“Certificate has expired” in log by starting Glassfish 3.1.2

Question

Today by starting my glassfish I saw an error message about a certificate that has expired...

Can someone help me and say what I can/must do?

Here the message:

     ...
     [exec]
     [exec] [#|2013-08-15T08:57:42.106+0200|INFO|glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.services.impl|_ThreadID=39;_ThreadName=Thread-2;|Grizzly
Framework 1.9.50 started in: 16ms - bound to [0.0.0.0:1307 6]|#]
     [exec]
     [exec] [#|2013-08-15T08:57:42.262+0200|INFO|glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=1;_ThreadName=Thread-2;|GlassFish
Server Open Source Edition 3.1.2.2 (5) startup time : Felix (1'1
23ms), startup services(609ms), total(1'732ms)|#]
     [exec]
     [exec] [#|2013-08-15T08:57:42.309+0200|SEVERE|glassfish3.1.2|javax.enterprise.system.ssl.security.com.sun.enterprise.security.ssl.impl|_ThreadID=40;_ThreadName=Thread-2;|SEC5054:
Certificate has expired: [
     [exec] [
     [exec]   Version: V3
     [exec]   Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
     [exec]   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
     [exec]
     [exec]   Key:  Sun RSA public key, 2048 bits
     [exec]   modulus: 237418898293472616608124373663877543854434319738611148654904141538840503317458119685231168476255701465927369352097185652960533868421359855348631579831288127741629980536737464707822524076734022381468699944387
29551246768368782318393878374421033907597162218758024581735139682087126982809511479059100617027892880227587855877479432885604404402435662802390484099065871430585284534529627347717530352189612077130606642676951640071336717026459037
542552927905851171460589361570392199748753414855675665635003335769915908187224347232807336022456537328962095005323382940080676931822787496212635993279098588863972868266229522169377
     [exec]   public exponent: 65537
     [exec]   Validity: [From: Fri Aug 14 16:50:00 CEST 1998,
     [exec]                To: Thu Aug 15 01:59:00 CEST 2013]
     [exec]   Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
     [exec]   SerialNumber: [    01b6]
     [exec]
     [exec] Certificate Extensions: 4
     [exec] [1]: ObjectId: 2.5.29.19 Criticality=true
     [exec] BasicConstraints:[
     [exec]   CA:true
     [exec]   PathLen:5
     [exec] ]
     [exec]
     [exec] [2]: ObjectId: 2.5.29.32 Criticality=false
     [exec] CertificatePolicies [
     [exec]   [CertificatePolicyId: [1.2.840.113763.1.2.1.3]
     [exec] []  ]
     [exec] ]
     [exec]
     [exec] [3]: ObjectId: 2.5.29.15 Criticality=true
     [exec] KeyUsage [
     [exec]   Key_CertSign
     [exec]   Crl_Sign
     [exec] ]
     [exec]
     [exec] [4]: ObjectId: 2.5.29.14 Criticality=false
     [exec] SubjectKeyIdentifier [
     [exec] KeyIdentifier [
     [exec] 0000: 76 0A 49 21 38 4C 9F DE   F8 C4 49 C7 71 71 91 9D  v.I!8L....I.qq..
     [exec] ]
     [exec] ]
     [exec]
     [exec] ]
     [exec]   Algorithm: [SHA1withRSA]
     [exec]   Signature:
     [exec] 0000: 41 3A D4 18 5B DA B8 DE   21 1C E1 8E 09 E5 F1 68  A:..[...!......h
     [exec] 0010: 34 FF DE 96 F4 07 F5 A7   3C F3 AC 4A B1 9B FA 92  4.......<..J....
     [exec] 0020: FA 9B ED E6 32 21 AA 4A   76 C5 DC 4F 38 E5 DF D5  ....2!.Jv..O8...
     [exec] 0030: 86 E4 D5 C8 76 7D 98 D7   B1 CD 8F 4D B5 91 23 6C  ....v......M..#l
     [exec] 0040: 8B 8A EB EA 7C EF 14 94   C4 C6 F0 1F 4A 2D 32 71  ............J-2q
     [exec] 0050: 63 2B 63 91 26 02 09 B6   80 1D ED E2 CC B8 7F DB  c+c.&...........
     [exec] 0060: 87 63 C8 E1 D0 6C 26 B1   35 1D 40 66 10 1B CD 95  .c...l&.5.@f....
     [exec] 0070: 54 18 33 61 EC 13 4F DA   13 F7 99 AF 3E D0 CF 8E  T.3a..O.....>...
     [exec] 0080: A6 72 A2 B3 C3 05 9A C9   27 7D 92 CC 7E 52 8D B3  .r......'....R..
     [exec] 0090: AB 70 6D 9E 89 9F 4D EB   1A 75 C2 98 AA D5 02 16  .pm...M..u......
     [exec] 00A0: D7 0C 8A BF 25 E4 EB 2D   BC 98 E9 58 38 19 7C B9  ....%..-...X8...
     [exec] 00B0: 37 FE DB E2 99 08 73 06   C7 97 83 6A 7D 10 01 2F  7.....s....j.../
     [exec] 00C0: 32 B9 17 05 4A 65 E6 2F   CE BE 5E 53 A6 82 E9 9A  2...Je./..^S....
     [exec] 00D0: 53 0A 84 74 2D 83 CA C8   94 16 76 5F 94 61 28 F0  S..t-.....v_.a(.
     [exec] 00E0: 85 A7 39 BB D7 8B D9 A8   B2 13 1D 54 09 34 24 7D  ..9........T.4$.
     [exec] 00F0: 20 81 7D 66 7E A2 90 74   5C 10 C6 BD EC AB 1B C2   ..f...t\.......
     [exec]
     [exec] ]|#] ...

