javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Java / SSL

I was getting this error when trying to write a test case using JWebUnit, which uses HtmlUnit.

8097 [main] ERROR c.g.htmlunit.html.HtmlPage - Error loading JavaScript from [https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js].
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352) ~[na:1.6]
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) ~[httpclient-4.1.2.jar:4.1.2]
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397) ~[httpclient-4.1.2.jar:4.1.2]
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148) ~[httpclient-4.1.2.jar:4.1.2]
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149) ~[httpclient-4.1.2.jar:4.1.2]
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121) ~[httpclient-4.1.2.jar:4.1.2]
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573) ~[httpclient-4.1.2.jar:4.1.2]

This may occur for a number of reasons:

Enable SSL debugging

Set the javax.net.debug=ssl system property.

For example, adding the following to setenv.bat for Tomcat:

set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=ssl

You are using a self-signed certificate

You can import the self-signed certificate into an existing store by using the keytool -import tool.

You are not reusing the existing certificate authorities

By default, creating a new keystore will not reuse the existing list of certificate authorities. You can copy the local cacerts list of authorities and add certificates directly to this keystore; the default keystore password is changeit.

A different certificate is being provided

To export a copy of the SSL certificate provided by a particular URL, use the command openssl s_client -showcerts -connect google.de:443 </dev/null. You can then copy the certificate directly from here into a new certificate file.