SSL certificate warnings when starting JOSM

[donal.hunt@…]

What steps will reproduce the problem?

1. Start development version of JOSM.

javaws "https://josm.openstreetmap.de/download/josm-latest.jnlp" is the command used.

What is the expected result?

App starts without a warning about certificates.

What happens instead?

App starts with a warning about certificates.

This is the certificates being complained about:

Version 3 
Serial 317007044659422488441888226356033391239720 
Signature Algorithm SHA256withRSA 
Issuer CN=R3, O=Let's Encrypt, C=US 
Validity Validity: [From: Thu May 27 09:36:43 IST 2021,
               To: Wed Aug 25 09:36:43 IST 2021] 
Subject CN=josm.openstreetmap.de 
Signature 0000: 32 03 34 01 AD C2 27 1F   96 9C 81 4B 1D D7 42 D7  2.4...'....K..B.
0010: 47 36 B1 29 82 24 6A EF   71 64 7F AA 14 6F 08 B7  G6.).$j.qd...o..
0020: 18 7A 5C 9F A7 66 F4 CC   1C F6 44 7C 3E A5 CF 54  .z\..f....D.>..T
0030: 6E 51 38 07 31 A4 CF 34   A0 CA 25 8F B5 A7 40 58  nQ8.1..4..%...@X
0040: 16 C7 02 7F AD 11 FD A7   D0 FE 0B 2B 80 5E AA 34  ...........+.^.4
0050: 61 7C 7A 2B B4 9F 0E D1   D4 64 F0 C2 D2 A1 30 A8  a.z+.....d....0.
0060: B4 A6 2B 23 3A 97 22 97   22 2E E5 8B 9C 11 EC E6  ..+#:.".".......
0070: D1 2F 34 2D FC D0 9A 22   83 79 13 DB E7 66 C7 08  ./4-...".y...f..
0080: 4E D2 64 18 C6 23 66 0A   82 77 C4 3E CA 5F 8F 0F  N.d..#f..w.>._..
0090: 67 2E 67 EA 2F AE E9 D6   13 CA 26 4A 81 30 52 C3  g.g./.....&J.0R.
00A0: 40 D4 26 AC 78 91 78 E3   9D AA B8 FE BB 4B 44 EC  @.&.x.x......KD.
00B0: E3 9C FE EE B0 9F F1 EC   67 A9 7C CD AE 10 4D 5A  ........g.....MZ
00C0: 1C 60 90 52 47 71 92 E0   CB 4C 0C E1 4E 8B 12 83  .`.RGq...L..N...
00D0: BF CA 29 BF 05 8E 3D 47   A5 0D 58 76 3F 6F A0 75  ..)...=G..Xv?o.u
00E0: 33 A0 2C 33 23 51 C6 E3   92 6E 3A 31 7E B0 0F 19  3.,3#Q...n:1....
00F0: 06 08 F3 1A DA FD F4 81   A0 45 45 FC 78 1C 77 B6  .........EE.x.w.
 
MD5 Fingerprint 10:2A:49:3F:CB:D5:F9:4E:AF:91:4B:88:75:78:DD:F9 
SHA1 Fingerprint AC:E7:5A:CF:CC:29:3E:D8:63:01:DF:AD:BB:43:33:79:D3:A3:E9:45 



