I am facing this problem with PKIX path build failure, this is what I have tried...

  1. I went to the target URL that I am trying to reach

     (eg -> https://localdevchannel.master.info/Gate/CustomerManagement/rest/resources/search)
    

    I clicked on the "LOCK" icon and exported the certificate.

  2. I ran below command...

    keytool -importcert -file sec.cer -storepass changeit -keystore "C:/Program Files/Java/jdk-11.0.2/jdk-11.0.2/lib/security/cacerts" -alias secCert

  3. The certificate got placed successfully. But I am still facing this issue. Please help what did I do wrong?

    javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    
horizon

1 Answer

ok,

You get this exception if your Certificate is expired, or does not exist in your store, or you updated another cacert file, and your java/and/or app is looking/using another.

1- Inspect your cacert file to actually see if the CERT has been added with its alias there.

From inside your JDK/jre/bin, you can find keytool.exe. You can call it like below to read the cacerts file:

    susan@SE-00018098 /c/Program Files/Java/jdk1.7.0_80/jre/bin

    $ keytool.exe -list -keystore ../lib/security/cacerts
    Enter keystore password:
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 92 entries

    digicertassuredidrootca, 2008-apr-16, trustedCertEntry,
    Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
    trustcenterclass2caii, 2008-apr-29, trustedCertEntry,
    Certificate fingerprint (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
    thawtepremiumserverca, 2009-dec-11, trustedCertEntry,
    Certificate fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66
    swisssignplatinumg2ca, 2008-okt-31, trustedCertEntry,

2- If it is, is it expired? Check the date.

3- Confirm whether your app/java runtime is using the cacert file you just updated. (Do you have multiple Java versions installed? What is your Java_home?)

======== Edited

If the certificate exists, and it is not expired, and you are 100% sure it is the right certificate, then probably your application/or container is not looking at the cacert file.

Try the hack below: I consider this as a hack, as you are hardcoding a path that may/not exist when you deploy on a different server.

There are many ways of creating your own truststore and keystore and having those in the app itself, then you can incorporate them in your code, but try it just to see if the rest of the code works.

Set the system property before your https connection code:

    System.setProperty("javax.net.ssl.trustStore", "java_home_path/jre/lib/security/cacerts");

Replace with the correct path to cacerts file and try.

JCompetence
  • Helpful Stack Overflow: https://stackoverflow.com/questions/9619030/resolving-javax-net-ssl-sslhandshakeexception-sun-security-validator-validatore – JCompetence Dec 01 '20 at 14:48
  • I have a Java_home : with path to jdk11 bin. (Hence no occurrence of multiple java version) – horizon Dec 01 '20 at 17:03
  • I tried to open cacert file, not sure why the command was not working. keystore "path" -list was not working. – horizon Dec 01 '20 at 17:03
  • @horizon, I updated the answer. Password is changeit – JCompetence Dec 01 '20 at 18:10
  • I will try this tomorrow, and keep you posted. Did you face anything like this? Just curious? – horizon Dec 01 '20 at 21:57
  • yes @horizon at work, everytime a certificate gets expired mostly :) – JCompetence Dec 02 '20 at 08:12
  • Hello @Susan, I check the keystore, I have entry of cert ---->>> seccert, Dec 1, 2020, trustedCertEntry, Certificate fingerprint (SHA-256): D8:12:E9:D8:C5:8A:70:8C:0E:B0:5B:77:AA:A7:B4:CD:4A:80:4B:52:69:97:0B:FB:C2:D7:F3:77:92:B2:1E:F8 – horizon Dec 02 '20 at 09:12
  • The way how I generated this cer file is that correct? See ultimately I have to reach a URL, where I will send a POST req, so I opened it on my chrome browser and exported the cer using the LOCK icon. – horizon Dec 02 '20 at 09:25
  • Then in this case if you can see the cert is there and is not expired, I suggest you show some code/or explain how your app is doing the https connections towards this website? @horizon – JCompetence Dec 02 '20 at 09:41
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/225415/discussion-between-susan-mustafa-and-horizon). – JCompetence Dec 02 '20 at 14:31
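
The three checks from the answer (is the alias in the store, is it expired, is the runtime reading the file you edited) can be run from inside the same JVM the application uses. The following is an added example, not code from the question or the answer; the class name `TrustStoreCheck` is hypothetical, the alias `seccert` and password `changeit` are taken from the thread, and it assumes Java 9 or later.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Date;

public class TrustStoreCheck {
    // Mirrors the JSSE default lookup order:
    // javax.net.ssl.trustStore property, then jssecacerts, then cacerts.
    static File effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File sec = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(sec, "jssecacerts");
        return jsse.isFile() ? jsse : new File(sec, "cacerts");
    }

    // Colon-separated SHA-256 fingerprint, same layout keytool -list prints.
    static String sha256(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "seccert"; // alias from the question
        String pwProp = System.getProperty("javax.net.ssl.trustStorePassword");
        char[] pw = (pwProp != null ? pwProp : "changeit").toCharArray();
        File store = effectiveTrustStore();
        System.out.println("java.home   = " + System.getProperty("java.home"));
        System.out.println("trust store = " + store.getAbsolutePath());

        KeyStore ks = KeyStore.getInstance(store, pw); // Java 9+: detects JKS vs PKCS12
        System.out.println("entries     = " + ks.size());
        if (!ks.containsAlias(alias)) {
            System.out.println("alias '" + alias + "' is NOT in this store");
            return;
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println("subject     = " + cert.getSubjectX500Principal());
        System.out.println("issuer      = " + cert.getIssuerX500Principal());
        System.out.println("not after   = " + cert.getNotAfter()
                + (cert.getNotAfter().before(new Date()) ? "  (EXPIRED)" : ""));
        System.out.println("SHA-256     = " + sha256(cert));
    }
}
```

Run it with the same `java` executable and `-D` options as the failing application; if the printed trust store path is not the file passed to `keytool -importcert`, the import went into a store this runtime never reads.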