SSL certificates issue with Maven repository

i4rilu · May 5, 2021, 3:43am

It is reproducible with Java 1.8.0_292
It looks like there is a problem with SSL certificates on Aspose Repository Browser /java/repo/ website.
Instead of returning full Let’s Encrypt cert chain, it returns certificates for repository.containerize.com DNS name, which are irrelevant.

This can be seen by

Scanning website via SSL Server Test: repository.aspose.com (Powered by Qualys SSL Labs)
openssl s_client -showcerts -connect repository.aspose.com:443

Also by testing repo website with SSLPoke.jar utility (GitHub - MichalHecko/SSLPoke: Java tool for testing validity (certificates) of trust stores):
java SSLPoke repository.aspose.com 443

shahzadlatif · May 5, 2021, 7:37am

@i4rilu

Thanks for sharing your concern regarding the certificate. We’re investigating the matter and will update you accordingly.

shahzadlatif · May 12, 2021, 1:42am

@i4rilu

Thanks for waiting on this. This issue is related to JDK compatibility with Let’s Encrypt SSL certificate:Certificate Compatibility - Let's Encrypt. For older updates of JDK, please use Aspose Maven repo over HTTP. I hope this helps.

i4rilu · May 12, 2021, 4:51am

Thank you for the answer.
In the link above Let’s Encrypt claims their certificates are compatible with Java 8 >= 8u141
I was testing with Java 8 8u292, which is still the latest Java 8 version at this moment.

I would still think this is because of miss-configured SSL on Aspose Repository Browser /java/repo/ website (missing Let’s Encrypt R3 certificate during the SSL handshake).

shahzadlatif · May 12, 2021, 10:16am

@i4rilu

Actually, you’re right about the version. Please let us investigate this matter and we’ll get back to you with an appropriate explanation of this behavior along with a fix.

shahzadlatif · May 18, 2021, 4:43am

@i4rilu

We have investigated this matter in detail but couldn’t find any issue at our end. Please see the following details for your reference.

We verified it with two JDKs.

First one was Oracle JDK https://snipboard.io/pi5mlc.jpg
Second one was Corretto JDK https://snipboard.io/H8YlzQ.jpg

For both of these, the latest JDK versions were used. Also, please note that we already have ssl_trusted_certificate chain configured in our Nginx. So we believe that the issue you’re facing is not with the Maven repository. It could be something at your end which might be causing this issue. So we would really appreciate your to further investigate this matter at your end. Thanks.

i4rilu · May 20, 2021, 5:45am

Everything is working fine now.
Full chain of certificates is being returned from your Nginx server (repository.aspose.com + Let’s Encrypt R3 + Let’s Encrypt X3).
Thank you!