Version 3 
Serial 192961496339968674994309121183282847578 
Signature Algorithm SHA256withRSA 
Issuer CN=ISRG Root X1, O=Internet Security Research Group, C=US 
Validity Validity: [From: Fri Sep 04 01:00:00 IST 2020,
               To: Mon Sep 15 17:00:00 IST 2025] 
Subject CN=R3, O=Let's Encrypt, C=US 
Signature 0000: 85 CA 4E 47 3E A3 F7 85   44 85 BC D5 67 78 B2 98  ..NG>...D...gx..
0010: 63 AD 75 4D 1E 96 3D 33   65 72 54 2D 81 A0 EA C3  c.uM..=3erT-....
0020: ED F8 20 BF 5F CC B7 70   00 B7 6E 3B F6 5E 94 DE  .. ._..p..n;.^..
0030: E4 20 9F A6 EF 8B B2 03   E7 A2 B5 16 3C 91 CE B4  . ..........<...
0040: ED 39 02 E7 7C 25 8A 47   E6 65 6E 3F 46 F4 D9 F0  .9...%.G.en?F...
0050: CE 94 2B EE 54 CE 12 BC   8C 27 4B B8 C1 98 2F A2  ..+.T....'K.../.
0060: AF CD 71 91 4A 08 B7 C8   B8 23 7B 04 2D 08 F9 08  ..q.J....#..-...
0070: 57 3E 83 D9 04 33 0A 47   21 78 09 82 27 C3 2A C8  W>...3.G!x..'.*.
0080: 9B B9 CE 5C F2 64 C8 C0   BE 79 C0 4F 8E 6D 44 0C  ...\.d...y.O.mD.
0090: 5E 92 BB 2E F7 8B 10 E1   E8 1D 44 29 DB 59 20 ED  ^.........D).Y .
00A0: 63 B9 21 F8 12 26 94 93   57 A0 1D 65 04 C1 0A 22  c.!..&..W..e..."
00B0: AE 10 0D 43 97 A1 18 1F   7E E0 E0 86 37 B5 5A B1  ...C........7.Z.
00C0: BD 30 BF 87 6E 2B 2A FF   21 4E 1B 05 C3 F5 18 97  .0..n+*.!N......
00D0: F0 5E AC C3 A5 B8 6A F0   2E BC 3B 33 B9 EE 4B DE  .^....j...;3..K.
00E0: CC FC E4 AF 84 0B 86 3F   C0 55 43 36 F6 68 E1 36  .......?.UC6.h.6
00F0: 17 6A 8E 99 D1 FF A5 40   A7 34 B7 C0 D0 63 39 35  .j.....@.4...c95
0100: 39 75 6E F2 BA 76 C8 93   02 E9 A9 4B 6C 17 CE 0C  9un..v.....Kl...
0110: 02 D9 BD 81 FB 9F B7 68   D4 06 65 B3 82 3D 77 53  .......h..e..=wS
0120: F8 8E 79 03 AD 0A 31 07   75 2A 43 D8 55 97 72 C4  ..y...1.u*C.U.r.
0130: 29 0E F7 C4 5D 4E C8 AE   46 84 30 D7 F2 85 5F 18  )...]N..F.0..._.
0140: A1 79 BB E7 5E 70 8B 07   E1 86 93 C3 B9 8F DC 61  .y..^p.........a
0150: 71 25 2A AF DF ED 25 50   52 68 8B 92 DC E5 D6 B5  q%*...%PRh......
0160: E3 DA 7D D0 87 6C 84 21   31 AE 82 F5 FB B9 AB C8  .....l.!1.......
0170: 89 17 3D E1 4C E5 38 0E   F6 BD 2B BD 96 81 14 EB  ..=.L.8...+.....
0180: D5 DB 3D 20 A7 7E 59 D3   E2 F8 58 F9 5B B8 48 CD  ..= ..Y...X.[.H.
0190: FE 5C 4F 16 29 FE 1E 55   23 AF C8 11 B0 8D EA 7C  .\O.)..U#.......
01A0: 93 90 17 2F FD AC A2 09   47 46 3F F0 E9 B0 B7 FF  .../....GF?.....
01B0: 28 4D 68 32 D6 67 5E 1E   69 A3 93 B8 F5 9D 8B 2F  (Mh2.g^.i....../
01C0: 0B D2 52 43 A6 6F 32 57   65 4D 32 81 DF 38 53 85  ..RC.o2WeM2..8S.
01D0: 5D 7E 5D 66 29 EA B8 DD   E4 95 B5 CD B5 56 12 42  ].]f)........V.B
01E0: CD C4 4E C6 25 38 44 50   6D EC CE 00 55 18 FE E9  ..N.%8DPm...U...
01F0: 49 64 D4 4E CA 97 9C B4   5B C0 73 A8 AB B8 47 C2  Id.N....[.s...G.
 
