0

Attempting to download https://writing.kemitchell.com/2016/09/21/MIT-License-Line-by-Line.html using code : 

Source.fromURL("https://writing.kemitchell.com/2016/09/21/MIT-License-Line-by-Line.html", "ISO-8859-1").mkString

throws exception :

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

From reading Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target the issue is caused by me using a self signed certificate.

If I download the file using command line tool like 'wget' : wget https://writing.kemitchell.com/2016/09/21/MIT-License-Line-by-Line.html the the page downloads successfully.

Is 'wget' using a certificate utilised and updated by the operating system ?

Why can I download using 'wget' but not using JDK ?

Community
  • 1
  • 1
blue-sky
  • 51,962
  • 152
  • 427
  • 752
  • 2
    That site is NOT using a selfsigned cert, it is using a cert signed/issued by **LetsEncrypt** using Identrust which **wasn't in Oracle Java** if you used that until 8u102, see http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates . Whatever store `wget` uses on your system (which varies) apparently already has it. – dave_thompson_085 Sep 24 '16 at 07:15
  • @dave_thompson_085 the code posted linked question http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates states " need to add the certificate (exported from firefox as .der and put in classpath)" so there not a fully automated method of downloading a file from website ? I've not yet found a site that wget failed to download from so seems wget keeps its store more up to date than java ? – blue-sky Sep 24 '16 at 11:17
  • wget can use several different SSL/TLS implementations which have several different ways of defaulting the truststore which different packages (distros etc) implement differently. We'd need more details about your system to answer about it. It's not too hard to find and trivial to construct sites that use obscure or even bogus CAs that aren't in any major root store (not whichever your wget uses _nor_ Java). For Java ... – dave_thompson_085 Sep 28 '16 at 12:35
  • ... either use Java 8u102 which has the Identrust root, or add it to the cacerts in the JRE you have (no change to programs, but have to repeat when you upgrade Java), or put it in another file and use the `-Djavax.net.ssl.trust*` properties to use it, or code to provide it directly to the TrustManager at runtime. – dave_thompson_085 Sep 28 '16 at 12:37

0 Answers0