Answer 1

The certificate of GTE Cybertrust Solutions inc has expired this night.

As stated here: https://forums.oracle.com/thread/2563077 the alias of this certificate is: gtecybertrust5ca

As long as it is a standalone Glassfish you can follow this guide: https://blogs.oracle.com/ramkri/entry/sec5054_certificate_has_expired_error

I have the same problem, but with the embedded Glassfish 3.1.2.2 used by Arquillian. I don't know where the certificates are stored in this embedded setup. Any hints are appreciated.

UPDATE for an embedded setup: To fix the certificate while using an embedded glassfish, just copy a fixed version of the cacerts.jks from the standalone glassfish installation <glassfish_home>/glassfish/domains/<your_domain>/config/cacerts.jks to your resource directory. E.g. when using maven and arquillian, just copy the file to <projectRoot>/src/test/resources/config/cacerts.jks. The embedded glassfish will pick up this configuration!

This is the solution from this post: Arquillian Embedded Glassfish Certificate Expired

Answer 2

We are also using embedded Glassfish and Arquillian for our integration tests and unfortunately we cannot run any tests before a new release of the embedded Glassfish is released. In the meantime, this is what I did:

1. Find the embedded Glassfish jar in your local Maven cache. Mine was in \path\to\local\maven\repo\org\glassfish\main\extras\glassfish-embedded-all\3.1.2\glassfish-embedded-all-3.1.2.jar
2. Open the JAR with some archiving software. I used 7-zip.
3. Extract config\cacerts.jks to some folder.
4. Execute \path\to\jdk\bin\keytool -delete -v -alias gtecybertrust5ca -keystore cacerts.jks. When asked for password enter: changeit
5. Copy cacerts.jks back to the glassfish embedded jar overwriting the old keystore.
6. Run your tests again.

Just found a similar solution by heather92115 in a linked post (https://stackoverflow.com/a/18343639/1540666) which my be a bit better. Just remember to delete the modified keystore from your project when an updated embedded Glassfish is released.

Answer 3

My OS is windows 2003 system and I solved the problem as follows

1. i opened the cmd console of windows system in C:\glassfish3\jdk 7\bin, in that folder was the keytool

2. Find all cacerts.jks in the glassfish directory, in my case i find them all in C:\glassfish3\glassfish\domains\domain1\config and C:\glassfish3\glassfish\lib\templates

3. list all certificates from cacerts.jks, the keytool from java can do that. I copied the cacerts.jks file in the keytool folder but is optional if keytool is working well : C:\glassfish3\jdk7\bin>keytool -list -v -keystore cacerts.jks -storepass changeit > listaCertificados.txt

4. in the listaCertificados.txt file created in the previous step, I checked all expired certificates

5. i deleted the gtecybertrust5ca certified that expired in august 2013. The command is: keytool -delete -alias gtecybertrust5ca -keystore cacerts.jks -storepass changeit

6. i changed the cacerts.jks's name file that was it in C:\glassfish3\glassfish\domains\domain1\config, then i copied the cacerts.jks file from C:\glassfish3\jdk7\bin to C:\glassfish3\glassfish\domains\domain1\config

7. i applied the same procedure to C:\glassfish3\glassfish\lib\templates\cacerts.jks

8. finally i reloaded the glassfish server

Sorry for my english, i don´t speak that language but i want to help

Answer 4

just do

domain=domain1
asadmin stop-domain $domain
cd $(dirname `which asadmin`)/../glassfish/domains/config
cp cacerts.jks{,.bak}
keytool -delete -alias gtecybertrust5ca -keystore cacerts.jks -storepass changeit
cd -
asadmin start-domain $domain

Answer 5

The solution BoneGoat supplied also worked for the glassfish-embedded-web-3.1.2.2.jar. Since I am using Maven, I followed the BoneGoat's steps for the jar and then uploaded to our local Nexus repository with a an updated version name. I then updated my dependencies:

                <groupId>org.glassfish.main.extras</groupId>
                <artifactId>glassfish-embedded-web</artifactId>
                <version>3.1.2.2-fixed-cert</version>
                <scope>test</scope>

Note: I did not have luck using the 4.0 version of the jar. (There may be some incompatibilities with arquillian and the new version.)

You may also find useful information in this question Arquillian Embedded Glassfish Certificate Expired

Answer 6

Solutions in other answers may work....

However, I recommend to not to waste your time messing with certificates, just re-install Glassfish and it would be fixed.

Answer 7

You can now get the certs as part of the OpenJDK package - see https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates

For a Docker install you can do something like this:

# Set glassfish env
ENV GLASSFISH_HOME /opt/glassfish5/glassfish

# Get latest cacerts from OpenJDK project
RUN wget https://hg.openjdk.java.net/jdk/jdk/raw-file/tip/src/java.base/share/lib/security/cacerts && \
    mv cacerts $GLASSFISH_HOME/domains/domain1/config/cacerts.jks

A manual install would be similar