
I am getting the exception below.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

I installed the certificates in the following two ways.

  1. Using InstallCert.java "domain.com"
  2. Using Keytool - import.

But I am still getting the above SSL handshake exception from my application.

Is there anything that I need to add for Tomcat as well?

Please help me. We have been working on this for the past two days. Thanks in advance.

Thanks, Harsha.

user3569397
  • How are you connecting to your server? Have you created your own truststore or are you using the JRE cacerts? Could you provide the stack trace? – jMounir Apr 29 '15 at 15:12
  • We are connecting through a REST web service. – user3569397 Apr 29 '15 at 15:38
  • URL postURL = new URL(pfiURL); conn = (HttpsURLConnection) postURL.openConnection(); – user3569397 Apr 29 '15 at 15:40
  • Below is the stack trace: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181) at – user3569397 Apr 29 '15 at 15:41
  • Are you sure that you have added the server certificate to the correct truststore? Make sure that you don't have multiple JREs/JDKs installed on your computer, so you are not confused about which one is used. Verify also that you are not launching the client with its own truststore. – jMounir Apr 29 '15 at 15:53
  • Yes, I have added it to the correct truststore. I checked it by listing all the trusted certificates in both jssecacerts and cacerts. – user3569397 Apr 29 '15 at 16:12
  • I checked it by using keytool -list -v -keystore "%JAVA_HOME/jre/lib/security/cacerts%" > test.txt – user3569397 Apr 29 '15 at 16:13
  • Also, I have installed it in both the cacerts and jssecacerts files. Would it cause any issue if I installed it in both files? – user3569397 Apr 29 '15 at 16:16
  • I'll add a code snippet as a response if it could help. – jMounir Apr 29 '15 at 16:30
  • Thanks a lot for your help. I just deleted the certificates in both of the files, cacerts and jssecacerts, and reinstalled it in only one place. Now it is working fine. Thanks a lot for your help. – user3569397 Apr 29 '15 at 17:56

2 Answers


Check if the certificate is in the Manage Trusted Root Certificates. If you click on the certificate and it says it is not secure, then you need to add it to the Manage Trusted Root Certificates.

Then, if you are using Eclipse or similar to work, you need to put the jssecacerts file (made by InstallCert.java) into %JAVA_HOME%\jdk_version\jre\lib\security and add this to the launch arguments of Eclipse:

-Djavax.net.ssl.trustStore="PATH_TO_jssecacerts"

El0din

Here is a code snippet taken from the post "Using a custom truststore in java as well as the default one". I just removed an additional trust manager that you can add if you want to use your own truststore.

    import java.security.KeyStore;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    public class DefaultTrustStoreExample {
      public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory
            .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // Using null here initialises the TMF with the default trust store
        // (javax.net.ssl.trustStore if set, otherwise jssecacerts, otherwise cacerts).
        tmf.init((KeyStore) null);

        // Get hold of the default trust manager
        X509TrustManager defaultTm = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
          if (tm instanceof X509TrustManager) {
            defaultTm = (X509TrustManager) tm;
            break;
          }
        }
        if (defaultTm == null) {
          throw new IllegalStateException("no X509TrustManager in the default factory");
        }

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { defaultTm }, null);

        // You don't have to set this as the default context,
        // it depends on the library you're using.
        SSLContext.setDefault(sslContext);

        // Not sure that you need this but add it
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext
            .getSocketFactory());
      }
    }

You must connect with this. Otherwise, if your default truststore does not contain the server certificate, you can create your own and load it; see the post I've provided.

You can check whether the server certificate is accepted by calling the function getAcceptedIssuers() of your X509TrustManager "customTm".

Good luck

jMounir
  • By removing the second trust manager you have posted code that accomplishes precisely nothing that wouldn't happen by default. – user207421 Apr 30 '15 at 10:27
  • I know, but I just wanted to show how he can deal with the truststore, so he can modify it or add his own. Another interesting thing is the ability to easily debug the code, so he can display and search the trusted certificates to be sure that he is on the right road. Take a look at my comments on his post; you will understand that I posted this just as support, not as a real response, because code is not readable in comments. – jMounir Apr 30 '15 at 14:15
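The two answers above pull in different directions: the `-Djavax.net.ssl.trustStore` flag replaces the JVM's default store entirely (so every public CA in cacerts disappears unless you imported it too), while jMounir's snippet deliberately drops the second trust manager that would have consulted a custom store. The following is an added example, not code from either answer or from the InstallCert tool: it wires the JVM default trust manager and a custom truststore (such as the jssecacerts file InstallCert writes) into one composite manager, and exposes the `getAcceptedIssuers()` check jMounir mentions so you can confirm the imported CA is really present in the store this JVM loads. The class and method names, the default path `java.home/lib/security/jssecacerts` and the password `changeit` are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example; names are illustrative, not part of the original answers.
public final class CompositeTrustExample {

    // X509TrustManager for a keystore; a null store means the JVM default
    // (javax.net.ssl.trustStore, else jssecacerts, else cacerts).
    static X509TrustManager trustManagerFor(KeyStore store) throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    // Loads a keystore file (JKS or PKCS12, per the JVM default type).
    static KeyStore loadStore(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Accepts a chain if either the primary (JVM default) or the fallback (custom) store does.
    static final class CompositeTrustManager implements X509TrustManager {
        private final X509TrustManager primary;
        private final X509TrustManager fallback;

        CompositeTrustManager(X509TrustManager primary, X509TrustManager fallback) {
            this.primary = primary;
            this.fallback = fallback;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            try {
                primary.checkServerTrusted(chain, authType);
            } catch (CertificateException primaryFailure) {
                try {
                    fallback.checkServerTrusted(chain, authType);
                } catch (CertificateException fallbackFailure) {
                    // Keep both PKIX failures: each store's reason helps when debugging.
                    primaryFailure.addSuppressed(fallbackFailure);
                    throw primaryFailure;
                }
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            try {
                primary.checkClientTrusted(chain, authType);
            } catch (CertificateException e) {
                fallback.checkClientTrusted(chain, authType);
            }
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            for (X509Certificate c : primary.getAcceptedIssuers()) all.add(c);
            for (X509Certificate c : fallback.getAcceptedIssuers()) all.add(c);
            return all.toArray(new X509Certificate[0]);
        }
    }

    // True if some accepted issuer's subject DN contains the fragment, e.g. the CA's CN.
    static boolean trustsIssuerMatching(X509TrustManager tm, String subjectFragment) {
        for (X509Certificate c : tm.getAcceptedIssuers()) {
            if (c.getSubjectX500Principal().getName().contains(subjectFragment)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: java.home/lib/security/jssecacerts, password "changeit".
        String customPath = args.length > 0 ? args[0]
            : System.getProperty("java.home") + "/lib/security/jssecacerts";
        String expectedIssuer = args.length > 1 ? args[1] : "CN=";

        X509TrustManager defaultTm = trustManagerFor(null);
        X509TrustManager customTm = trustManagerFor(loadStore(customPath, "changeit".toCharArray()));
        X509TrustManager composite = new CompositeTrustManager(defaultTm, customTm);

        // Confirm the import landed in a store this JVM reads before blaming the handshake.
        System.out.println("default store issuers: " + defaultTm.getAcceptedIssuers().length);
        System.out.println("custom store issuers:  " + customTm.getAcceptedIssuers().length);
        System.out.println("issuer matching \"" + expectedIssuer + "\": "
            + trustsIssuerMatching(composite, expectedIssuer));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { composite }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Run it as `java CompositeTrustExample /path/to/jssecacerts "CN=My Internal CA"`; if the last line prints `false`, the PKIX error is expected and the import, not the client code, is what needs fixing. Two points from the comment thread are worth keeping in mind: SunJSSE reads `jssecacerts` when it exists and then ignores `cacerts` completely, so a CA imported only into `cacerts` is invisible once a `jssecacerts` file sits beside it, and a `-Djavax.net.ssl.trustStore` flag on the command line overrides both. The composite manager above avoids the usual shortcut of an all-trusting `X509TrustManager`, which would silence the exception by disabling certificate validation altogether.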