Nihii Respected Contributor.

SSPR 5032 Error

Hello,

We upgraded our Vault to 4.7.2 and User App 4.7.2, SSPR 4.3.0.5 on RHEL7.6. SSPR works fine if I don't add reCaptcha. But if I use reCaptcha, I am having the following error in the browser:

SSPR 5032


An error occurred while validating CAPTCHA response. Please close your browser and try again. If this error occurs repeatedly contact your help desk.


Catalina.out:

2019-05-06T11:18:08Z, FATAL, servlet.AbstractPwmServlet, {57} unexpected error: 5032 ERROR_CAPTCHA_API_ERROR (unexpected error during reCaptcha API execution: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)) [172.18.87.134]
2019-05-06T11:18:08Z, ERROR, http.PwmResponse, {57} 5032 ERROR_CAPTCHA_API_ERROR (unexpected error during reCaptcha API execution: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)) [172.18.87.134]

Any advice?
Knowledge Partner

Re: SSPR 5032 Error

On 05/06/2019 02:04 PM, ngujjula wrote:
>
> We upgraded our Vault to 4.7.2 and User App 4.7.2, SSPR 4.3.0.5 on
> RHEL7.6. SSPR works fine if I don't add reCaptcha. But if I use


Presumably, if you had customized Java's truststore before, you lost those
changes. Did you copy the truststore from the old system to the new one
(for SSPR in particular)?

> reCaptcha, I am having the following error in the browser
>
> *SSPR 5032
>
> An error occurred while validating CAPTCHA response. Please close your
> browser and try again. If this error occurs repeatedly contact your help
> desk.*
>
> _Catalina.out:
> _
> 2019-05-06T11:18:08Z, FATAL, servlet.AbstractPwmServlet, {57} unexpected
> error: 5032 ERROR_CAPTCHA_API_ERROR (unexpected error during reCaptcha
> API execution: 5057 ERROR_SERVICE_UNREACHABLE (error while making http
> request: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target))
> [172.18.87.134]
> 2019-05-06T11:18:08Z, ERROR, http.PwmResponse, {57} 5032
> ERROR_CAPTCHA_API_ERROR (unexpected error during reCaptcha API
> execution: 5057 ERROR_SERVICE_UNREACHABLE (error while making http
> request: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target))
> [172.18.87.134]


I usually see these errors about "PKIX path build failed" when the server
certificate (in this case perhaps the one for Google since they host the
reCAPTCHA service) cannot be chained back to a trusted root certificate in
the local service's truststore. In your case, that is probably a cacerts
file within a Java runtime, but it could be customized to be something
else. Anyway, that's what it looks like to me. If you use tcpdump to
capture a LAN/wire trace you may see an attempted TLS/SSL handshake cut
short at this point, and that would also give you a good pointer toward
the problem, though you seem to have it narrowed down pretty well already.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Nihii Respected Contributor.

Re: SSPR 5032 Error

From version 4.7.2 we are using tomcat.ks. Probably this is where it cannot verify the certificate.

TCPDUMP:

1033 60.564775 10.**.**.** 172.217.4.68 TLSv1.2 73 Alert (Level: Fatal, Description: Certificate Unknown)
Knowledge Partner

Re: SSPR 5032 Error

Yup, that looks like the alert, and that 172.217.4.68 address resolves to
Google, so this looks like your side telling Google it is not trusted. If
you export the root certificate from there and import it into your
truststore then that may clear things up (with a restart of Apache Tomcat
to apply the change, of course). I created a cert-fetcher tool once upon
a time to get root certificates which may be useful for this:

https://community.microfocus.com/t5/eDirectory-Tips-Information/certfetcher-The-easy-way-to-grab-public-key-certificates-from/ta-p/1774530

There are other ways to get the trusted roots, of course, but that's just
a tool created to try to simplify life by allowing you to just point in
the IP and port and pull a root cert directly.


--
Good luck.

Nihii Respected Contributor.

Re: SSPR 5032 Error

Thanks ab, imported the root certificate into tomcat.ks; this resolved the issue.
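
The diagnosis and fix this thread arrives at, as an added shell example that is not part of any poster's message or of SSPR itself: pick the trust failures out of catalina.out, list the chain the remote side presents, and import a root into the keystore only after its SHA-256 fingerprint matches a value obtained out of band. The function names are hypothetical, KEYSTORE is a placeholder path (the thread names only the file tomcat.ks), and TARGET is an assumed reCAPTCHA verification endpoint.

```shell
#!/bin/sh
# Added example. KEYSTORE is a placeholder path; TARGET is an assumed endpoint.
KEYSTORE="${KEYSTORE:-/path/to/tomcat.ks}"
TARGET="${TARGET:-www.google.com:443}"

# Read catalina.out on stdin. For each line where certificate path validation
# failed, print the SSPR error codes outermost first ("A <- B": A caused by B).
pkix_failures() {
    grep 'PKIX path building failed' |
    while IFS= read -r line; do
        printf '%s\n' "$line" | grep -o '[0-9][0-9]* ERROR_[A-Z_]*' |
            awk '{printf "%s%s", (NR > 1 ? " <- " : ""), $0} END {print ""}'
    done | sort -u
}

# Print the subject/issuer summary of the chain TARGET presents. Servers
# commonly omit the root itself, so the issuer of the last certificate names
# the root that has to be present in KEYSTORE.
show_chain() {
    openssl s_client -connect "$TARGET" -servername "${TARGET%%:*}" \
        </dev/null 2>/dev/null | sed -n '/^Certificate chain/,/^---/p'
}

# Reduce a fingerprint ("sha256 Fingerprint=AB:CD:..." or bare hex) to
# uppercase hex without separators, so differently formatted values compare.
norm_fp() {
    printf '%s' "$1" | sed 's/.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# usage: import_root <alias> <root.pem> <expected-sha256>
# Imports the root only when its fingerprint equals the expected value taken
# from the CA's own repository, not from the connection being debugged.
import_root() {
    actual=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 2
    if [ "$(norm_fp "$actual")" != "$(norm_fp "$3")" ]; then
        echo "fingerprint mismatch, not importing $2" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$1" \
        -file "$2" -keystore "$KEYSTORE"
}

# Typical sequence:
#   pkix_failures < catalina.out
#   show_chain
#   import_root recaptcha-root root.pem "<published SHA-256>"
```

keytool prompts for the keystore password, and Tomcat has to be restarted before SSPR picks up the changed keystore.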