I try to get a test running that tests running. As soon as I switch on SSL, I run into the "unable to find valid certification path" error, which is pretty common. My certificate setup is like this: Test Root CA -> Test Sub CA -> {Test Server, Test Client}
So both the server and client certs are signed by the Sub CA. I tried to set up my client and server keystores:
Client-Keystore:
- Client Cert & Key (PKCS12)
Client-Truststore:
- Sub CA Cert
- Root CA Cert
Server-Keystore:
- Server Cert & Key (PKCS12)
I tried all variations: importing only the client/server cert into the keystore, importing the full CA chain... I always run into that error. I activated SSL debugging in Java, but this is still the last error message I can see.
Could you please help me by taking a look at the log file? I split it into two parts due to space limitations. The log up to the first error is the first half; it shows the SSL negotiation and key store handling and the first time the certificate path cannot be found. The rest of the log is the rest.
I believe the SSL handshake and certificate validation are OK. When I manually set the truststore like this
URL trustStoreURL = classLoader.getResource("jsse/client-truststore.jks");
System.setProperty("javax.net.ssl.trustStore", trustStoreURL.getFile());
System.setProperty("javax.net.ssl.trustStorePassword", "password");
the validation works and SSL is fine. Both truststores are identical anyway. But what happens if this is not set? I thought setting this programmatically (see below) should be fine, but somehow I get the feeling another truststore is loaded (cacerts) that somehow breaks validation. I would really like to understand what is going on; I can follow the SSL handshake in the log, but I do not understand why certificate validation fails.
Thank you!
Edit: Java version:
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
Code to configure SSL Context parameters:
private static SSLContextParameters defineClientSSLContextClientParameters() {
    // Client key store: the client certificate and its private key
    KeyStoreParameters ksp = new KeyStoreParameters();
    ksp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/client-keystore.jks").toString());
    ksp.setPassword(PWD);
    KeyManagersParameters kmp = new KeyManagersParameters();
    kmp.setKeyPassword(PWD);
    kmp.setKeyStore(ksp);

    // Client trust store: the CA certificates the client accepts as issuers of the server cert
    KeyStoreParameters tsp = new KeyStoreParameters();
    tsp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/client-truststore.jks").toString());
    tsp.setPassword(PWD);
    TrustManagersParameters tmp = new TrustManagersParameters();
    tmp.setKeyStore(tsp);

    // Server-side settings carried in the same parameter object (client authentication is switched off)
    SSLContextServerParameters scsp = new SSLContextServerParameters();
    //scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name());
    scsp.setClientAuthentication(ClientAuthentication.NONE.name());

    SSLContextParameters sslContextParameters = new SSLContextParameters();
    sslContextParameters.setKeyManagers(kmp);
    sslContextParameters.setTrustManagers(tmp);
    sslContextParameters.setServerParameters(scsp);
    return sslContextParameters;
}
private static SSLContextParameters defineServerSSLContextParameters() {
    // Server key store: the server certificate and its private key
    KeyStoreParameters ksp = new KeyStoreParameters();
    ksp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/server-keystore.jks").toString());
    ksp.setPassword(PWD);
    KeyManagersParameters kmp = new KeyManagersParameters();
    kmp.setKeyPassword(PWD);
    kmp.setKeyStore(ksp);

    // Server trust store: only consulted when client authentication is enabled
    KeyStoreParameters tsp = new KeyStoreParameters();
    tsp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/server-truststore.jks").toString());
    tsp.setPassword(PWD);
    TrustManagersParameters tmp = new TrustManagersParameters();
    tmp.setKeyStore(tsp);

    // Client authentication is switched off for now
    SSLContextServerParameters scsp = new SSLContextServerParameters();
    //scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name());
    scsp.setClientAuthentication(ClientAuthentication.NONE.name());

    SSLContextParameters sslContextParameters = new SSLContextParameters();
    sslContextParameters.setKeyManagers(kmp);
    sslContextParameters.setTrustManagers(tmp);
    sslContextParameters.setServerParameters(scsp);
    return sslContextParameters;
}
Code that configures my test route:
@Override
protected RouteBuilder[] createRouteBuilders() throws Exception {
    RouteBuilder[] rbs = new RouteBuilder[2];

    // A consumer
    rbs[0] = new RouteBuilder() {
        public void configure() {
            // Needed to configure TLS on the client side
            WsComponent wsComponent = (WsComponent) context.getComponent("idsclient");
            wsComponent.setSslContextParameters(defineClientSSLContextClientParameters());

            from("direct:input").routeId("foo")
                .log(">>> Message from direct to WebSocket Client : ${body}")
                .to("idsclient://localhost:9292/echo")
                .log(">>> Message from WebSocket Client to server: ${body}");
        }
    };

    // A provider
    rbs[1] = new RouteBuilder() {
        public void configure() {
            // Needed to configure TLS on the server side
            WebsocketComponent websocketComponent = (WebsocketComponent) context.getComponent("idsserver");
            websocketComponent.setSslContextParameters(defineServerSSLContextParameters());

            // This route is set to use TLS, referring to the parameters set above
            from("idsserver:localhost:9292/echo")
                .log(">>> Message from WebSocket Server to mock: ${body}")
                .to("mock:result");
        }
    };

    return rbs;
}
The test cert for the server side looks like this (taken from the log file):
found key for : server
chain [0] = [
[
Version: V3
Subject: CN=Test Server, OU=MyDepartment, O=MyCompany, L=Munich, ST=Bavaria, C=DE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 19697468346206325338625931027401620685505412743602335229201285324147237256216294710834287613270808792700765169197171367371459991031662084309764776191914171160104989266207613238184784158415975037177065022201531172433794931849866898549526682368884371139417838799836320672154199909478730633522432282118939559532307066108447566990979134741165253612506513491626459651819946324249745973578011579650517987718802720162457248935339641095429277723082345377268006775487733517858798408645354401260091015110745708667097965877142342305591846833532604648462225727819942287641383438004739414038605341137460966856052237012367021734999
public exponent: 65537
Validity: [From: Tue Oct 25 09:37:42 CEST 2016,
To: Thu Oct 25 09:37:42 CEST 2018]
Issuer: CN=Test SubCA 2016, O=Company, C=DE
SerialNumber: [ 01]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A5 55 EC 7E AC F0 98 95 EA 58 D7 BF 43 92 2C 65 .U.......X..C.,e
0010: AA A0 32 73 ..2s
]
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
[4]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
DNSName: 127.0.0.1
]
[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7F 45 12 3E F5 17 F8 EF FF 2F 08 46 25 4B 21 60 .E.>...../.F%K!`
0010: EB FC 1B 4F ...O
]
]
]
Algorithm: [SHA256withRSA]
Signature:
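As an added, stand-alone example (not code from the question, from Camel, or from the WebSocket components), the following program builds the same PKIX trust manager that JSSE builds from a truststore and runs a server certificate chain through it, so the truststore contents can be checked outside the Camel route. It also builds the trust manager with no truststore at all, which is what JSSE does when no truststore is configured: it falls back to `javax.net.ssl.trustStore` and, if that is unset, to the JRE's `jssecacerts`/`cacerts`. The file names, password and the PEM file holding the server chain are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnostic: validate a server chain against a truststore with the same
 * X509TrustManager JSSE uses during the handshake. Added example; the file
 * names and password in main() are assumptions, not values from the question.
 */
public class TrustStoreCheck {

    /** Load a JKS or PKCS12 keystore from disk (type chosen by file extension). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        String type = (path.endsWith(".p12") || path.endsWith(".pfx")) ? "PKCS12" : "JKS";
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Build the trust manager exactly as JSSE does. Passing null makes the
     * factory fall back to javax.net.ssl.trustStore and then to the JRE's
     * jssecacerts/cacerts, i.e. the silent fallback suspected in the question.
     */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // "PKIX"
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    /** Read one or more PEM certificates, leaf first, in the order TLS sends them. */
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Returns null if the chain validates, otherwise the validator's error message. */
    static String validate(X509TrustManager tm, X509Certificate[] chain) {
        try {
            // Same call the client side makes for the server's Certificate message
            // (no hostname check here; that is a separate step in the handshake).
            tm.checkServerTrusted(chain, "RSA");
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: truststore, its password, and the chain the server sends as PEM.
        String trustStorePath = args.length > 0 ? args[0] : "client-truststore.jks";
        char[] password = (args.length > 1 ? args[1] : "password").toCharArray();
        String chainPath = args.length > 2 ? args[2] : "server-chain.pem";

        KeyStore trustStore = loadKeyStore(trustStorePath, password);
        System.out.println("Aliases in " + trustStorePath + ": "
            + Collections.list(trustStore.aliases()));

        X509TrustManager tm = trustManagerFor(trustStore);
        // With PKIX every certificate in the truststore is a trust anchor: the
        // Sub CA must appear here, or be sent by the server, for the leaf to chain.
        System.out.println("Trust anchors seen by the trust manager:");
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            System.out.println("  " + anchor.getSubjectX500Principal());
        }

        X509Certificate[] chain = loadChain(chainPath);
        System.out.println("Chain presented: " + chain.length + " cert(s), leaf issuer "
            + chain[0].getIssuerX500Principal());
        String problem = validate(tm, chain);
        System.out.println(problem == null ? "OK: chain validates against " + trustStorePath
                                           : "REJECTED: " + problem);

        // For comparison: what the JVM trusts when no truststore is configured at all.
        X509TrustManager fallback = trustManagerFor(null);
        System.out.println("Default truststore anchors: " + fallback.getAcceptedIssuers().length
            + ", result there: " + (validate(fallback, chain) == null ? "OK" : "rejected"));
    }
}
```

Two things to read off the output. If the anchor list printed for the file is only the two test CAs but the Camel route still fails, the route is not using that file; the second block of output shows what the default store (usually around a hundred public CAs, none of them the test Sub CA) makes of the same chain, which is exactly the "unable to find valid certification path to requested target" case. If the file itself rejects the chain, the problem is the store contents or the chain the server sends: with the Sub CA missing from the store, the server has to include the Sub CA certificate in its chain so that it can be linked to the root.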