MD5 Fingerprint E8:29:E6:5D:7C:43:07:D6:FB:C1:3C:17:9E:03:7A:36 
SHA1 Fingerprint A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05 

Please provide any additional information below. Attach a screenshot if possible.

Relative:URL: ^/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2021-05-27 19:45:08 +0200 (Thu, 27 May 2021)
Revision:17915
Build-Date:2021-05-28 01:31:01
URL:https://josm.openstreetmap.de/svn/trunk

Identification: JOSM/1.5 (17915 en) Linux Debian GNU/Linux 10 (buster)
Memory Usage: 405 MB / 3952 MB (153 MB allocated, but free)
Java version: 11.0.11+9-post-Debian-1deb10u1, Debian, OpenJDK 64-Bit Server VM
Look and Feel: com.formdev.flatlaf.FlatLightLaf
Screen: :0.0 1920×1080 (scaling 1.00×1.00) :0.1 2560×1440 (scaling 1.00×1.00) :0.2 1080×1920 (scaling 1.00×1.00)
Maximum Screen Size: 2560×1920
Best cursor sizes: 16×16→16×16, 32×32→32×32
Environment variable LANG: en_IE.UTF-8
System property file.encoding: UTF-8
System property sun.jnu.encoding: UTF-8
Locale info: en_IE
Numbers with default locale: 1234567890 -> 1234567890
Desktop environment: GNOME
Java package: openjdk-11-jre:amd64-11.0.11+9-1~deb10u1
WebStart package: icedtea-netx:all-1.8.4-1
Java ATK Wrapper package: libatk-wrapper-java:all-0.33.3-22
libcommons-compress-java: libcommons-compress-java:all-1.18-2+deb10u1
libcommons-logging-java: libcommons-logging-java:all-1.2-2
fonts-noto: fonts-noto:all-20181227-1
liboauth-signpost-java: liboauth-signpost-java:all-1.2.1.2-2
VM arguments: [--patch-module=java.desktop=/usr/share/icedtea-web/javaws.jar:, --add-reads=java.base=ALL-UNNAMED,java.desktop, --add-reads=java.desktop=ALL-UNNAMED,java.naming, --add-reads=java.naming=ALL-UNNAMED,java.desktop, --add-exports=java.desktop/sun.awt=ALL-UNNAMED,java.desktop, --add-exports=java.desktop/javax.jnlp=ALL-UNNAMED,java.desktop, --add-exports=java.base/com.sun.net.ssl.internal.ssl=ALL-UNNAMED,java.desktop, --add-exports=java.base/sun.net.www.protocol.jar=ALL-UNNAMED,java.desktop, --add-exports=java.base/sun.security.action=ALL-UNNAMED,java.desktop, --add-exports=java.base/sun.security.provider=ALL-UNNAMED,java.desktop, --add-exports=java.base/sun.security.util=ALL-UNNAMED,java.desktop, --add-exports=java.base/sun.security.validator=ALL-UNNAMED,java.desktop, --add-exports=java.base/sun.security.x509=ALL-UNNAMED,java.desktop, --add-exports=java.base/jdk.internal.util.jar=ALL-UNNAMED,java.desktop, --add-exports=java.base/sun.net.www.protocol.http=ALL-UNNAMED,java.desktop, --add-exports=java.desktop/sun.awt.X11=ALL-UNNAMED,java.desktop, --add-exports=java.desktop/sun.applet=ALL-UNNAMED,java.desktop, --add-exports=java.desktop/sun.applet=ALL-UNNAMED,jdk.jsobject, --add-exports=java.naming/com.sun.jndi.toolkit.url=ALL-UNNAMED,java.desktop, -Dicedtea-web.bin.name=javaws, -Dicedtea-web.bin.location=/usr/share/icedtea-web/bin/javaws.sh, -Djava.security.manager, -Djava.security.policy=/etc/icedtea-web/javaws.policy]

