3

I am getting below Exception

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have set the SSL certificate in the location

C:\Program Files\AdoptOpenJDK\jdk-11.0.9.11-hotspot\lib\security

keytool -import -keystore cacerts -file C:\Users\test\Desktop\Certificate\oCertificate.cer

But i am getting the above exception while i am hitting the server.

Results i saw I have added the certificate to the Jdk cacerts file but then it worked for two days than again i was getting the same error. I am unable to get it was working i am able to succesfully ping the server than again it is showing the exception.

dhS
  • 3,739
  • 5
  • 26
  • 55

3 Answers3

3

Is the problem you describe that running keytool to import the certificat gives you this error? Please provide the option -trustcacerts and see the documentation about this:

Import a New Trusted Certificate

Before you add the certificate to the keystore, the keytool command verifies it by attempting to construct a chain of trust from that certificate to a self-signed certificate (belonging to a root CA), using trusted certificates that are already available in the keystore.

If the -trustcacerts option was specified, then additional certificates are considered for the chain of trust, namely the certificates in a file named cacerts.

If the keytool command fails to establish a trust path from the certificate to be imported up to a self-signed certificate (either from the keystore or the cacerts file), then the certificate information is printed, and the user is prompted to verify it by comparing the displayed certificate fingerprints with the fingerprints obtained from some other (trusted) source of information, which might be the certificate owner. Be very careful to ensure the certificate is valid before importing it as a trusted certificate. The user then has the option of stopping the import operation. If the -noprompt option is specified, then there is no interaction with the user.

Source: https://docs.oracle.com/en/java/javase/11/tools/keytool.html

Alternatively you may find that keytool is not very user-friendly and you may enjoy other software like: https://keystore-explorer.org/downloads.html more.

Or if the problem is that your (TLS-client, or even TLS-server) software has some certificate issue it might be as jccampanero already suggested that the server might have switched to a different certificate, or for all I know the server may actually be several different servers behind a load-balancer which may not all have the same certificates. (Or maybe you installed some Java update that replaced the default cacerts file?)

In case of problems I highly recommend reading the JSSE-documentation and enabling debug logging with java option -Djavax.net.debug=all or maybe a little less than all like handshake see the Java 11 docs at:

https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-31B7E142-B874-46E9-8DD0-4E18EC0EB2CF

This shows the exact TrustStore your application uses, the certificate(s) that the server offers during the handshake and a lot of other negotiation stuff that is part of the TLS handshake.

If you prefer full control of who you trust to issue certificates you can configure your own truststore instead of the default that can live outside your Java installation with options like:

java -Djavax.net.ssl.trustStore=samplecacerts \
     -Djavax.net.ssl.trustStorePassword=changeit \
     Application

I trust that studying this debug logging should make it straightforward to resolve the issue, if it doesn't please provide us with some of the relevant logging.

JohannesB
  • 2,214
  • 1
  • 11
  • 18
1

The error you reported indicates that your application is unable to establish a trusted SSL connection with the remote peer, because it is unable to find a valid certification path.

Which seems very strange to me is why it worked a few days ago and now it is not: perhaps the server changes the certificate, or maybe your setup change in some way.

The SSL configuration will be highly dependent on the software you are using to connect with the remote server: it can be different if you are using standard Java classes like URLConnection or HttpURLConnection, or libraries like Apache HttpClient or OkHttp, among others. The difference mainly has to do with if that piece of software uses or not Java Secure Socket Extension (JSSE) under the hood.

Assuming that you are using JSSE, in order to successfully configure your trust relationship, you need to properly configure a TrustManager, and more specifically, an X509TrustManager. From the docs:

The primary responsibility of the TrustManager is to determine whether the presented authentication credentials should be trusted.

Basically you can configure this X509TrustManager in two ways.

On on hand, you can create your own implementation. For example:

// This KeyStore contains the different certificates for your server
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(
  new FileInputStream("/path/to/serverpublic.keystore"),
  "yourserverpublickeystorepassword".toCharArray()
);

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // SunX509
tmf.init(keyStore);
TrustManager[] trustManagers = tmf.getTrustManagers();

SSLContext sslContext = SSLContext.getInstance("TLS");
// You can configure your client for mutual authentication 
// and/or provide a SecureRandom also if you wish
sslContext.init(null, trustManagers, null);

Please, consider read this SO question for a complete example.

Or, on the other hand, as you are doing, you can configure the standard TrustManagerFactory properly.

