After I installed the Ephox Textbox.io editor in IBM Connections 5.5 as described here, everything worked perfectly in Firefox and Internet Explorer. However, opening the editor in Google Chrome displayed the following error message: “The spelling service was not found: (https://server.example.com/ephox-spelling/).”

If you look at a Fiddler trace, you see that the request to “https://server.example.com/ephox-spelling/1/correction” returns an HTTP 500 error.

The SystemOut.log of the server where Ephox spell checking is deployed shows several error messages complaining about untrusted SSL certificates:

[ironbark-akka.actor.default-dispatcher-34] ERROR s.can.client.HttpClientConnection - Aborting encrypted connection to servername.example.com/xxx.xxx.xxx.xxx:443 due to [SSLHandshakeException:General SSLEngine problem] -> [SSLHandshakeException:General SSLEngine problem] -> [m:PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=*************** is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error] -> [CertPathBuilderException:PKIXCertPathBuilderImpl could not build a valid CertPath.] -> [CertPathValidatorException:The certificate issued by CN=*************** is not trusted] -> [CertPathValidatorException:Certificate chaining error]

.....

[ironbark-akka.actor.default-dispatcher-26] ERROR akka.actor.ActorSystemImpl - Error during processing of request HttpRequest(POST,https://servername.example.com/1/correction,List(Host: servername.example.com, Content-Length: 28, Pragma: no-cache, Cache-Control: no-cache, Origin: https://servername.example.com, User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36, Content-Type: application/json, DNT: 1, Referer: https://servername.example.com/wikis/home?lang=en, Accept-Encoding: gzip, deflate, Accept-Language: en, de;q=0.8, Cookie: LtpaToken2=****************; LtpaToken=***********; ROLE_global-moderator=true; ROLE_metrics-report-run=true; ROLE_admin=false; ROLE_mail-user=true; X-IC-Preload=true; JSESSIONID=**************; BAYEUX_BROWSER=b0e4uvkqur88n75uikp8s53pyxw; org.cometd.reload=******************, Surrogate-Capability: WS-ESI="ESI/1.0+", _WS_HAPRT_WLMVERSION: -1, Expect: 100-Continue),HttpEntity(application/json,{"words":[],"language":"en"}),HTTP/1.1)
spray.can.Http$ConnectionException: Aborted
at spray.can.client.HttpHostConnectionSlot.reportDisconnection(HttpHostConnectionSlot.scala:228) ~[spray-can_2.11-1.3.2.jar:na]
at spray.can.client.HttpHostConnectionSlot$$anonfun$connected$1.applyOrElse(HttpHostConnectionSlot.scala:161) ~[spray-can_2.11-1.3.2.jar:na]
at akka.actor.Actor$class.aroundReceive(Actor.scala:465) ~[akka-actor_2.11-2.3.9.jar:na]
at spray.can.client.HttpHostConnectionSlot.aroundReceive(HttpHostConnectionSlot.scala:33) ~[spray-can_2.11-1.3.2.jar:na]
at akka.actor.ActorCell.receiveMessage(ActorCell.scala:516) [akka-actor_2.11-2.3.9.jar:na]
at akka.actor.ActorCell.invoke(ActorCell.scala:487) [akka-actor_2.11-2.3.9.jar:na]
at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:254) [akka-actor_2.11-2.3.9.jar:na]
at akka.dispatch.Mailbox.run(Mailbox.scala:221) [akka-actor_2.11-2.3.9.jar:na]
at akka.dispatch.Mailbox.exec(Mailbox.scala:231) [akka-actor_2.11-2.3.9.jar:na]
at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.pollAndExecAll(ForkJoinPool.java:1253) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1346) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [scala-library-2.11.6.jar:na

Root cause:

The server used SSL certificates whose root and intermediate certificates were not present in the default Java trust store of the WebSphere Java SDK. I needed to manually add both the root and the intermediate certificate to this trust store (you have probably already added these certificates to the WebSphere Cell Default Truststore, but this is a different trust store!).

To do that, run the following commands on all WebSphere Application Server nodes (adapt the names and paths of your certificate files):

cd /opt/IBM/WebSphere/AppServer/java/jre/lib/security
../../bin/keytool -import -trustcacerts -alias StartSSL_Root -file /opt/INSTALL/SSL/root.crt -keystore cacerts -storepass changeit -noprompt
../../bin/keytool -import -trustcacerts -alias StartSSL_SubClass2Server -file /opt/INSTALL/SSL/sub.class2.server.sha2.ca.crt -keystore cacerts -storepass changeit -noprompt

After you have done that and restarted the WebSphere clusters, your Ephox Textbox.io editor should also work with Google Chrome.
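The imports above use -noprompt, so keytool trusts whatever the file contains without displaying it. A fingerprint-checked, repeatable variant of those commands follows as an added example that is not part of the original post; the function names, the KEYTOOL/STORE/STOREPASS variables and the expected-fingerprint argument are assumptions, and it relies on keytool -printcert printing a "SHA256:" line.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: the function names, the
# KEYTOOL/STORE/STOREPASS variables (defaults follow the paths in the post), and
# that `keytool -printcert` prints a "SHA256:" fingerprint line.
KEYTOOL=${KEYTOOL:-/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool}
STORE=${STORE:-/opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# Normalise a fingerprint: strip colons and whitespace, upper-case the hex.
norm_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of a certificate file, as reported by keytool.
cert_fp() {
    "$KEYTOOL" -printcert -file "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_ca ALIAS FILE EXPECTED_SHA256
# Returns 0 if the alias is in the store afterwards (imported or already there),
# 2 if the file does not match the fingerprint obtained out of band,
# 1 on any other failure. The store is copied to cacerts.bak before any change.
import_ca() {
    ca_alias=$1; ca_file=$2
    want=$(norm_fp "$3")
    got=$(norm_fp "$(cert_fp "$ca_file")")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "REFUSED $ca_alias: fingerprint of $ca_file is '$got'" >&2
        return 2
    fi
    if "$KEYTOOL" -list -alias "$ca_alias" -keystore "$STORE" \
            -storepass "$STOREPASS" >/dev/null 2>&1; then
        echo "SKIP $ca_alias: alias already in $STORE"
        return 0
    fi
    cp -p "$STORE" "$STORE.bak" || return 1
    "$KEYTOOL" -import -trustcacerts -alias "$ca_alias" -file "$ca_file" \
        -keystore "$STORE" -storepass "$STOREPASS" -noprompt || return 1
    # Confirm the entry is really there before reporting success.
    "$KEYTOOL" -list -alias "$ca_alias" -keystore "$STORE" \
        -storepass "$STOREPASS" >/dev/null 2>&1 || return 1
    echo "IMPORTED $ca_alias"
}

# Usage (take the fingerprint from the CA's published value, not from the file):
#   import_ca StartSSL_Root /opt/INSTALL/SSL/root.crt "<published SHA-256 fingerprint>"
```

Run it on every node, once per certificate, and restart the clusters afterwards as described above.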

SSL Certificate Issue with Ephox Textbox.io Editor in IBM Connections 5.5

3 thoughts on “SSL Certificate Issue with Ephox Textbox.io Editor in IBM Connections 5.5”

  • 04.03.2016 at 18:11

    Thanks for documenting this. Worked nicely 🙂 Also, if using Windows then do not assume that “BOOT_DRIVE_LETTER:\opt\ephox\application.conf where BOOT_DRIVE_LETTER is the boot drive for your system” means the C drive. It really means the drive letter that WAS is installed on which in some cases is the D drive. If you set (like me) the wrong drive letter then you will see an error like “spray.can.Http$ConnectionAttemptFailedException: Connection attempt to localhost:8001 failed”

  • 11.05.2016 at 15:24

    @Ben, thanks. Your tip fixed my issue for Chrome & TextBox.IO. Strange to see that this kind of server side configuration can break it for Chrome and that in IE & FF you have no issues.
