
I'm trying to mock Okta (using okta-jwt-helper v0.5.0). Here I need the URL to be like https://someUrl.com, so I'm using the karate-netty FeatureServer with ssl set to true. This is how I'm starting and stopping the server in @BeforeClass and @AfterClass respectively, in the runner:

```java
private static FeatureServer oktaServer;
// in @BeforeClass: third argument true enables SSL
oktaServer = FeatureServer.start(oktaMockFile, 3010, true, null);
// in @AfterClass
oktaServer.stop();
```

The server starts, and the cert.pem and key.pem files are generated in the target folder. But when I try to reach https://localhost:3010/somePath, I get this error:

```
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

I tried using both Karate 0.9.3 and 0.9.6, and I'm using Java 8 (jdk1.8.0_261.jdk) and Maven 3.

Solutions already tried:

  1. I tried adding cert.pem to keytool, but that didn't help, as the certificates would be replaced and regenerated by Karate after every mvn clean install.
  2. I tried adding local_policy.jar and US_export_policy.jar to $JAVA_HOME/jre/lib/security/ but that too didn't help.
  3. I also tried adding http-client and http-core dependencies as suggested to avoid dependency conflicts.

Can someone help me figure out what I am doing wrong, or whether there is any setup required to use FeatureServer with the ssl boolean set to true?

  • if still stuck, follow this process, and make sure you use 1.0.0, we won't support the old versions anymore: https://github.com/intuit/karate/wiki/How-to-Submit-an-Issue – Peter Thomas Mar 17 '21 at 10:53

1 Answer

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

As per the above exception, the server identity is not getting validated by the client. It happens when you don't have the server's root and intermediate certificates in the underlying client's truststore, which is going to be used to verify the server identity.

The following applies when your program is using the Java truststore. By default, Java uses the cacerts truststore, which can usually be found at JAVA_HOME/jre/lib/security/cacerts on Windows OS.

The default password to access that truststore is changeit. Get the root and intermediate certificates and add them to the store using utilities such as keytool.

b.s
  • Or.. the root is already in the trust store, but the server doesn't provide the full certificate chain (with the intermediate & root) - which doesn't allow the client to figure out which root to look up in the trust store. – Stanislav Bashkyrtsev Mar 17 '21 at 10:05
  • Is that required when the server is created using Karate FeatureServer as well, with the ssl boolean as true? Because even if I add certificates to `truststores`, a new built-in self-signed certificate (`cert.pem` & `key.pem`) would be created every time with `mvn clean install`. I have tried adding to cacerts already but that didn't help, as mentioned. – Ipuvi Mishra Mar 17 '21 at 10:30
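
One way to handle a certificate that is regenerated on every build, shown as an added example that is not part of the original thread or of Karate itself: load the freshly generated `cert.pem` into an in-memory truststore at test start instead of importing it into `cacerts`. The class name `MockServerTrust` is hypothetical, the path `target/cert.pem` follows the question's description, and it is an assumption that the client under test uses the JVM default `SSLContext`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class MockServerTrust { // hypothetical helper name

    /** Builds an SSLContext that trusts the JVM's default CAs plus the certificate in certPem. */
    public static SSLContext contextTrusting(Path certPem) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null); // empty in-memory store; cacerts on disk is not modified
        String alg = TrustManagerFactory.getDefaultAlgorithm();

        // Copy the default trust anchors so other HTTPS calls in the test JVM keep working.
        TrustManagerFactory defaults = TrustManagerFactory.getInstance(alg);
        defaults.init((KeyStore) null);
        int i = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    store.setCertificateEntry("default-" + i++, ca);
                }
            }
        }

        // Add the mock server's self-signed certificate as an extra trust anchor.
        try (InputStream in = Files.newInputStream(certPem)) {
            store.setCertificateEntry("karate-mock",
                    CertificateFactory.getInstance("X.509").generateCertificate(in));
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed location: the question says cert.pem is generated in the target folder.
        SSLContext.setDefault(contextTrusting(Paths.get("target", "cert.pem")));
    }
}
```

In a test runner the `setDefault` call would go in `@BeforeClass`, after the server has started and written the file. This only supplies the missing trust anchor; hostname verification stays enabled, so the certificate's subject still has to match the host being called.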