1

we are working with Google's recaptch and after importing the corresponding certificate(using java application), we still have the error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We are using JDK_1.7.51 and Tomcat8.

We listed the certificates and can see that the certificate is present and valid, even this we still have the exception mentioned before:

Alias name: google.com Creation date: 7-aug-2017 Entry type: trustedCertEntry

Owner: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US Issuer: C=DE, CN=AXA-DE-Proxy-Issuing-CA17, OU=IF-NDSG, O=AXA Technology Services Germany GmbH Serial number: d21265bf38c9faf8d615fbbf840aaa1fc6959dc5bbff60a48f77e355fa2eac07bccb6c6d

Valid from: Wed Jul 12 14:25:22 CEST 2017 until: Wed Oct 04 13:57:00 CEST 2017

Certificate fingerprints: MD5: 52:73:92:40:38:DF:AB:2B:ED:5B:19:10:00:1D:57:7C SHA1: 76:F8:DC:99:CD:07:F8:81:4F:E5:48:C3:F4:4F:71:46:24:CE:F3:54 SHA256: 9B:72:1F:69:85:4C:AD:20:39:16:D4:7A:12:62:0D:8B:03:EC:8B:2F:E8:FD:40:FA:2E:D2:0E:F3:6A:1F:34:59 Signature algorithm name: SHA256withRSA Version: 3

Could someone help me, please?

DevDio
  • 1,525
  • 1
  • 18
  • 26
Developer
  • 211
  • 4
  • 10
  • Where are you checking? Is it the Tomcat keystore set for SSL or in the JAVA 1.7 keystore? The java 1.7 update seems quite old try ypdating the java version. – Juan Sep 04 '17 at 13:02

1 Answers1

1

Your client sits behind a firewall and does HTTPS-requests through a proxy that is dynamically generating SSL-certificates for the sites being contacted in order to eavsdrop on the data being exchanged. You can see that by the issuer of the "Google-certificate" you're checking:

Issuer: C=DE, CN=AXA-DE-Proxy-Issuing-CA17, OU=IF-NDSG, O=AXA Technology Services Germany

Java has its own root-CA-keystore where standard certificate checks are looking for trusted root CAs and your eavsdropper's root certificate is obviously missing there.

To get rid off this error and let the java client falsely assume that the certificate is signed by a trusted CA, you need to add the CAs root certificate to the root keystore of Java. Another solution is to establish the SSL-connection using your own TrustManager. You do that by using your own SSLContext where you set trust- and keymanagers yourself.

The former needs to be done with every Java installation, the latter works within in the application.

Lothar
  • 5,323
  • 1
  • 11
  • 27
  • Thanks, exactly we had an intermediate certificate generated by the Proxy that was not added to trusted certificates, after adding it, it works. – Developer Sep 08 '17 at 06:50