SSL certificates issue with Maven repository

It is reproducible with Java 1.8.0_292
It looks like there is a problem with SSL certificates on Aspose Repository Browser /java/repo/ website.
Instead of returning full Let’s Encrypt cert chain, it returns certificates for repository.containerize.com DNS name, which are irrelevant.

This can be seen by

  1. Scanning website via SSL Server Test: repository.aspose.com (Powered by Qualys SSL Labs)
  2. openssl s_client -showcerts -connect repository.aspose.com:443

Also by testing repo website with SSLPoke.jar utility (GitHub - MichalHecko/SSLPoke: Java tool for testing validity (certificates) of trust stores):
java SSLPoke repository.aspose.com 443

@i4rilu

Thanks for sharing your concern regarding the certificate. We’re investigating the matter and will update you accordingly.

@i4rilu

Thanks for waiting on this. This issue is related to JDK compatibility with Let’s Encrypt SSL certificate:Certificate Compatibility - Let's Encrypt. For older updates of JDK, please use Aspose Maven repo over HTTP. I hope this helps.

Thank you for the answer.
In the link above Let’s Encrypt claims their certificates are compatible with Java 8 >= 8u141
I was testing with Java 8 8u292, which is still the latest Java 8 version at this moment.

I would still think this is because of miss-configured SSL on Aspose Repository Browser /java/repo/ website (missing Let’s Encrypt R3 certificate during the SSL handshake).

@i4rilu

Actually, you’re right about the version. Please let us investigate this matter and we’ll get back to you with an appropriate explanation of this behavior along with a fix.

@i4rilu

We have investigated this matter in detail but couldn’t find any issue at our end. Please see the following details for your reference.

We verified it with two JDKs.

First one was Oracle JDK https://snipboard.io/pi5mlc.jpg
Second one was Corretto JDK https://snipboard.io/H8YlzQ.jpg

For both of these, the latest JDK versions were used. Also, please note that we already have ssl_trusted_certificate chain configured in our Nginx. So we believe that the issue you’re facing is not with the Maven repository. It could be something at your end which might be causing this issue. So we would really appreciate your to further investigate this matter at your end. Thanks.

Everything is working fine now.
Full chain of certificates is being returned from your Nginx server (repository.aspose.com + Let’s Encrypt R3 + Let’s Encrypt X3).
Thank you!

1 Like