Call https://{custom_doman}/.well-known/jwks.json being blocked caused by certificates rejected

wei_tao · October 29, 2019, 6:27am

When applications post a API request with auth0_token to web service which is running in the java run-time server ,it will set up connection to below url ,

https://{customer_server_domain}/service/api/test – which is secured by token issued by Auth0 .

It always return 401 error caused by connection failed as there are certificates issues, I captured the log here , it indicates that certificate rejected.

Cannot establish connection to URL https://{auth0_custom_domain}:443/.well-known/jwks.json. Ensure that you have maintained valid server certificates for this URL in the trust store. See also note 2479773.
[EXCEPTION]
org.w3c.www.protocol.http.HttpException: Peer certificate rejected by ChainVerifier
iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
at iaik.security.ssl.y.a(SourceFile:932)
at iaik.security.ssl.n.b(SourceFile:1066)
at iaik.security.ssl.n.a(SourceFile:1503)
at iaik.security.ssl.y.d(SourceFile:784)
at iaik.security.ssl.SSLTransport.startHandshake(SourceFile:569)
at iaik.security.ssl.SSLTransport.getOutputStream(SourceFile:648)
at iaik.security.ssl.SSLSocket.getOutputStream(SourceFile:391)
at org.w3c.www.protocol.http.HttpBasicConnection.a(SourceFile:463)
at org.w3c.www.protocol.http.HttpBasicServer.getConnection(SourceFile:449)
at org.w3c.www.protocol.http.HttpBasicServer.runRequest(SourceFile:1211)
at org.w3c.www.protocol.http.HttpManager.runRequest(SourceFile:1191)
at org.w3c.www.protocol.http.HttpURLConnection.connect(SourceFile:322)
at com.sap.engine.httpdsrclient.protocols.instrumented.https.DSRHttpsURLConnection.connect(DSRHttpsURLConnection.java:91)
at org.w3c.www.protocol.http.HttpURLConnection.a(SourceFile:178)
at org.w3c.www.protocol.http.HttpURLConnection.getInputStream(SourceFile:550)
at com.sap.engine.httpdsrclient.protocols.instrumented.https.DSRHttpsURLConnection.getInputStream(DSRHttpsURLConnection.java:123)
at com.auth0.jwk.UrlJwkProvider.getJwks(UrlJwkProvider.java:100)
at com.auth0.jwk.UrlJwkProvider.getAll(UrlJwkProvider.java:113)
at com.auth0.jwk.UrlJwkProvider.get(UrlJwkProvider.java:131)
at com.auth0.jwk.RateLimitedJwkProvider.get(RateLimitedJwkProvider.java:30)
at com.auth0.jwk.GuavaCachedJwkProvider$1.call(GuavaCachedJwkProvider.java:54)
at com.auth0.jwk.GuavaCachedJwkProvider$1.call(GuavaCachedJwkProvider.java:51)
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:5058)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3708)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2416)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2299)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2212)
at com.google.common.cache.LocalCache.get(LocalCache.java:4147)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:5053)
at com.auth0.jwk.GuavaCachedJwkProvider.get(GuavaCachedJwkProvider.java:51)
at com.auth0.spring.security.api.JwtAuthenticationProvider.jwtVerifier(JwtAuthenticationProvider.java:89)
at com.auth0.spring.security.api.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:57)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////

I do installed certificates on this server ,and tested on server with openssl as below command

root@###:/home/root# openssl s_client -servername {auth0_custom_domain} -connect {auth0_customer_domain} :443 -showcerts

that prints out that certificates certificate information in console as below

CONNECTED(00000004)

depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3

*verify error:num=20:unable to get local issuer certificate // don’t worry about this error as we haven’t specify the certificate here in command, but the certificates still have been found as below *

—

Certificate chain

0 s:/CN={auth0_custom_domain}

i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

-----BEGIN CERTIFICATE-----
############################
-----END CERTIFICATE-----

So my question is why the certificates is going to be wrong when the server try to connect to https://{custom_doman}/.well-known/jwks.json from API call however if I call the jwks url directly with openssl command it will be ok ?

Should I need to specify the certificate prior to connecting to https://{custom_doman}/.well-known/jwks.json on the server which is web service built by spring framework ?

