [exec]  
    [exec] Certificate Extensions: 4  
    [exec] [1]: ObjectId: 2.5.29.19 Criticality=true  
    [exec] BasicConstraints:[  
    [exec]  CA:true  
    [exec]  PathLen:5  
    [exec] ]  
    [exec]  
    [exec] [2]: ObjectId: 2.5.29.32 Criticality=false  
    [exec] CertificatePolicies [  
    [exec]  [CertificatePolicyId: [1.2.840.113763.1.2.1.3]  
    [exec] [] ]  
    [exec] ]  
    [exec]  
    [exec] [3]: ObjectId: 2.5.29.15 Criticality=true  
    [exec] KeyUsage [  
    [exec]  Key_CertSign  
    [exec]  Crl_Sign  
    [exec] ]  
    [exec]  
    [exec] [4]: ObjectId: 2.5.29.14 Criticality=false  
    [exec] SubjectKeyIdentifier [  
    [exec] KeyIdentifier [  
    [exec] 0000: 76 0A 49 21 38 4C 9F DE  F8 C4 49 C7 71 71 91 9D v.I!8L....I.qq..  
    [exec] ]  
    [exec] ]  
    [exec]  
    [exec] ]  
    [exec]  Algorithm: [SHA1withRSA]  
    [exec]  Signature:  
    [exec] 0000: 41 3A D4 18 5B DA B8 DE  21 1C E1 8E 09 E5 F1 68 A:..[...!......h  
    [exec] 0010: 34 FF DE 96 F4 07 F5 A7  3C F3 AC 4A B1 9B FA 92 4.......<..J....  
    [exec] 0020: FA 9B ED E6 32 21 AA 4A  76 C5 DC 4F 38 E5 DF D5 ....2!.Jv..O8...  
    [exec] 0030: 86 E4 D5 C8 76 7D 98 D7  B1 CD 8F 4D B5 91 23 6C ....v......M..#l  
    [exec] 0040: 8B 8A EB EA 7C EF 14 94  C4 C6 F0 1F 4A 2D 32 71 ............J-2q  
    [exec] 0050: 63 2B 63 91 26 02 09 B6  80 1D ED E2 CC B8 7F DB c+c.&...........  
    [exec] 0060: 87 63 C8 E1 D0 6C 26 B1  35 1D 40 66 10 1B CD 95 .c...l&.5.@f....  
    [exec] 0070: 54 18 33 61 EC 13 4F DA  13 F7 99 AF 3E D0 CF 8E T.3a..O.....>...  
    [exec] 0080: A6 72 A2 B3 C3 05 9A C9  27 7D 92 CC 7E 52 8D B3 .r......'....R..  
    [exec] 0090: AB 70 6D 9E 89 9F 4D EB  1A 75 C2 98 AA D5 02 16 .pm...M..u......  
    [exec] 00A0: D7 0C 8A BF 25 E4 EB 2D  BC 98 E9 58 38 19 7C B9 ....%..-...X8...  
    [exec] 00B0: 37 FE DB E2 99 08 73 06  C7 97 83 6A 7D 10 01 2F 7.....s....j.../  
    [exec] 00C0: 32 B9 17 05 4A 65 E6 2F  CE BE 5E 53 A6 82 E9 9A 2...Je./..^S....  
    [exec] 00D0: 53 0A 84 74 2D 83 CA C8  94 16 76 5F 94 61 28 F0 S..t-.....v_.a(.  
    [exec] 00E0: 85 A7 39 BB D7 8B D9 A8  B2 13 1D 54 09 34 24 7D ..9........T.4$.  
    [exec] 00F0: 20 81 7D 66 7E A2 90 74  5C 10 C6 BD EC AB 1B C2  ..f...t\.......  
    [exec]  
    [exec] ]|#] ...  

There is a simple solution for it. 

Just remove the certificate from the GlassFish keystore. Here is just a simple example used with GlassFish on my Windows developer box. It is slightly different when using a clustered GlassFish.
  1. Open a DOS command shell
  2. Go to the directory $GLASSFISH_INSTALL/glassfish/domains/domain1/config
  3. Type in the following command and execute it
  4.  keytool -delete -alias gtecybertrust5ca -keystore cacerts.jks  
    
  5. In some cases you have to provide a password for the keystore. If you did not change that, it is the default GlassFish keystore password 'changeit'.
  6. You can verify whether the alias was deleted by executing the following command in a DOS shell
  7.  keytool -list -keystore cacerts.jks > keytool.output 
    
  8. Opening the file keytool.output in an editor and doing a search for gtecybertrust5ca should yield an empty result set.