"unable to find valid certification path to requested target", but browser says it's OK

Question

I'm developing a Java application that connects to SOAP services exposed at https://ut.eurodw.eu/ (test environment for European Datawarehouse). I'm working on my development machine, recently reformatted with Windows 8.1. Today, I tried to send them a creation request via SOAP from my program and got this error:

Caused by: javax.xml.ws.WebServiceException: Could not send Message.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
    at com.sun.proxy.$Proxy110.createDeal(Unknown Source)
    at it.csttech.edwin.services.spring.EdwinServiceImpl.createDeal(EdwinServiceImpl.java:102)
    at it.csttech.edwin.consumercredit.data.managers.spring.DealManagerImpl.createEdCode(DealManagerImpl.java:319)
    ... 77 more
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://ut.eurodw.eu/edservices/2.2/DealService.svc: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1339)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1323)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:628)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
    ... 80 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1283)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1239)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1296)
    ... 90 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 108 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 114 more

As you can see by clicking my above link, that's no self-signed certificate, but released by GoDaddy public CA, recognized by my Firefox browser. My Java version is 1.7.0_60-b19. It will be a bad idea to modify the code in order to allow insecure SSL connections.

I'd like instead to ensure that eurodw's certificate is in the trust store. How do I check that? And how do I possibly import a new certificate?

PS I cannot currently test on the server where the final application is deployed: I can only use my own Tomcat installation.

Just figured out that Eurodw has renewed their certificate a few days ago — usr-local-ΕΨΗΕΛΩΝ, Oct 06 '14 at 08:50

score 47 · Accepted Answer · edited May 12 '22 at 08:28

47

The different certificates can be found in the following keystore :

%JAVA_HOME%/jre/lib/security/cacerts

If you want to list the trusted certificates :

keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts

The password is optional to list.

If you want to add an entry :

First, export the certificate to import, let's say it will be c:\cert.crt. The best way to do it is using firefox, right-click on the lock picture in the URL, and after a few clicks, you have an export feature.

Then type :

keytool -import -alias my-cert -file c:\cert.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts

The default password is: changeit

The alias is a user-defined label, choose it wisely, to remember if you need it one day, what it was.

With all this, you should be able to trust the certificate and have everything working again.

edited May 12 '22 at 08:28

Ahmed Ashour

5,179
10
35
56

answered Oct 03 '14 at 16:56

Francois Laroche

819
8
7

4

"%JAVA_HOME%/lib/security/cacerts" (with quotes) works for me. Will have to repeat the task @ customer site until Oracle releases an updated trust-list – usr-local-ΕΨΗΕΛΩΝ Oct 06 '14 at 09:12
you have to add the double quotes as @usr-local said – Chris Sim Oct 04 '16 at 07:47
2

I checked my build.gradle file, and checked what all repositories project was trying to access, opened those URLs in browser and did as mentioned by @Francois, tried it on Ubuntu, restarted Android studio project and it worked. If you are using windows7, to run keytool, you can go to run, type cmd and hit Ctrl+Shift+enter. This will open the command prompt in administrator mode, then look for keytool.exe in java folder. – Ali Ashraf Sep 13 '17 at 07:08
1

What if you don't have permission to "%JAVA_HOME%/lib/security/cacerts" because it's a work computer? – Matt Mar 16 '21 at 18:38

"unable to find valid certification path to requested target", but browser says it's OK

1 Answers1

Linked