Ключевое слово в защите информации
КЛЮЧЕВОЕ СЛОВО
в защите информации
Получить ГОСТ TLS-сертификат для домена (SSL-сертификат)
Добро пожаловать, Гость! Чтобы использовать все возможности Вход или Регистрация.

Уведомление

Icon
Error

Опции
К последнему сообщению К первому непрочитанному
Offline Blair  
#1 Оставлено : 25 ноября 2020 г. 14:48:30(UTC)
Blair

Статус: Новичок

Группы: Участники
Зарегистрирован: 25.11.2020(UTC)
Сообщений: 3
Российская Федерация
Откуда: Москва

При попытке подписать данные пользовательским ключом, сгенерированным УЦ КриптоПро, возникает ошибка:
Ошибка взаимодействия с сервером УСП: 16 Root certificate: sn 278a81a01f7aaedbc418c69a4b26871d6, subject CN=УЦ КРИПТО-ПРО (ГОСТ 2012), O="ООО \"КРИПТО-ПРО\"", L=Москва, ST=Москва, C=RU, EMAILADDRESS=cpca@cryptopro.ru, issuer CN=УЦ КРИПТО-ПРО (ГОСТ 2012), O="ООО \"КРИПТО-ПРО\"", L=Москва, ST=Москва, C=RU, EMAILADDRESS=cpca@cryptopro.ru is untrusted; error codes: [32] 'Root certificate is in the certificate chain but not in cacerts'

Фрагмент консоли лога запуска приложения:
11.19.2020 20:55:12.769 Validating certificate CN=ПАО Банк ЗЕНИТ, C=RU, ST=77 г. Москва, L=Москва, STREET="УЛИЦА ОДЕССКАЯ, ДОМ 2", O=ПАО Банк ЗЕНИТ, OID.1.2.643.100.1=#120D31303237373339303536393237, OID.1.2.643.3.131.1.1=#120C303037373239343035383732
11.19.2020 20:55:12.769
ru.id_sys.ds_server.exception.DataProcessingException: ru.id_sys.ds_server.exception.SystemException: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

root@USP-SRV:/opt/usp#
root@USP-SRV:/opt/usp# java -jar ds_server_2.jar stop
11.19.2020 21:22:57.089 Application properties was loaded successfully
ноя 19, 2020 9:22:57 PM ru.CryptoPro.JCSP.MSCAPI.cl_6 enumInstalledProviders
INFO: Provider with type 24 not found.
ноя 19, 2020 9:22:57 PM ru.CryptoPro.JCSP.MSCAPI.cl_6 enumInstalledProviders
INFO: Provider with type 24 not found.
11.19.2020 21:22:57.894 SmevTransformSpi has been initialized
11.19.2020 21:22:57.896 Certificate validator of class DefaultCertValidator instantiated
11.19.2020 21:22:57.911
java.net.BindException: Адрес уже используется
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:433)
at sun.nio.ch.Net.bind(Net.java:425)
at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:220)
at java.nio.channels.ServerSocketChannel.bind(ServerSocketChannel.java:157)
at ru.id_sys.ds_server.socket_exchange.DSServerReceiver.run(DSServerReceiver.java:66)
at java.lang.Thread.run(Thread.java:748)

Результат выполнения команды: keytool –list -v –keystore /usr/lib/jvm/java-8-gosjava-amd64/jre/lib/security/cacerts -storepass changeit | grep -i alias

