Watson Workspace will no longer be available after February 28, 2019.

Trouble with webhook auth

  • Herbert Dürr (Edited)

    The root cause is that the check of certificate chain failed when the webhook was being verified. The problem is that the certificate chain

    • depth=2 C=IL, O="StartCom Ltd.", OU="Secure Digital Certificate Signing", CN="StartCom Certification Authority"
    • depth=1 C=IL, O="StartCom Ltd.", OU="Secure Digital Certificate Signing", CN="StartCom Class 2 Primary Intermediate Server CA"
    • depth=0 C=US, ST="Texas", L="Leander", O="Jared Wallace", CN="www.jared-wallace.com", emailAddress ="***"

    of

    • subject= /C=US/ST=Texas/L=Leander/O=Jared Wallace/CN=www.jared-wallace.com/emailAddress=***
    • issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

    ends in a root certificate StartCom Certification Authority that is not accepted by Java according to JDK-8151958. It is unlikely that this particular root certificate will be added soon as it had problems (please see MOZ-994033 and mozilla.dev.security.policy/BV5X.. for details) which violated Mozilla's certificate security policies. It is also distrusted by Google (please see security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html for details) and has been removed in Debian (please see DEB-744027) and related distributions too.

    The solution is to

    • either get another certificate that is accepted by Java
    • or allow and use a self-signed certificate
  • JARED WALLACE

    Ouch. I was not aware of the controversy. Doubt I can get my money back either :/

    Thanks for the enlightening answer :)
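
One way to confirm the diagnosis in the first comment on the JVM that performs the webhook verification, as an added example that is not part of the original thread or of Watson Workspace: it enumerates the JVM's default trust anchors and checks whether the root DN from the quoted chain (depth=2) is among them. The class and method names are hypothetical; only standard JDK APIs are used.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

public class TrustAnchorCheck {
    // Root DN copied from the depth=2 entry of the chain quoted in the thread.
    static final String DEFAULT_ROOT =
        "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, "
        + "O=StartCom Ltd., C=IL";

    // Collect every CA certificate the JVM's default trust managers accept.
    static List<X509Certificate> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store (cacerts)
        List<X509Certificate> anchors = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return anchors;
    }

    // True if some trust anchor carries exactly this subject DN (canonical comparison).
    static boolean isTrustedRoot(String rootDn, List<X509Certificate> anchors) {
        X500Principal wanted = new X500Principal(rootDn);
        return anchors.stream()
            .anyMatch(ca -> ca.getSubjectX500Principal().equals(wanted));
    }

    public static void main(String[] args) throws Exception {
        String rootDn = args.length > 0 ? args[0] : DEFAULT_ROOT;
        List<X509Certificate> anchors = defaultAnchors();
        System.out.println("JVM default trust anchors: " + anchors.size());
        System.out.println(rootDn);
        System.out.println(isTrustedRoot(rootDn, anchors)
            ? "  -> present in the default trust store"
            : "  -> absent: chains ending in this root fail PKIX path validation");
    }
}
```

Pass a different root DN as the first argument to check a replacement certificate's issuer chain before deploying it.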