As indicated in the above-mentioned documentation, the standard TrustManagerFactory uses the following process to try to find trust material, in the specified order:

  1. First, you can use the javax.net.ssl.trustStore system property to point to the keystone that contains your trusted server certificates when running the application. If the javax.net.ssl.trustStorePassword system property is also defined, then its value is used to check the integrity of the data in the truststore before opening it.
  2. If the javax.net.ssl.trustStore system property was not specified, then:
  • if the file java-home/lib/security/jssecacerts exists, that file is used;
  • if the file java-home/lib/security/cacerts exists, that file is used;
  • if neither of these files exists, then the SSL cipher suite is anonymous, does not perform any authentication, and thus does not need a truststore.

No matter the chosen mechanism used, you must be sure that the keystore contains all the necessary certificates to trust the remote server, not only the SSL certificate, but all the certificates in the certificate chain.

openssl provides an useful command that allows you to obtain all the certificates used in the SSL connection:

openssl s_client -showcerts -connect google.com:443

Of course, modify the domain as appropriate.

It will output different certificates; be sure to save each of them, including —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–, and include them in your keystore.

This handy utility can probably be of help for this purpose as well: as indicated in the project README, it basically will try to connect to the remote peer and save the necessary certificate information. This related article provides more information about the tool.

jccampanero
  • 50,989
  • 3
  • 20
  • 49
  • I recommend against reimplementing: "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software", see: https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf – JohannesB Apr 06 '21 at 07:41
  • Hi @JohannesB. Thank you very much for the feedback. Please, can you explain further what you mean? In my answer I just tried to provide some hints to help the OP with his/her problem. Some of them are related with the JVM and the underlying security mechanisms it offers, as suggested in your answer in fact as well. I proposed a code based solution too, because some libraries like Apache HttpClient have to deal with it. Of course, I agree with you, the code can be improved in many ways, including hostname verification. You can verify that the certificate is valid at the current date as well – jccampanero Apr 06 '21 at 08:25
  • by checking their after and before dates. You can probably analyze the information provided in the certificate and look for CRL distribution points or OCSP validation endpoints, you can do a lot of things of course. Probably JSSE by itself will perform some checks, but several improvements can be done, of course. The OP does not indicate the software he/she is using, so it is not easy to provide a more accurate answer. Any way, I agree with you, always special care should be taken to avoid possible security problems. – jccampanero Apr 06 '21 at 08:34
  • What I mean is that under normal circumstances it should be entirely possible to resolve the issue without writing a single line of Java code, just by importing the right certificates (usually the self signed root and if the server does not provide them, also the intermediate certificates) into the JSSE truststore. JSSE is used here otherwise the user would never have gotten a JSSE error. The default Java implementation is well tested, documented and understood, but if you write your own custom implementation you open the door for all kinds of security issues. – JohannesB Apr 06 '21 at 09:24
  • I totally agree with you @JohannesB, when dealing with security issues it is always advisable to _not reinvent the wheel_ and use standard configurations if possible. Having said that, please, be aware that as indicated in the answer, the JSSE specification provides guidance about how to implement custom `TrustManager`s if necessary, so certainly the use of the API is a possibility. In any way, the important thing is that any of the answers and proposed solutions be of help to the OP in order to solve the problem. – jccampanero Apr 06 '21 at 10:09
1

As other answers have pointed out the list of things that need to be setup correctly is long and varied depending on which HTTP client you are using, but assuming you have followed the information provided in the other answers, here's what I would check:

  1. Make sure the cert was imported correctly into the cacerts file. This can get get overwritten by software updates, Group Policy (if you are on a windows domain), you accidentally changed JVMs, and so on. Double check the path to the JVM that is in use
  2. Importing a certificate isn't always enough to ensure the trust is correctly setup. The hostname used to access the service must match the imported certificate either by the Common Name (CN), or a Subject Alternate Name (SAN DNS) entry. This first image shows the Common Name from the current google cert. Google Cert CN , the second image shows the SANs: SAN details for google cert The upshot of this is that whatever hostname you are using to access the service (eg test.amazingapp.com) must match either the CN or one of the entries in the SAN field. If you are accessing the service via an IP address, then the IP needs to be in either of these fields.
  3. Finally, ensure the certificate is not expired.

If you've checked all these and it still isn't working, then you will likely need to turn on SSL logging with the system property javax.net.debug as described here on the Oracle JSSE Site, using $ java -Djavax.net.debug=all will give all the information that exists about the handshake. It will take some time to work through but the answer will be there.

stringy05
  • 6,511
  • 32
  • 38