root@USP-SRV:/opt/usp# keytool -list -v -keystore /usr/lib/jvm/java-8-gosjava-amd64/jre/lib/security/cacerts -storepass changeit | grep -i alias
ноя 20, 2020 7:50:51 PM ru.CryptoPro.JCSP.MSCAPI.cl_6 enumInstalledProviders
INFO: Provider with type 24 not found.
ноя 20, 2020 7:50:51 PM ru.CryptoPro.JCSP.MSCAPI.cl_6 enumInstalledProviders
INFO: Provider with type 24 not found.
Alias name: debian:pscprocert.pem
Alias name: debian:buypass_class_3_ca_1.pem
Alias name: debian:chambers_of_commerce_root_-_2008.pem
Alias name: debian:ca_disig_root_r2.pem
Alias name: debian:affirmtrust_premium.pem
Alias name: debian:juur-sk.pem
Alias name: debian:ebg_elektronik_sertifika_hizmet_sağlayıcısı.pem
Alias name: debian:geotrust_universal_ca_2.pem
Alias name: debian:swisscom_root_ev_ca_2.pem
Alias name: debian:applicationca_-_japanese_government.pem
Alias name: debian:accvraiz1.pem
Alias name: debian:security_communication_rootca2.pem
Alias name: debian:swisscom_root_ca_2.pem
Alias name: debian:secure_global_ca.pem
Alias name: debian:xramp_global_ca_root.pem
Alias name: debian:camerfirma_chambers_of_commerce_root.pem
Alias name: debian:turktrust_certificate_services_provider_root_2007.pem
Alias name: debian:thawte_primary_root_ca_-_g2.pem
Alias name: debian:a-trust-nqual-03.pem
Alias name: debian:certum_root_ca.pem
Alias name: debian:netlock_notary_=class_a=_root.pem
Alias name: debian:acedicom_root.pem
Alias name: debian:certsign_root_ca.pem
Alias name: debian:verisign_class_2_public_primary_certification_authority_-_g3.pem
Alias name: debian:go_daddy_root_certificate_authority_-_g2.pem
Alias name: debian:tübi̇tak_uekae_kök_sertifika_hizmet_sağlayıcısı_-_sürüm_3.pem
Alias name: debian:verisign_class_3_public_primary_certification_authority_2.pem
Alias name: debian:global_chambersign_root_-_2008.pem
Alias name: debian:thawte_premium_server_ca.pem
Alias name: debian:root_ca_generalitat_valenciana.pem
Alias name: debian:entrust.net_secure_server_ca.pem
Alias name: debian:addtrust_public_services_root.pem
Alias name: debian:tc_trustcenter_class_2_ca_ii.pem
Alias name: debian:comodo_aaa_services_root.pem
Alias name: debian:geotrust_primary_certification_authority_-_g3.pem
Alias name: debian:cacert.org.pem
Alias name: debian:globalsign_root_ca_-_r3.pem
Alias name: debian:turktrust_certificate_services_provider_root_1.pem
Alias name: debian:ca_disig.pem
Alias name: debian:buypass_class_3_root_ca.pem
Alias name: debian:e-tugra_certification_authority.pem
Alias name: debian:igc_a.pem
Alias name: debian:verisign_class_1_public_primary_certification_authority.pem
Alias name: debian:comodo_trusted_services_root.pem
Alias name: debian:rsa_security_2048_v3.pem
Alias name: debian:comodo_certification_authority.pem
Alias name: debian:addtrust_external_root.pem
Alias name: debian:certum_trusted_network_ca.pem
Alias name: debian:comodo_secure_services_root.pem
Alias name: debian:tc_trustcenter_class_3_ca_ii.pem
Alias name: debian:verisign_class_3_public_primary_certification_authority_-_g4.pem
Alias name: debian:baltimore_cybertrust_root.pem
Alias name: debian:staat_der_nederlanden_root_ca_-_g2.pem
Alias name: debian:equifax_secure_global_ebusiness_ca.pem
Alias name: cryptopro_users
Alias name: debian:rsa_root_certificate_1.pem
Alias name: debian:ca_disig_root_r1.pem
Alias name: debian:ee_certification_centre_root_ca.pem
Alias name: debian:verisign_universal_root_certification_authority.pem
Alias name: debian:securetrust_ca.pem
Alias name: debian:ac_raíz_certicámara_s.a..pem
Alias name: debian:gte_cybertrust_global_root.pem
Alias name: debian:quovadis_root_ca_3.pem
Alias name: debian:wellssecure_public_root_certificate_authority.pem
Alias name: debian:digicert_assured_id_root_ca.pem
Alias name: debian:epki_root_certification_authority.pem
Alias name: debian:swisscom_root_ca_1.pem
Alias name: debian:security_communication_root_ca.pem
Alias name: debian:digital_signature_trust_co._global_ca_1.pem
Alias name: debian:cybertrust_global_root.pem
Alias name: debian:verisign_class_3_public_primary_certification_authority.pem
Alias name: testrtk
Alias name: debian:comsign_secured_ca.pem
Alias name: debian:verisign_class_2_public_primary_certification_authority_-_g2.pem
Alias name: debian:geotrust_universal_ca.pem
Alias name: cryptopro_root
Alias name: debian:go_daddy_class_2_ca.pem
Alias name: debian:d-trust_root_class_3_ca_2_2009.pem
Alias name: debian:spi-ca-2003.pem
Alias name: debian:geotrust_primary_certification_authority_-_g2.pem
Alias name: debian:oiste_wisekey_global_root_ga_ca.pem
Alias name: debian:swisssign_silver_ca_-_g2.pem
Alias name: debian:globalsign_root_ca_-_r2.pem
Alias name: testsmev
Alias name: debian:addtrust_qualified_certificates_root.pem
Alias name: debian:cnnic_root.pem
Alias name: debian:deutsche_telekom_root_ca_2.pem
Alias name: debian:affirmtrust_commercial.pem
