I love when a perfectly working application suddenly begins complaining about:
ORA-29024: Certificate validation failure
Last year it took me a while to fix it as I had to figure out how to cope with the absence of a wallet manager on Oracle XE.
Now things were different.
I began searching OTN forums for other poor souls enduring the same hardships but it looks like I was the only one.
Curious to see how often this happens to me.
Well, I don't want to make this story longer than necessary, because initially I was misled by the fact that one of these default trusted certificates was expired and for some reason I thought it was the cause of the problem, but it wasn't.
It turns out that at Oracle.com yesterday someone must have changed the SSL certification authority or whatever it's called and as a result the trusted certificates installed with Oracle 11gR1 don't work any more when accessing servers in the oracle.com domain via HTTPS from within PL/SQL procedures (using UTL_HTTP).
After a while I realized that if I can still access them using Firefox it means that the trusted certificates installed with Firefox must be sufficient.
|Firefox's certificate viewer shows Oracle's certificate chain|
After inspecting the trusted certificate chain being used by clicking on the lock symbol in the address bar of Firefox, I exported each and every certificate in the chain in X.509 format (as single certificates, not the chain) and later I imported them in the wallet using the utility orapki (this action must be carried out on a full fledged Oracle Database Server edition, NOT XE where orapki is not included), starting with the certificate that lies on top and working bottomwards.
orapki wallet add -wallet /etc/oracle/owm -trusted_cert -cert CAroot.cer orapki wallet add -wallet /etc/oracle/owm -trusted_cert -cert COMODO.cer orapki wallet add -wallet /etc/oracle/owm -trusted_cert -cert oracle.com.cer
After updating cwallet.sso and ewallet.p12 and bouncing the database, my services resumed working correctly.
So far so good, in the end it took me just 4 hours to become an improvised "expert" of trusted certificate chains replacements.
Funnily enough, today it looks like the access to www.oracle.com doesn't need anymore HTTPS (I swear yesterday they did!), while forums still do.
I'd love to know what happened yesterday behind the curtains.
See message translations for ORA-29024 and search additional resources.