A few days ago I noticed my webapp running on GlassFish wasn’t producing any log anymore within Eclipse. After mingling a bit with the log configuration, I finally decided to go for a fresh GlassFish 5 setup, and again I had logging.
However, after a while I again lost my logging. And, although I’m not sure why, it seems that the expiration of SSL certificates turned out to be the cause.
    2018-11-22T16:16:51.803+0100|Severe: The SSL certificate has expired: [
    [
      Version: V3
      Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key: Sun RSA public key, 1024 bits
      modulus: 135786214035069526348186531221551781468391756233528066061569654028671100866720352830303278016129003918213826297308054231261658522889438712013757624116391437358730449661353175673177742307421061340003741057138887918110217006515773038453829253517076741780039735595086881329494037450587568122088113584549069375417
      public exponent: 65537
      Validity: [From: Sat Aug 22 18:41:51 CEST 1998, To: Wed Aug 22 18:41:51 CEST 2018]
      Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
      SerialNumber: [ 35def4cf]
    Certificate Extensions: 7
    [1]: ObjectId: 1.2.840.113533.7.65.0 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0D 30 0B 1B 05 56 33 2E 30 63 03 02 06 C0 ..0...V3.0c....
    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
    0010: 98 90 9F D4 ....
    ]
    ]
    [3]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    [4]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
        [CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US]
Now, to restore your logging, all you need to do is remove the expired certificates from your GlassFish configuration.
Follow these two steps:
- Navigate to your glassfish / domain / config directory.

      cd glassfish5\glassfish\domains\domain1\config

- Find out the ‘alias’ for the expired certificates mentioned in the log.

      keytool -v -list -keystore cacerts.jks

  * The above sample will resolve to ‘equifaxsecureca’.

- Remove the certificate from GlassFish.

      keytool -delete -keystore cacerts.jks -alias equifaxsecureca -storePass changeit

- Restart GlassFish, and observe that your logging is back 🙂
Update 28 July 2019: I currently use the below script to remove outdated certificates from GlassFish & Payara in my Docker scripts:
    RUN cd ${GLASSFISH_HOME}/glassfish/domains/domain1/config/ && \
        for cert in "equifaxsecureca" "gtecybertrustglobalca" "utnuserfirstclientauthemailca" \
            "deutschetelekomrootca2" "secomvalicertclass1ca" "valicertclass2ca" "entrustsslca" \
            "certplusclass2primaryca" "certplusclass3pprimaryca" "utndatacorpsgcca" \
            "utnuserfirstobjectca" "utnuserfirstobjectca [jdk]" "utnuserfirsthardwareca" \
            "cert_45_deutsche_telekom_root_ca_245" "cert_29_certplus_class_2_primary_ca29" \
            "cert_38_deutsche_telekom_root_ca_238" "utnuserfirsthardwareca [jdk]" \
            "certplusclass3pprimaryca [jdk]" "certplusclass2primaryca [jdk]" \
            "utnuserfirstclientauthemailca [jdk]"; \
        do \
            keytool -delete -keystore cacerts.jks -alias "$cert" -storePass changeit || echo "nothing to remove";\
        done
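
Both the manual alias lookup in the steps above and the hard-coded alias list in the Docker snippet can be replaced by reading the expiry dates straight from `keytool -list -v`. The following is an added example, not the author's script: the function names `expired_aliases`, `remove_expired` and `sample_listing` are hypothetical, English-locale keytool output is assumed, and the sample listing is constructed (only the Equifax subject and validity dates come from the log above).

```shell
# Added example, not the author's script. Assumes English-locale keytool output.
# expired_aliases CUTOFF  -- CUTOFF is YYYYMMDD, e.g. "$(date +%Y%m%d)".
# Reads `keytool -list -v` text on stdin and prints each alias whose first
# certificate has an "until:" date before CUTOFF (the time zone is ignored).
expired_aliases() {
    awk -v cutoff="$1" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) month[m[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13) }  # may contain spaces: "x [jdk]"
        /^Valid from: .* until: / && alias != "" {
            sub(/^.* until: /, "")       # leaves "Wed Aug 22 18:41:51 CEST 2018"
            nf = split($0, f, " ")
            ymd = f[nf] * 10000 + month[f[2]] * 100 + f[3]
            if (ymd < cutoff) print alias
            alias = ""                   # skip further certificates in a chain entry
        }'
}

# remove_expired KEYSTORE STOREPASS -- back up the keystore, list the backup,
# then delete every expired alias from the live file.
remove_expired() {
    cp "$1" "$1.bak" || return 1
    keytool -list -v -keystore "$1.bak" -storepass "$2" |
        expired_aliases "$(date +%Y%m%d)" |
        while IFS= read -r a; do
            keytool -delete -keystore "$1" -storepass "$2" -alias "$a" </dev/null
        done
}

# Constructed sample listing; the second entry is made up.
sample_listing() {
    cat <<'EOF'
Alias name: equifaxsecureca
Entry type: trustedCertEntry

Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Valid from: Sat Aug 22 18:41:51 CEST 1998 until: Wed Aug 22 18:41:51 CEST 2018

Alias name: exampleroot [jdk]
Entry type: trustedCertEntry

Owner: CN=Example Root (constructed)
Issuer: CN=Example Root (constructed)
Valid from: Mon Jan 01 00:00:00 CET 2018 until: Sat Jan 01 00:00:00 CET 2050
EOF
}
```

Run `sample_listing | expired_aliases 20181122` to see the check without a keystore; `remove_expired cacerts.jks changeit` applies it in the domain's config directory and leaves `cacerts.jks.bak` behind for rollback.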