0

I'm trying to call an API using RestTemplate from a service on server A, with the other service on server B, and I get the error below:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Even when I added this configuration (code below) to the RestTemplate, I still get the same problem.

// Build an SSLContext that trusts only the certificates in the given trust store file
SSLContext sslContext = new SSLContextBuilder()
        .loadTrustMaterial(new File(keystore), trustStorePassword.toCharArray())
        .build();
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
// Use that SSLContext for every HTTPS connection made by this client
HttpClient httpClient = HttpClients.custom()
        .setSSLSocketFactory(socketFactory)
        .build();
HttpComponentsClientHttpRequestFactory factory =
        new HttpComponentsClientHttpRequestFactory(httpClient);
RestTemplate restTemplate = new RestTemplate(factory);

The solution that I found on the net is to export the certificate from Chrome and add it to the JVM trusted certificates. I don't know if this is the right solution because we can change this certificate every 3 months, for example.

And I have some other questions:

  • Does the JVM know all certificate authorities (I think there are billions...)? For example, when I call Google using REST, will the certificate be validated by the JVM using "security/cacerts"?

  • Should I add our certificate to the JVM trusted certificates to fix sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target?

  • Is the validation process not automatic in the SSL mechanism?

Thank you in advance.

M-BNCH

2 Answers

0

As you found out yourself, the JVM is currently not trusting the certificate of your remote server. To solve this you must configure your trust store to trust that remote server.

You could indeed add the direct certificate of the remote server; this should solve your issue.

But as you stated, that certificate might be short-lived. You should instead add the certificate of your certificate authority. This should be available in the key chain presented in Chrome.

Unfortunately, if you are using a self-signed certificate, there is no certificate authority and only the first solution would be available.

Jonatan Cloutier
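The difference between the two options in the answer above (trusting the server certificate directly versus trusting its issuing CA), shown across a certificate renewal. This is an added example, not part of the original answers: the CA name, server name, file names and the `changeit` password are constructed, and `openssl verify` stands in for the JVM's PKIX path check.

```shell
#!/bin/sh
# Constructed demo: the CA name and server name below are made up.

# make_pki DIR: create a private CA in DIR, then issue two 90-day leaf
# certificates for the same server name (the original and its renewal).
make_pki() (
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-internal-ca" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || exit 1
  for n in 1 2; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=service-b.example.internal" \
      -keyout "$d/leaf$n.key" -out "$d/leaf$n.csr" 2>/dev/null || exit 1
    openssl x509 -req -in "$d/leaf$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -set_serial "$n" -days 90 -out "$d/leaf$n.pem" 2>/dev/null || exit 1
  done
)

# trusts ANCHOR CERT: succeeds only if CERT validates against a trust store
# holding just ANCHOR. -partial_chain lets a non-CA certificate act as the
# anchor, which models importing the server certificate itself.
trusts() {
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# import_ca CA_PEM STORE: build a trust store file containing only the CA.
# Skipped when keytool is not installed. "changeit" is a placeholder password.
import_ca() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importcert -noprompt -alias demo-internal-ca -file "$1" \
    -keystore "$2" -storepass changeit >/dev/null 2>&1
}

# rotation_demo DIR: print which trust anchor still works after the renewal.
rotation_demo() {
  make_pki "$1" || return 1
  for anchor in ca leaf1; do
    for cert in leaf1 leaf2; do
      if trusts "$1/$anchor.pem" "$1/$cert.pem"; then r=accepted; else r=rejected; fi
      echo "trust store = $anchor.pem, server presents $cert.pem: $r"
    done
  done
  import_ca "$1/ca.pem" "$1/truststore.jks"
}

rotation_demo "$(mktemp -d)"
```

A trust store holding only `leaf1.pem` rejects the renewed `leaf2.pem`, while the store holding `ca.pem` accepts both, so only the CA import survives rotation.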
0

The validation process is fully automatic, and it rejects your certificate because it knows nothing about it. It is untrusted.

You have two options:

  1. Trust all certificates.
  2. Add the server certificate to the trusted keystore.

Trust all certificates: see "Option 2" here

Add the server certificate to the trusted keystore. Download the certificate:

openssl s_client -connect SERVER_URL:SERVER_PORT 2>/dev/null </dev/null | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.pem

Add the certificate to some keystore:

keytool -import -alias your-server-name -file server.pem -keystore certs.jks -keypass CERT_PASSWORD -storepass STORE_PASSWORD

Here:

  • your-server-name - gives the name to the certificate in the keystore
  • certs.jks - path to the keystore
  • CERT_PASSWORD - defines the password to access the certificate, and
  • STORE_PASSWORD - password to access the keystore

Pak Uula