Certificate error while getting access token

Question

I'm using the Google API Client Library for Java to retrieve an access token.

Code:

    public static String getAccessToken() throws IOException {
        GoogleCredential googleCredential = GoogleCredential
            .fromStream(new FileInputStream(PATH_JSON_AUTH02))
            .createScoped(Arrays.asList(URL_SCOPE_FCM));
        googleCredential.refreshToken();
        return googleCredential.getAccessToken();
    }

The issue is that the JVM can't find a trusted certificate to make the HTTPS request to Google service. I tried to import all kind of Google's certificate using keytool but still not working.

Exception:

10:03:29,371 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/TesteCertificadoGoogle].[tudo.ApplicationService]] (http--0.0.0.0-8443-2) Servlet.service() for servlet tudo.ApplicationService threw exception: org.jboss.resteasy.spi.UnhandledException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Which certificate should I import?

What is the URL that your application is trying to access ? If you know the URL (maybe **PATH_JSON_AUTH02** ) you can download the certificate using the browser — dj_frunza, Mar 19 '18 at 14:40
The URL is in the Google API code. I think is https://accounts.google.com/o/oauth2/auth. I tried import the certificate from here before, but I will try again. — Bruno Silva, Mar 19 '18 at 14:47
There should be no need for importing the certificate from there. I made a check and the certificate for accessing the URL: **https://accounts.google.com/o/oauth2/auth** is already presented in the Java trust store(cacerts) by default. There has to be another URL for which this error occurs — dj_frunza, Mar 19 '18 at 14:59
@dj_frunza you are right! We were using a custom keystore and not the default(cacerts). As I changed to use the cacerts the request worked!! Thanks for your help. Answer the question so I can mark it as correct. — Bruno Silva, Mar 19 '18 at 15:32
I added this as an answer so that it is easier to be read by anyone else — dj_frunza, Mar 19 '18 at 15:36

score 1 · Accepted Answer · answered Mar 19 '18 at 15:35

1

There should be no need for importing the certificate from there. I made a check and the certificate for accessing the URL: https://accounts.google.com/o/oauth2/auth is already presented in the Java trust store(cacerts) by default. Make sure you are using the default Java trust store(cacerts)

answered Mar 19 '18 at 15:35

dj_frunza

1,553
3
17
28

How can I check which trust store I'm using and how can I change to use the default Java trust store? – DaSch Apr 19 '21 at 12:36
As it can be seen in the following link, there are some JVM options that can be used to specify a different trsust store during JVM startup: https://stackoverflow.com/questions/2642046/is-there-a-way-to-load-a-different-cacerts-than-the-one-specified-in-the-java-ho – dj_frunza Apr 19 '21 at 12:45

Certificate error while getting access token

1 Answers1