Alias name: debian:valicert_class_1_va.pem
Alias name: debian:equifax_secure_ebusiness_ca_1.pem
Alias name: cryptopro
Alias name: debian:utn_datacorp_sgc_root_ca.pem
Alias name: debian:tdc_internet_root_ca.pem
Alias name: debian:certinomis_-_autorité_racine.pem
Alias name: debian:netlock_qualified_=class_qa=_root.pem
Alias name: debian:izenpe.com.pem
Alias name: debian:securesign_rootca11.pem
Alias name: debian:t-telesec_globalroot_class_3.pem
Alias name: debian:verisign_class_3_public_primary_certification_authority_-_g3.pem
Alias name: debian:geotrust_primary_certification_authority.pem
Alias name: debian:ca.pem
Alias name: debian:sg_trust_services_racine.pem
Alias name: debian:startcom_certification_authority_g2.pem
Alias name: debian:sonera_class_1_root_ca.pem
Alias name: debian:startcom_certification_authority_2.pem
Alias name: debian:security_communication_ev_rootca1.pem
Alias name: debian:quovadis_root_ca_2.pem
Alias name: debian:atos_trustedroot_2011.pem
Alias name: debian:digicert_high_assurance_ev_root_ca.pem
Alias name: debian:starfield_root_certificate_authority_-_g2.pem
Alias name: debian:d-trust_root_class_3_ca_2_ev_2009.pem
Alias name: debian:trustis_fps_root_ca.pem
Alias name: debian:starfield_services_root_certificate_authority_-_g2.pem
Alias name: debian:comodo_ecc_certification_authority.pem
Alias name: debian:affirmtrust_premium_ecc.pem
Alias name: debian:swisssign_platinum_ca_-_g2.pem
Alias name: debian:dst_root_ca_x3.pem
Alias name: debian:utn_userfirst_hardware_root_ca.pem
Alias name: debian:starfield_class_2_ca.pem
Alias name: debian:s-trust_authentication_and_encryption_root_ca_2005_pn.pem
Alias name: debian:america_online_root_certification_authority_2.pem
Alias name: debian:china_internet_network_information_center_ev_certificates_root.pem
Alias name: debian:verisign_class_1_public_primary_certification_authority_-_g3.pem
Alias name: debian:teliasonera_root_ca_v1.pem
Alias name: debian:autoridad_de_certificacion_firmaprofesional_cif_a62634068.pem
Alias name: debian:twca_global_root_ca.pem
Alias name: debian:tc_trustcenter_universal_ca_i.pem
Alias name: debian:camerfirma_global_chambersign_root.pem
Alias name: debian:network_solutions_certificate_authority.pem
Alias name: debian:quovadis_root_ca.pem
Alias name: debian:taiwan_grca.pem
Alias name: rootcrpt
Alias name: debian:globalsign_root_ca.pem
Alias name: rootcrpr
Alias name: debian:valicert_class_2_va.pem
Alias name: debian:visa_ecommerce_root.pem
Alias name: debian:ssl-cert-snakeoil.pem
Alias name: debian:addtrust_low-value_services_root.pem
Alias name: debian:comsign_ca.pem
Alias name: debian:entrust_root_certification_authority.pem
Alias name: debian:digital_signature_trust_co._global_ca_3.pem
Alias name: debian:certigna.pem
Alias name: debian:netlock_express_=class_c=_root.pem
Alias name: zenit3
Alias name: zenit2
Alias name: debian:thawte_primary_root_ca_-_g3.pem
Alias name: debian:dst_aces_ca_x6.pem
Alias name: debian:t-telesec_globalroot_class_2.pem
Alias name: debian:buypass_class_2_ca_1.pem
Alias name: debian:hellenic_academic_and_research_institutions_rootca_2011.pem
Alias name: debian:verisign_class_3_public_primary_certification_authority_-_g2.pem
Alias name: debian:affirmtrust_networking.pem
Alias name: debian:spi-cacert-2008.pem
Alias name: debian:microsec_e-szigno_root_ca_2009.pem
Alias name: debian:thawte_primary_root_ca.pem
Alias name: debian:ec-acc.pem
Alias name: debian:netlock_arany_=class_gold=_főtanúsítvány.pem
Alias name: debian:certplus_class_2_primary_ca.pem
Alias name: debian:netlock_business_=class_b=_root.pem
Alias name: debian:entrust.net_premium_2048_secure_server_ca.pem
Alias name: debian:geotrust_global_ca.pem
Alias name: debian:utn_userfirst_email_root_ca.pem
Alias name: debian:twca_root_certification_authority.pem
Alias name: debian:digicert_global_root_ca.pem
Alias name: debian:buypass_class_2_root_ca.pem
Alias name: debian:turktrust_certificate_services_provider_root_2.pem
Alias name: debian:actalis_authentication_root_ca.pem
Alias name: debian:hongkong_post_root_ca_1.pem
Alias name: debian:swisssign_gold_ca_-_g2.pem
Alias name: debian:thawte_server_ca.pem
Alias name: debian:equifax_secure_ca.pem
Alias name: debian:e-guven_kok_elektronik_sertifika_hizmet_saglayicisi.pem
Alias name: debian:staat_der_nederlanden_root_ca.pem
Alias name: debian:geotrust_global_ca_2.pem
Alias name: debian:sonera_class_2_root_ca.pem
Alias name: debian:verisign_class_4_public_primary_certification_authority_-_g3.pem
Alias name: debian:microsec_e-szigno_root_ca.pem
Alias name: debian:startcom_certification_authority.pem
Alias name: debian:america_online_root_certification_authority_1.pem
Alias name: debian:verisign_class_3_public_primary_certification_authority_-_g5.pem
Alias name: debian:verisign_class_1_public_primary_certification_authority_-_g2.pem
root@USP-SRV:/opt/usp#

