PKIX path building failed error persists on Oracle JDK

Question

The problem

EDIT: The first version of this question gave the impression that my problem had something to do with Maven. I rephrased to put more focus on the JDK.

I get the sun.security.provider.certpath.SunCertPathBuilderException: PKIX path building failed when trying to contact any SSL-enabled service using Java. Answers to other relevant questions did not stop the error for me.

The error appears both with any Maven task, such as below...

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-clean-plugin:2.5:clean (default-clean) on project foundation-ddl: Execution default-clean of goal org.apache.maven.plugins:maven-clean-plugin:2.5:clean failed: Plugin org.apache.maven.plugins:maven-clean-plugin:2.5 or one of its dependencies could not be resolved: Failed to collect dependencies at org.apache.maven.plugins:maven-clean-plugin:jar:2.5 -> org.apache.maven:maven-plugin-api:jar:2.0.6: Failed to read artifact descriptor for org.apache.maven:maven-plugin-api:jar:2.0.6: Could not transfer artifact org.apache.maven:maven-plugin-api:pom:2.0.6 from/to example (https://example.com/artifactory/repo/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]

...Or if I execute a jar that contacts a SSL service

$ java -jar atlassian-bamboo-agent-installer-5.9.7.jar http://...

INFO   | jvm 1    | 2016/03/09 10:59:21 | 2016-03-09 10:59:21,381 FATAL [WrapperSimpleAppMain] [AgentBootstrap] Exiting due to fatal exception.
INFO   | jvm 1    | 2016/03/09 10:59:21 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at com.atlassian.bamboo.agent.bootstrap.AgentContext.initFingerprint(AgentContext.java:118)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at com.atlassian.bamboo.agent.bootstrap.AgentContext.initServerSession(AgentContext.java:103)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at com.atlassian.bamboo.agent.bootstrap.AgentContext.run(AgentContext.java:94)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at com.atlassian.bamboo.agent.bootstrap.AgentBootstrap.run(AgentBootstrap.java:95)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at com.atlassian.bamboo.agent.bootstrap.AgentBootstrap.main(AgentBootstrap.java:41)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at java.lang.reflect.Method.invoke(Method.java:498)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:240)
INFO   | jvm 1    | 2016/03/09 10:59:21 |   at java.lang.Thread.run(Thread.java:745)
INFO   | jvm 1    | 2016/03/09 10:59:21 | Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What I tried

These answers to: Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
- https://stackoverflow.com/a/9619478/394397
- https://stackoverflow.com/a/12524960/394397
I used InstallCert to visit the hosts on which I get the exception, and I added the certificates to the trust store successfully. To verifiy, IntelliCert prints No errors, certificate is already trusted, but that didn't stop the error.
The fact Step 2 didn't stop the error made me think (in the Maven case) that Maven was using a different truststore. I used the answer to 'How to change maven java home' to make sure Maven was at least using the same Java instance I was thinking about (which is in Oracle JDK 1.8). This didn't change anything, so I'm now looking at the JDK.

The well-known ways to fix this issue don't seem to work. How can I stop the error, fix my JDK and finally use SSL-enabled services again?

I didn't change my JDK version on my system, if that's what you're asking. Are you referring to changing a JDK version in a file somewhere? — Sage Gerard, Mar 08 '16 at 19:45
Yes I was just curious because you mentioned that it use to work before. — Raghu K Nair, Mar 08 '16 at 19:48

score 2 · Accepted Answer · answered Mar 18 '16 at 19:52

2

After futile investigation I ended up purging and reinstalling the JDK, which resolved the issue. The version of the JDK did not change. For those of you reaching this page for this issue via Google, just do that and save yourself the dread.

answered Mar 18 '16 at 19:52

Sage Gerard

1,311
8
29

Same problem here. I guess somehow the JDK certs were not up to date? – Sam Goldberg Jan 28 '21 at 16:20

Raghu K Nair · Answer 2 · 2016-03-09T16:02:43.580

You should check JDK version you are using and install the Intermediate certificates as well as CAs (if it is self signed or internal signed ) into the JDK which maven is using. I think that resolve the problem.

removing ~/.m2/repository should not be the reason. make sure the has not changed the Certificate Recently.

You could even use the following maven options to locate your trust store and keystore.

MAVEN_OPTS="-Xmx512m -Djavax.net.ssl.trustStore=trust.jks \
                     -Djavax.net.ssl.trustStorePassword=  \
                     -Djavax.net.ssl.keyStore=/home/directory/mycertificate.p12 \
                     -Djavax.net.ssl.keyStoreType=pkcs12 \
                     -Djavax.net.ssl.keyStorePassword=XXXXXX"

Please refer to below URL it's good guide for Maven SSL configuration

https://maven.apache.org/guides/mini/guide-repository-ssl.html

Thank you for your contribution, but I have to edit my question due to new information. Also, I see your answer includes code from https://maven.apache.org/guides/mini/guide-repository-ssl.html. Could you please cite this in your answer? — Sage Gerard, Mar 09 '16 at 15:55
Could you try using explicit -Djavax.net.ssl.truststore while running through command line. — Raghu K Nair, Mar 09 '16 at 22:42

PKIX path building failed error persists on Oracle JDK

The problem

What I tried

2 Answers2