5

I am trying to connect to a URL through my server that requires a certificate. I have imported my Client Authentication Certificate to {JAVA_HOME}/jre/bin/security/cacerts and I have also placed it in the keystore in Jboss/bin and jboss/server/conf/. Then I restarted my server and it is still giving me the following error.

    Caused by: java.io.IOException: Could not transmit message
        at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:265)
        at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:71)
        at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:340)
        at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:290)
        ... 40 more
    Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker after 1 attempt(s)
        at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:249)
        at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:161)
        at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:165)
        at org.jboss.remoting.Client.invoke(Client.java:1724)
        at org.jboss.remoting.Client.invoke(Client.java:629)
        at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:243)
        ... 43 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
        at org.jboss.remoting.transport.http.HTTPClientInvoker.getOutputStream(HTTPClientInvoker.java:1214)
        at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:334)
        at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:231)
        ... 48 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
        ... 62 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
        ... 68 more

I want to ask what I can do to fix it. Do I need to put another one of these in server.xml for this certificate:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
       scheme="https" secure="false" strategy="ms" address="${jboss.bind.address}"
       keystoreFile="${jboss.server.home.dir}/conf/.keystore"
       keystorePass="changeit" sslProtocol="TLS"
       truststoreFile="/usr/lib/jvm/java-6-sun-1.6.0.10/jre/lib/security/cacerts"
       truststorePass="*****"
       SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
       acceptAnyCert="true" clientAuth="want" />

Or am I making any other mistake?

user2367636
  • Why use jSSLutils for this (why accept any cert here)? Why import your client cert into the default `cacerts`? Why specify the truststore with its default value anyway? Is it your server that should require a certificate or the remote server you're trying to access? – Bruno Jul 05 '13 at 15:13
  • What should I be doing to make it work? – user2367636 Jul 05 '13 at 15:38
  • If it's a remote server, your server is a *client*. It's your client code that you need to configure properly. Forget these unusual Connector settings. – Bruno Jul 05 '13 at 15:42
  • No, sorry. I am not sure about the remote server. So, my server is the server through which I am calling this URL, which requires a certificate. I only need the certificate when I make a call to this URL. Now I have to import this certificate somewhere (I am not sure which directory or keystore) so that when I try to access the URL, it can use that certificate and enter the URL, and then I can do what is required from that URL. Right now when it makes a call to the URL, I get the above-mentioned error. Can you please explain where I should import that certificate and any other missing steps? – user2367636 Jul 05 '13 at 15:52
  • Yes, your server is in fact a *client* as far as this connection to the other server is concerned. Check whatever your webapp does. – Bruno Jul 05 '13 at 16:18
  • What do you mean by what my webapp does? And where do I import that certificate? – user2367636 Jul 05 '13 at 16:28
  • What happens here is a client problem. The client is the code running within your server, i.e. the webapp (under one form or another) running within the container. The settings you need to configure have nothing to do with the container, but with the code that makes this connection (whatever uses `org.jboss.ws.core.client`). – Bruno Jul 05 '13 at 16:31
  • Those are working fine, I can see them in my logs. They are making requests and everything, but the certification path is the problem. – user2367636 Jul 05 '13 at 17:21
  • Your client code is obviously not working fine, since it's throwing those exceptions. The most likely cause is that it's not trusting the remote server certificate. – Bruno Jul 05 '13 at 17:27
  • How can I make my certificate trusted or put it in the trusted certification group? Any idea or steps? Thanks – user2367636 Jul 05 '13 at 18:49
  • I have the same problem, does anyone know the solution to this? I put the auth certificate and key in the keystoreFile and I put the international CA and root CA in the truststoreFile, but I have the same error. – grep Jun 03 '14 at 09:31
  • Possible duplicate of [Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target](https://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find) – nurb Feb 12 '19 at 09:28

4 Answers

8

I know you said you already imported the certificate, but take a look at these steps to see if you missed a step somewhere:

Here's an overall summary of how to import certificates to fix the following error:

Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to import certificates

  1. Go to URL in your browser, click on HTTPS certificate chain (little lock symbol next to URL address) to export the certificate
    • Click "more info" > "security" > "show certificate" > "details" > "export..".
    • Save as .der
    • Repeat for any certificates you need to import
  2. Locate $JAVA_HOME/jre/lib/security/cacerts
  3. Import all *.der files into the cacerts file using the following:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
    sudo keytool -import -alias mysiteprod -keystore $JAVA_HOME/jre/lib/security/cacerts -file prod.der
    sudo keytool -import -alias mysitedev -keystore $JAVA_HOME/jre/lib/security/cacerts -file dev.der
    
  4. The default keystore password is 'changeit'

  5. You can view the change that you made with this command that shows the Certificate fingerprint.

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  6. If this doesn't solve the problem, try adding these java options as arguments:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
    -Djavax.net.ssl.trustStorePassword="changeit"
    
Katie
1

I was facing this issue because of the disabled TLSv1.2 protocol. I have solved it by adding TLSv1.2 in the VM arguments. Below are the steps to enable the protocol.

You need to add this line in the VM arguments: `-Dhttps.protocols=TLSv1.1,TLSv1.2`

Go to the Servers tab in Eclipse >> double click on WildFly >> Open launch configuration >> paste the above line at the end of the VM arguments.

Prabjot Singh
0

For SSL web service configuration we must take these steps:

1) Insert the CA certificates into a keystore. You can pass this to the JVM, put it into the JRE security directory, or import into the JRE default keystore.

2) Import the authentication certificate with a key into the keystore (it might be a Java keystore or another one). The keystore can be JKS too, not only PKCS12. I have tested and JKS works well too.

3) Tell the JVM that you need that keystore when starting JBoss. It can be something like this (in my case it looks like this):

> "-Dprogram.name=JBossTools: JBoss 4.0 CLONE OF ESS SERVER" -server
> -Xms256m -Xmx512m -XX:MaxPermSize=256m -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 "-Djava.endorsed.dirs=..\jboss-4.0.2\lib\endorsed"
> "-Djavax.net.ssl.keyStore=../Java/jdk1.6.0_45/jre/lib/security/cacerts"
> "-Djavax.net.ssl.keyStorePassword=changeit"

Also, certificates can be DER encoded or Base64. This means that you might need to convert certificates with OpenSSL etc. Another problem is that sometimes conversion might cause problems, so you can use such a script for easier and more flexible conversions.

grep
-2

If it is a client certificate, then you need to put it in your truststore; if it is a server certificate then it goes in your keystore. Also, in case your certificate has intermediate CA Certificates, you need to add them too.

nneonneo
  • Can you show how you are calling the URL? Post the code on pastebin or somewhere similar. Can not connect http client invoker after 1 attempt - shouldn't it be https? I think how you are invoking is wrong – Rajarshi Goswami Jun 11 '14 at 07:14
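
For the calling side discussed in this thread, the truststore validates the remote server's chain and the keystore holds the certificate and private key the caller presents, and the diagnostic below exercises each separately against a real endpoint. It is an added example, not code from the question or any answer. The class name `TrustCheck`, the argument order and the key password being equal to the store password are assumptions of the example, and it needs Java 7 or later.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Added diagnostic (hypothetical class name). Run with:
//   java TrustCheck host port truststore trustpass [keystore keypass]
public class TrustCheck {
    // Loads a PKCS12 (.p12/.pfx) or JKS store from disk.
    static KeyStore load(String path, char[] pass) throws Exception {
        boolean p12 = path.endsWith(".p12") || path.endsWith(".pfx");
        KeyStore ks = KeyStore.getInstance(p12 ? "PKCS12" : "JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    public static void main(String[] a) throws Exception {
        // Truststore: CA certificates used to validate the REMOTE server's chain.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(a[2], a[3].toCharArray()));
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        // Keystore (optional): OUR certificate and private key, sent only if the server requests one.
        KeyManager[] kms = null;
        if (a.length == 6) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(a[4], a[5].toCharArray()), a[5].toCharArray()); // assumes key pass == store pass
            kms = kmf.getKeyManagers();
        }
        // Print the chain the server presents, then delegate to the real PKIX check.
        X509TrustManager logging = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                for (X509Certificate c : chain)
                    System.out.println("subject=" + c.getSubjectX500Principal() + " issuer=" + c.getIssuerX500Principal());
                pkix.checkServerTrusted(chain, authType); // throws when no path reaches a trusted CA
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                pkix.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, new TrustManager[] { logging }, null);
        // Checks the certification path only; hostname verification is not performed here.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(a[0], Integer.parseInt(a[1]))) {
            s.startHandshake();
            System.out.println("OK: server chain validates against " + a[2]);
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());
        }
    }
}
```

When the output is FAILED with the PKIX message, compare the issuer of the last certificate printed with the CA entries in the truststore passed as the third argument.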