Glassfish no longer logging? It’s probably due to expired certificates!

A few days ago I noticed my webapp running on glassfish wasn’t producing any log anymore within Eclipse. After mingling a bit with the log configuration, I finally decided to go for a fresh glassfish 5 setup, and again I had logging.

However, after a while I again lost my logging. And, although I’m not sure why, it seems that the expiration of SSL certificates turned out to be the cause.

2018-11-22T16:16:51.803+0100|Severe: The SSL certificate has expired: [
[
  Version: V3
  Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key:  Sun RSA public key, 1024 bits
  modulus: 135786214035069526348186531221551781468391756233528066061569654028671100866720352830303278016129003918213826297308054231261658522889438712013757624116391437358730449661353175673177742307421061340003741057138887918110217006515773038453829253517076741780039735595086881329494037450587568122088113584549069375417
  public exponent: 65537
  Validity: [From: Sat Aug 22 18:41:51 CEST 1998,
               To: Wed Aug 22 18:41:51 CEST 2018]
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  SerialNumber: [    35def4cf]
Certificate Extensions: 7
[1]: ObjectId: 1.2.840.113533.7.65.0 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 0D 30 0B 1B 05 56 33   2E 30 63 03 02 06 C0     ..0...V3.0c....
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95   D7 47 D8 23 20 10 4F 33  H.h.+....G.# .O3
0010: 98 90 9F D4                                        ....
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US]

Now, in order to restore your logging, all you need to do is remove the expired certificates from your glassfish configuration.

Follow these steps:

  1. Navigate to your glassfish / domain / config directory.
    cd glassfish5\glassfish\domains\domain1\config
  2. Find out the ‘alias’ for the expired certificates mentioned in the log.
    keytool -v -list -keystore cacerts.jks
    * the above sample will resolve to ‘equifaxsecureca’
  3. Remove the certificate from glassfish
    keytool -delete -keystore cacerts.jks -alias equifaxsecureca -storePass changeit
  4. Restart glassfish, and observe your logging is back 🙂

Update 28 July 2019: I currently use the below script to remove outdated certificates from glassfish & payara in my docker scripts:

RUN			cd ${GLASSFISH_HOME}/glassfish/domains/domain1/config/ && \
			for cert in "equifaxsecureca" "gtecybertrustglobalca" "utnuserfirstclientauthemailca" "deutschetelekomrootca2" "secomvalicertclass1ca" "valicertclass2ca" "entrustsslca" "certplusclass2primaryca" "certplusclass3pprimaryca" "utndatacorpsgcca" "utnuserfirstobjectca" "utnuserfirstobjectca [jdk]" "utnuserfirsthardwareca" "cert_45_deutsche_telekom_root_ca_245" "cert_29_certplus_class_2_primary_ca29" "cert_38_deutsche_telekom_root_ca_238" "utnuserfirsthardwareca [jdk]" "certplusclass3pprimaryca [jdk]" "certplusclass2primaryca [jdk]" "utnuserfirstclientauthemailca [jdk]"; \
			do \
			keytool -delete -keystore cacerts.jks -alias "$cert" -storePass changeit || echo "nothing to remove";\
			done
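
The loop above depends on a hardcoded alias list. As an added example (not part of the original post), the script below derives the expired aliases from `keytool -list -v` output instead, so only certificates that are actually past their "until" date are removed. It assumes English keytool output and compares dates at day granularity; the function names and the second sample entry are made up for illustration.

```shell
#!/bin/sh
# Print aliases whose certificate expired before a cutoff day. Reads English
# `keytool -list -v` output on stdin; $1 = cutoff YYYYMMDD (default: today).
# Time of day and time zone are ignored (day granularity).
expired_aliases() {
    awk -v today="${1:-$(date +%Y%m%d)}" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        # Aliases may contain spaces ("utnuserfirstobjectca [jdk]"), so cut
        # off the 12-character label instead of taking one field.
        /^Alias name: / { alias = substr($0, 13); seen = 0; next }
        /^Valid from: .* until: / {
            # Tail of the line: until: Wed Aug 22 18:41:51 CEST 2018
            notafter = sprintf("%04d%02d%02d", $NF, mon[$(NF - 4)], $(NF - 3))
            if (!seen && mon[$(NF - 4)] && notafter + 0 < today + 0) { print alias; seen = 1 }
        }'
}

# Delete every expired alias; defaults are the file and password used above.
remove_expired() {
    keystore="${1:-cacerts.jks}"; pass="${2:-changeit}"
    LC_ALL=C keytool -list -v -keystore "$keystore" -storepass "$pass" |
        expired_aliases |
        while IFS= read -r alias; do
            # </dev/null keeps keytool from consuming the alias list on stdin
            keytool -delete -keystore "$keystore" -alias "$alias" -storepass "$pass" </dev/null
        done
}

# Constructed sample in the layout of `keytool -list -v` (not real output);
# the first entry reuses the validity dates from the log excerpt above.
sample_listing() {
    cat <<'EOF'
Alias name: equifaxsecureca
Entry type: trustedCertEntry
Valid from: Sat Aug 22 18:41:51 CEST 1998 until: Wed Aug 22 18:41:51 CEST 2018

Alias name: example-valid-ca [jdk]
Entry type: trustedCertEntry
Valid from: Mon Jan 01 00:00:00 CET 2018 until: Fri Jan 01 00:00:00 CET 2038
EOF
}

sample_listing | expired_aliases 20181122   # prints: equifaxsecureca
```

Run `remove_expired` from the domain's config directory; with no arguments it uses `cacerts.jks` and `changeit` as in the steps above.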