Here are I just attached a piece of code related to auth0 security set up in SecurityJavaConfig.java

////////////////////////////////////////////////////////
@Value(value = “${auth0.apiAudience}”)
private String apiAudience;
@Value(value = “${auth0.issuer}”)
private String issuer;

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.cors();
    JwtWebSecurityConfigurer.forRS256(apiAudience, issuer).configure(http).authorizeRequests()
            .antMatchers("/ume/public/**").permitAll().antMatchers("/ume/api/**").authenticated()
            .antMatchers("/ume/api-scoped/**").hasAuthority("update:ume");

}
@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("/**"));
    configuration.setAllowedMethods(Arrays.asList("/**"));
    configuration.setAllowCredentials(true);
    configuration.addAllowedHeader("Authorization");

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

////////////////////////////////////////////////

Could someone has any advice or clues help me to figure it out, Thanks !

wei_tao · October 30, 2019, 5:24am

Just updated investigation here,

We created an Internet Widgets CA then uploaded into the server trust store , the connection works via the Widgets CA .However it is just temporary solution at this stage for development. The question is still here that how do I upload Auth0 certificates correctly on server trust store or somewhere can be configured to make sure picking up the right certificates for connection to https://custom-domain/.well-known/jwks.json.

Thanks

konrad.sopala · October 30, 2019, 11:59am

Hey there!

Haven’t investigated your topic thoroughly yet but do you think it’s similar to this one?

matt.macadam · November 7, 2019, 4:30pm

Hello,

This isn’t related to the JWK thumbprint issue. This is simply a trust chain issue on your HTTP request to retrieve the JWK.

We use Let’s Encrypt certificates for your custom domain. OpenSSL is probably using your system certificate store, which is why the connection works there. It looks like your Java environment is missing the Let’s Encrypt root certificate.

Should I need to specify the certificate prior to connecting to https://{custom_doman}/.well-known/jwks.json on the server which is web service built by spring framework ?

Yes. Exactly how to do this depends on what you’re using for HTTP connections. If you’re using Spring there should be good documentation on how to specify a root certificate (hopefully it won’t involve using “keytool” because that is always miserable )

konrad.sopala · November 8, 2019, 7:25am

Thanks a lot for providing that info Matt!

wei_tao · November 10, 2019, 10:47pm

Thanks Matt and konrad for you guys response !

I have checked the documents related to spring solution reference here GitHub - auth0/auth0-spring-security-api: Spring Security integration with Auth0 to secure your API with JWTs, there is no mention to specify the certificates . Only requires auth0 issuer (related to domain I think) and apiAudience.

So just doubt something wrong related to custom domain. As I realized we have set up custom domain let’s say it is custom-domain , however when I created a application which will manage M2M web service, the attribute of Domain in the application is automatically set up as default domain ####.auth0.com and grey out . I just think this attribute is supposed to be the custom-domain we set up but there is no way to change it .

Hope it can give us some clues .

Meanwhile we will be checking if it is issue related to root certificate in java run time server (Thank you Matt for your reminder )
anyway we are still in investigating on this issue and will keep update the post until we resolve this issue.

Thanks

Wei

matt.macadam · November 14, 2019, 7:04pm

@wei_tao how is this coming along?

I think our docs assume the runtime has the correct root certs–generally they’re included with the Java installation. If you can let me know what operating system and library you’re using I may be able to point you at the right command to see which root certs are in your trust store (although it’s not always guaranteed those are the same certs that get read at runtime).

wei_tao · November 20, 2019, 11:55pm

Hi Matt,

Our run-time server is provided by SAP JVM equivalent with JAVA 8 , However I can’t expose more specification in the public forum.

Thanks

Topic		Replies	Views
SSL handshake exception Help	4	5398	April 10, 2023
JWKS url no longer accessible from JAVA Help	7	3285	April 26, 2021
Access token fails validation Help	4	6381	January 27, 2019
Problem validating JWT with X509 cert/pubkey from /jwks JWT.io api , certificate , jwt-validation	12	23138	November 8, 2022
Signature verification failed in jwt.decode() Help test , other	1	706	March 24, 2024

Call https://{custom_doman}/.well-known/jwks.json being blocked caused by certificates rejected

Related topics