Plugins:
+ HouseNumberTaggingTool (35640)
+ Lanes (${version.entry.commit.revision})
+ Mapillary (2.0.0-alpha.5)
+ PicLayer (1.0.1)
+ ShapeTools (1240)
+ apache-commons (35524)
+ apache-http (35589)
+ buildings_tools (35756)
+ ejml (35458)
+ flatlaf (35734)
+ geotools (35458)
+ imagery_offset_db (35640)
+ jaxb (35543)
+ jna (35662)
+ jts (35458)
+ measurement (35640)
+ opendata (35640)
+ terracer (35640)
+ todo (30306)
+ utilsplugin2 (35691)
+ wikipedia (1.1.4)

Tagging presets:
+ https://josm.openstreetmap.de/josmfile?page=Presets/Irishboundaries&zip=1

Map paint styles:
+ https://josm.openstreetmap.de/josmfile?page=Styles/ColorWays&zip=1
+ https://josm.openstreetmap.de/josmfile?page=Styles/SimpleRoofTags&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Direction&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/SimpleBuildingTags&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Building_Levels_Labels&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Enhanced_Lane_and_Road_Attributes&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Lane_and_Road_Attributes&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Highway_Nodes&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/LessObtrusiveNodes&zip=1

[donal.hunt@…]

SSL warning

[donal.hunt@…]

untrusted certificate warning

[donal.hunt@…]

certificate details.

[simon04]

Reproducible on Windows / Java 8:

URL:https://josm.openstreetmap.de/svn/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2021-05-27 19:45:08 +0200 (Thu, 27 May 2021)
Build-Date:2021-05-28 01:31:01
Revision:17915
Relative:URL: ^/trunk

Identification: JOSM/1.5 (17915 de) Windows Server 2019 64-Bit
OS Build number: Windows Server 2019 Standard 1809 (17763)
Memory Usage: 185 MB / 2969 MB (64 MB allocated, but free)
Java version: 1.8.0_252-b09, Oracle Corporation, OpenJDK 64-Bit Server VM
Look and Feel: com.sun.java.swing.plaf.windows.WindowsLookAndFeel
Screen: \Display0 1440×900 (scaling 1.00×1.00)
Maximum Screen Size: 1440×900
Best cursor sizes: 16×16→32×32, 32×32→32×32
System property file.encoding: Cp1252
System property sun.jnu.encoding: Cp1252
Locale info: de_DE
Numbers with default locale: 1234567890 -> 1234567890
VM arguments: [-XX:TieredStopAtLevel=1, -XX:MinHeapFreeRatio=20, -XX:MaxHeapFreeRatio=40, -Ditw.userdata=C:/Users/Simon/AppData/Local/ojdkbuild/java-1.8.0-openjdk-1.8.0.252-2.b09.ojdkbuild.windows.x86_64/webstart/, -Dicedtea-web.bin.name=javaws.exe, -Dicedtea-web.bin.location=C:/Program Files/ojdkbuild/java-1.8.0-openjdk-1.8.0.252-2/webstart/javaws.exe]

[stoecker]

Aaargh. I feared some shit will happen after Let's Encrypt changed the chain again.

[stoecker]

If someone can build me a valid chain based on this and acceptable to Java it would be a great help:

That's what I get with Let's Encrypt:

Certificate chain
 0 s:CN = josm.openstreetmap.de
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIGLzCCBRegAwIBAgISA6OZl/03hA5hvGq93bIvjSIoMA0GCSqGSIb3DQEBCwUA
...
HHe2
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
...
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
...
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

That's what I added to get the chain complete (which seems not to be the right one):

 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
...
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

[stoecker]

Replaced the last one:

 3 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
...
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

Does it work now?

[simon04]

Yes, perfect, thank you! Fixed for my test environment from comment:1.

[stoecker]

P.S. We'll see if similar issues happen with other Let's Encrypt servers or my broken last cert was the problem.