Не можем понять почему сертификат не проходит проверку.

ОС: Astra Linux SE 1.5 (Smolensk)
JCP: 2.0.40424
КриптоПро Java CSP v.5.0.40424

Отредактировано пользователем 25 ноября 2020 г. 15:25:15(UTC)  | Причина: Не указана

Offline Евгений Афанасьев  
#2 Оставлено : 25 ноября 2020 г. 16:38:26(UTC)
Евгений Афанасьев

Статус: Сотрудник

Группы: Участники
Зарегистрирован: 06.12.2008(UTC)
Сообщений: 3,910
Российская Федерация
Откуда: Крипто-Про

Сказал(а) «Спасибо»: 20 раз
Поблагодарили: 685 раз в 646 постах
Здравствуйте.
Автор: Blair Перейти к цитате
Root certificate: sn 278a81a01f7aaedbc418c69a4b26871d6, subject CN=УЦ КРИПТО-ПРО (ГОСТ 2012), O="ООО \"КРИПТО-ПРО\"", L=Москва, ST=Москва, C=RU, EMAILADDRESS=cpca@cryptopro.ru, issuer CN=УЦ КРИПТО-ПРО (ГОСТ 2012), O="ООО \"КРИПТО-ПРО\"", L=Москва, ST=Москва, C=RU, EMAILADDRESS=cpca@cryptopro.ru is untrusted; error codes: [32] 'Root certificate is in the certificate chain but not in cacerts'

Данный корневой сертификат не установлен в cacerts. Нужно учитывать, что корневой с именем CN=УЦ КРИПТО-ПРО (ГОСТ 2012) может существовать в УЦ не в единственном экземпляре.

RSS Лента  Atom Лента
Пользователи, просматривающие эту тему
Быстрый переход  
Вы не можете создавать новые темы в этом форуме.
Вы не можете отвечать в этом форуме.
Вы не можете удалять Ваши сообщения в этом форуме.
Вы не можете редактировать Ваши сообщения в этом форуме.
Вы не можете создавать опросы в этом форуме.
Вы не можете голосовать в этом форуме.