Error connecting to an https URL via a proxy.

Kevin Stembridge

27 Oct, 2018 11:00 PM

Hi Sean,

One of my users, probably the first one to ever try and use it from behind a proxy, is getting an error when trying to connect to my server.

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Full stack trace here:
https://bitbucket.org/mahanaroad/moneyforesight/issues/117/foresigh...

From googling, it looks as though the problem might be that my certificate is not in the cacerts file. (I use a self-signed certificate).

Does this sound familiar? Do you know anything about how this should work? I'm at a bit of a loss.

Cheers,
Kevin

  1. 1 Posted by hleofxquotes on 29 Oct, 2018 03:43 AM

    Kevin,

    I think you have 3 options

    • Get a non self-signed certificate. It is not that expensive anymore. For a free one, check https://letsencrypt.org/. This probably is the best option and the "right" fix.
    • Or modify your code (at the point of making the httpclient call to allow a self-signed certificate). Namely: com.moneyforesight.http.CommonsHttpClientFacade.executePost. Though you have some control here, you are limited to the HttpClient version that comes with MD.
    • Or import your self-certificate into the list of trusted CA. This probably is the most complicated one since you need to figure out how MD starts the JVM to figure out which java command/tool (namely keytool) to use.
  2. 2 Posted by Kevin Stembridg... on 29 Oct, 2018 10:48 PM

    Hi hleofxquotes,

    Thanks for the advice. I'll look into those options.

    Cheers,
    Kevin

  3. Support Staff 3 Posted by Sean Reilly on 31 Oct, 2018 10:10 AM

    Hi Kevin,
    I'd definitely second hleofxquotes' "let's encrypt" suggestion. Moneydance also keeps its own set of CA certs, so it wouldn't be a good idea (or even possible, for signed app bundles) to change that list.

    Thanks,

    Sean Reilly
    Developer, The Infinite Kind
    http://infinitekind.com

  4. 4 Posted by Kevin Stembridg... on 31 Oct, 2018 10:23 AM

    Hi Sean,

    Thanks for getting back to me.

    If I remember correctly, letsencrypt certificates need to be renewed every few months. I guess I could build something into the extension that would retrieve the current certificate.

    I'll have to give it some more thought.

    Cheers,
    Kevin

  5. Support Staff 5 Posted by Sean Reilly on 31 Oct, 2018 03:02 PM

    Hi Kevin,

    You do need to regenerate the certificate every 90 days (I think that's the current time interval) but you wouldn't need to include your certificate in the extension. The letsencrypt CA certificate is included with most https clients which is all the client would need.

    Thanks,
    Sean

  6. 6 Posted by Kevin Stembridg... on 31 Oct, 2018 03:44 PM

    Ah, OK. Good to know.

    Thanks very much.
