23

Yet again, the dreary Problem of SSLPeerUnverified, but I'm not using self signed certificates. I try to connect to a host using https. This host has a correct certificate, neither Firefox nor HttpsUrlConnection has any problems with it. However trying to connect using HttpClient, I get the dreaded exception.

Any clues? Or tip where to look closer?

Thanks!

Edit: Debug output

main, handling exception: 

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

main, IOException in getSession(): 

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target
Leos Literak
  • 8,805
  • 19
  • 81
  • 156
JavaJens
  • 360
  • 1
  • 3
  • 14

1 Answers1

40

It seems that you need to import the certificate into the trusted keystore your JVM is using. If you are not using a different trusted keystore in your application this will be "cacerts".

You can follow a step by step guide at "How to Fix 'SSLPeerUnverifiedException: peer not authenticated' Exception in Groovy / Java ".

Short version:

  1. Run the following command, replace $ADDRESS with the URL, minus the "https://":

    echo -n | openssl s_client -connect $ADDRESS:443 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/$ADDRESS.cert

  2. Run the following command, replace $ALIAS a short name for the key, $ADDRESS with the cert name from above, $PATH with the path to cacerts in your JRE.

     sudo keytool -importcert -alias "$ALIAS" -file /tmp/$ADDRESS.cert \
   -keystore $PATH/cacerts -storepass changeit
ElOjcar
  • 301
  • 2
  • 4
  • 12
AlexEvade
  • 579
  • 4
  • 3