
I would like to connect to an https trusted site on an internal LAN.

I tried with:

    import java.io.IOException;
    import okhttp3.FormBody;
    import okhttp3.OkHttpClient;
    import okhttp3.Request;
    import okhttp3.RequestBody;
    import okhttp3.Response;

    // Class wrapper added so the snippet compiles; the name matches the TestClient.jar mentioned below.
    public class TestClient {
        public static void main(String args[]) throws IOException {

            OkHttpClient client = new OkHttpClient();

            RequestBody formBody = new FormBody.Builder()
                    .add("user", "password")
                    .build();

            Request request = new Request.Builder()
                    .url("https://contoso.com")
                    .post(formBody)
                    .build();

            Response response = client.newCall(request).execute();
            System.out.println(response.code());
        }
    }

But that resulted in a PKIX path building error: `ValidatorException: unable to find valid certificate path to requested target`.

The link above suggested adding:

    System.setProperty("javax.net.ssl.trustStore", "cacerts");
    System.setProperty("javax.net.ssl.trustStorePassword", "password");

But this generates a new error:

    javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I also tried to force using cacerts by executing the fat jar with:

    java -jar TestClient.jar -Djava.net.ssl.trustStore="\path\to\cscerts\in\java\lib\security\cacerts"

But I still eventually get `the trustAnchors parameter must be non empty`.

If I try with https://www.google.com it works fine. Java is also set to use the network proxy.

How can I fix this error to make a connection to this site?

Al Grant
  • Does this answer your question? [Error - trustAnchors parameter must be non-empty](https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty) – Gokul Nath KP Jun 30 '21 at 03:25
  • No - that just tells me it is not found - and I have tried to pass the cacerts in the jar and on the command line. – Al Grant Jun 30 '21 at 03:28
  • No - that kind of tells what the error is but not how to fix it. I have listed above some ways I tried to fix it. – Al Grant Jun 30 '21 at 06:49

1 Answer

When you say "trusted site on internal LAN" it seems you're talking about a corporate environment?! These environments are most likely managed. So for example a company issues a root certificate or a CA and distributes it to your system trust store.

Java has its own trust store and it's most likely not managed. So in order to trust your internal website you have several options.

  1. Use your system's trust store. When you're on Windows you can set a system property `-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT`
  2. Add the root certificate of your internal service to your java trust store.
  3. Create a new trust store just with that certificate.
  4. Do not verify the certificate and trust everything.

It depends a little bit on the purpose of your application and where it should run which option to choose.

asbachb
  • That sounds about right - it is a corporate environment. Can I trust everything in `*.contoso.com`? How? – Al Grant Jun 30 '21 at 06:56
  • You could implement your own `TrustManager` (e.g. like https://stackoverflow.com/questions/25509296/trusting-all-certificates-with-okhttp). But you validate the certificate, not the host. You could check which host the cert presents, but you'll win nothing as anyone could issue an untrusted cert presenting that host. So the base question is: Do you want to ensure the https connection is valid or not. If yes (which I'd encourage you) do 1. 2. or 3. if no do 4. – asbachb Jun 30 '21 at 07:25
  • For 2. do I follow this technique : https://medium.com/expedia-group-tech/how-to-import-public-certificates-into-javas-truststore-from-a-browser-a35e49a806dc ? – Al Grant Jun 30 '21 at 08:42
  • Worked perfectly with Windows-ROOT – Al Grant Jul 01 '21 at 07:26
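Options 1 and 3 from the answer, written out for OkHttp 3 as an added example (not code from the question, the answer, or the OkHttp project). The PEM path and the `https://contoso.com` URL are placeholders; the Windows branch assumes the JDK's SunMSCAPI provider is present, which is what the `WINDOWS-ROOT` store type relies on. Both branches keep OkHttp's default hostname verification, so the client trusts the corporate CA without trusting everything. The `size()` check matters because `TrustManagerFactory.init` on a key store with zero certificate entries is exactly what produces `the trustAnchors parameter must be non-empty`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class CorporateCaClient {

    // Option 3: build an in-memory trust store that holds only the corporate root CA.
    // pemPath is a placeholder; the file may contain one or more PEM certificates.
    static KeyStore trustStoreFromPem(String pemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty store, not from cacerts
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("corp-ca-" + (i++), c);
            }
        }
        // An empty store is what triggers "the trustAnchors parameter must be non-empty".
        if (ks.size() == 0) {
            throw new IllegalArgumentException("no certificates found in " + pemPath);
        }
        return ks;
    }

    // Option 1: use the Windows machine root store (requires the SunMSCAPI provider).
    static KeyStore windowsRootStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-ROOT");
        ks.load(null, null);
        return ks;
    }

    // Pick the X509TrustManager that the JDK builds from the given store.
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // OkHttp client that validates the chain against the store and still verifies the hostname.
    static OkHttpClient clientTrusting(KeyStore trustStore) throws Exception {
        X509TrustManager tm = trustManagerFor(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), tm)
                .build(); // default HostnameVerifier is kept on purpose
    }

    public static void main(String[] args) throws Exception {
        // With a PEM path argument use option 3, otherwise fall back to the Windows root store.
        KeyStore store = args.length > 0 ? trustStoreFromPem(args[0]) : windowsRootStore();
        OkHttpClient client = clientTrusting(store);

        Request request = new Request.Builder()
                .url("https://contoso.com") // placeholder internal host
                .build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println(response.code());
        }
    }
}
```

Run it as `java -cp TestClient.jar CorporateCaClient C:\path\to\corp-root.pem` for option 3, or with no argument on Windows for option 1. Note that a `-D` placed after `-jar TestClient.jar` is passed to `main` as a program argument rather than to the JVM, so system properties such as `-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT` have to come before `-jar`.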