1

After updating the Java version from 1.8.0_231 to 1.8.0_241, I am getting errors related to certificate configuration.

During Spring Boot startup I am setting the keystore and keystore password and making a REST call with the help of RestTemplate provided by the Spring framework.

After invoking the REST service I am getting `sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path error`.

The same code was working fine with JDK 1.8.0_231. Can anyone help me with what's creating the problem?

I configured the keystore and keystore password as shown below:

        // Point JSSE at the client keystore configured in the Spring environment.
        System.setProperty("javax.net.ssl.keyStore", environment.getProperty("javax.net.ssl.keyStore"));
        String pswd = null;
        // The javax.net.ssl.keyStorePassword property holds the path of a file whose first line is the password.
        try (BufferedReader br = new BufferedReader(
                new InputStreamReader(
                        new FileInputStream(environment.getProperty("javax.net.ssl.keyStorePassword")),
                        Charset.defaultCharset()))) {
            pswd = br.readLine();
            if (pswd != null) {
                System.setProperty("javax.net.ssl.keyStorePassword", pswd);
            }
        }

3 Answers

1

If you have Netskope enabled, try killing it in Activity Monitor and running your CLI command. Netskope steers your traffic through Netskope, and your HTTP traffic is attached with Netskope's certificate.

Alex L
0

First check the cacert file in the JDK 1.8.0_231/jre/lib/security directory, and also the one at the same location in the jre directory. First try to copy the security files and paste them into the other version of Java at the above-mentioned location. It should solve the problem.

PythonLearner
0

PKIX path building failed

This means there is an issue with trusting certificates. So the issue is with your trust store. As the problem started after updating your JDK, you were probably using the standard Java truststore called 'cacerts'. You can find this in JDK_HOME/jre/lib/security/cacerts.

Copy this file from your old to your new JDK and test if the issue is resolved. The best solution is to then just copy the certificates you need from the old cacerts to the new one, instead of overwriting it. This is because the new cacerts file will hold new certificates from trusted root parties that won't be in the old one.

I suggest using an application with a UI, something like https://keystore-explorer.org/, to do this. It lets you drag and drop or copy-paste certificates.

  • I am using PKCS (.p12) as my keystore, loading this file from the file system and setting it as the javax.net.ssl.keyStore system property during application startup. In this case, does it actually require modifications to the JDK_HOME/jre/lib/security/cacerts file? I didn't make any changes to cacerts for the older JDK with which it was working fine. – Mohanrao Kolisetti Mar 05 '20 at 10:51
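
The last answer advises copying only the certificates you need from the old cacerts into the new one. As an added example (not code from any of the posters), this Java 8 program lists the certificates that the old truststore holds and the new one lacks, so the entries worth importing can be identified; the class name `CacertsDiff`, the file paths and the use of the default `changeit` password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

// Added example: lists CA certificates trusted by the old cacerts but absent from the new one.
// Usage (paths are assumptions; "changeit" is the JDK default cacerts password):
//   java CacertsDiff /old/jdk/jre/lib/security/cacerts /new/jdk/jre/lib/security/cacerts changeit
public class CacertsDiff {

    // Map SHA-256 fingerprint -> "alias | subject" for every X.509 certificate in the store.
    static Map<String, String> fingerprints(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // "jks" on Java 8
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Map<String, String> result = new TreeMap<>();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(cert.getEncoded())) hex.append(String.format("%02x", b));
            String subject = ((X509Certificate) cert).getSubjectX500Principal().getName();
            result.put(hex.toString(), alias + " | " + subject);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CacertsDiff <old-cacerts> <new-cacerts> <store-password>");
            System.exit(2);
        }
        Map<String, String> oldStore = fingerprints(args[0], args[2].toCharArray());
        Map<String, String> newStore = fingerprints(args[1], args[2].toCharArray());
        // Compare by fingerprint, not alias: aliases are arbitrary labels and can differ between stores.
        oldStore.keySet().removeAll(newStore.keySet());
        oldStore.forEach((fp, label) -> System.out.println("only in old: " + label + "  sha256=" + fp));
        System.out.println(oldStore.size() + " certificate(s) trusted by the old store but not the new one");
    }
}
```

Entries that appear only in the old store and that you recognise as needed (for example an internal or proxy CA) can then be imported into the new cacerts with keytool or KeyStore Explorer, leaving the new JDK's updated roots in place.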