
I have three Tomcats running on my system, each Tomcat server deploying an individual WAR file. I'm trying to get the communication between these servers working over HTTPS.

I have used the same certificate for all three services since they are on the same machine. The first two servers run fine.

But my last Tomcat server throws the following error on server startup:

```
com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:131)
    at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:219)
    at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:143)
    at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:110)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
    at com.sun.xml.ws.client.Stub.process(Stub.java:429)
    at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:259)
    at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:296)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:119)
    ... 16 more
```
Nicholas DiPiazza
Togo
  • duplicate with https://stackoverflow.com/questions/4062307/pkix-path-building-failed-unable-to-find-valid-certification-path-to-requested – Bejond Apr 13 '18 at 17:01
  • It's probably worth pointing out that this is a client error, not a server error. That means no amount of tinkering with `conf/server.xml` and Tomcat's TLS configuration will fix this issue for you. The problem is the trust store being used by these outgoing configurations. See the duplicate-question reference provided by @bejond for more information. – Christopher Schultz Apr 15 '18 at 21:18

1 Answer

The error indicates that you don't have your certificate in the jdk/jre/lib/security/cacerts file.

Follow these steps; hope this will be helpful to you.

1. Fire the command:

   ```
   keytool -list -v -keystore jdk/jre/lib/security/cacerts > java_cacerts.txt
   ```

   All cacerts certificates will be exported into the java_cacerts.txt file.

2. Take a look at java_cacerts.txt. See if it includes the same certificate that is present in the browser by searching for a matching serial number. In the java_cacerts.txt file, the serial number will be in lowercase and without the ":" colon character. If it is not present, then this could be the reason for the error, and we can fix this by adding the certificate found in the browser.

3. Back in the browser, export the Root CA. Choose the "X.509 Certificate (DER)" type, so the exported file has a .der extension.

   Assuming the file is called example.der, pick the alias 'example' for this certificate. Next, import the file.

4. Run:

   ```
   keytool -import -alias example -keystore jdk/jre/lib/security/cacerts -file example.der
   ```

   This command prompts you for a password; the default password is changeit.

5. Dump the contents again to verify it contains your new certificate. Restart the JVM.

6. Also check whether the certificate in the cacerts file matches your keystore file.

Abhijeet Kale
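Step 2 of the answer above is easy to get wrong by hand: a browser shows a serial as `00:1A:2B:3C` (uppercase, colon-separated, sometimes with a leading zero byte), while `keytool -list -v` prints it as a lowercase hex integer with no separators and no leading zeros. The following script, added here as an example and not part of the answer or the asker's setup, parses the dump produced by `keytool -list -v` and looks up a browser-style serial in it. The keytool output it works on is a constructed sample (the aliases, subjects and serials are invented), and the field names it matches (`Alias name:`, `Owner:`, `Serial number:`, `Entry type:`) are the ones keytool prints for trusted certificate entries.

```python
import re

# Constructed sample of `keytool -list -v -keystore cacerts` output.
# The entries, subjects and serials are invented for this example.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: example
Creation date: Apr 13, 2018
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Org, C=US
Issuer: CN=Example Root CA, O=Example Org, C=US
Serial number: 1a2b3c
Valid from: Fri Apr 13 00:00:00 UTC 2018 until: Mon Apr 13 00:00:00 UTC 2028
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
\t SHA256: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
Signature algorithm name: SHA256withRSA
Version: 3


*******************************************
*******************************************


Alias name: otherca
Creation date: Jan 2, 2017
Entry type: trustedCertEntry

Owner: CN=Other Root CA, O=Other Org, C=DE
Issuer: CN=Other Root CA, O=Other Org, C=DE
Serial number: 7f00deadbeef
Valid from: Mon Jan 2 00:00:00 UTC 2017 until: Thu Jan 2 00:00:00 UTC 2027
Signature algorithm name: SHA256withRSA
Version: 3
"""

# Fields recorded per entry. For a PrivateKeyEntry keytool prints one
# Owner/Serial block per certificate in the chain; only the first one
# (the leaf) is kept, which is enough for a "is it in there?" check.
FIELD_PATTERNS = {
    "entry_type": re.compile(r"^Entry type:\s*(.+?)\s*$"),
    "owner": re.compile(r"^Owner:\s*(.+?)\s*$"),
    "serial": re.compile(r"^Serial number:\s*([0-9A-Fa-f]+)\s*$"),
}
ALIAS_PATTERN = re.compile(r"^Alias name:\s*(.+?)\s*$")


def normalize_serial(serial):
    """Reduce any display form (browser or keytool) to lowercase hex
    without separators or leading zeros, so the two can be compared."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", serial).lower()
    return digits.lstrip("0") or "0"


def parse_keytool_list(text):
    """Return a list of dicts {alias, entry_type, owner, serial} from the
    text written by `keytool -list -v`."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ALIAS_PATTERN.match(line)
        if m:
            current = {"alias": m.group(1), "entry_type": None,
                       "owner": None, "serial": None}
            entries.append(current)
            continue
        if current is None:
            continue
        for key, pattern in FIELD_PATTERNS.items():
            m = pattern.match(line)
            if m and current[key] is None:
                current[key] = m.group(1)
                break
    return entries


def find_alias_for_serial(entries, browser_serial):
    """Alias of the entry whose serial matches the browser-displayed
    serial, or None if the trust store does not contain it."""
    wanted = normalize_serial(browser_serial)
    for entry in entries:
        if entry["serial"] and normalize_serial(entry["serial"]) == wanted:
            return entry["alias"]
    return None


if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT)
    for serial in ("00:1A:2B:3C", "DE:AD:BE:EF"):
        alias = find_alias_for_serial(entries, serial)
        print(serial, "->", alias if alias else "NOT in trust store")
```

To use it against a real dump, read `java_cacerts.txt` instead of the sample string and pass the serial copied from the browser's certificate viewer. A `None` result means the CA is missing from the trust store the client JVM actually uses, which is the situation the comment above describes: the fix belongs in that client's trust store, not in `conf/server.xml`.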