3

I have a Java REST API running with Jersey on a GlassFish server, and I use Firebase Auth to authenticate my users. So I use the Firebase Admin SDK to verify the token: `FirebaseAuth.getInstance().verifyIdToken(idToken)`

But it throws the following error:

    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I initialize my app correctly, by calling:

    FirebaseOptions options = new FirebaseOptions.Builder()
            .setCredentials(GoogleCredentials.fromStream(serviceAccountStream))
            .build();

With `serviceAccountStream` being an InputStream to my service account JSON file.

Edit: I got the same problem with Firebase's auth emulator and other Firebase services such as Firestore, that's weird

Frank van Puffelen
Romain Guidoux
  • 1
    check [here](https://stackoverflow.com/a/12146838/14475852). – Chandan Aug 17 '21 at 17:37
  • 1
    @Chandan I have no self-signed certificate (I did nothing to run on HTTPS), but I tried adding the `Djavax.net.ssl.trustStore` arg. It's better but now I got a `com.google.firebase.auth.FirebaseAuthException: Unknown error while making a remote service call: Connexion refusée (Connection refused)` If I pass an expired token I got a valid message "Firebase ID token has expired. Get a fresh ID token and try again" – Romain Guidoux Aug 19 '21 at 09:33
  • 1
    @RomainGuidoux, did you try setting this option `-Djsse.enableSNIExtension=true`, and which version of Java are you using? – Usman Azhar Aug 20 '21 at 03:29
  • 1
    @UsmanAzhar Well, with this option I got an "SSL connect error" in insomnia, but no Java exception (I do not even enter the WS) – Romain Guidoux Aug 20 '21 at 21:36
  • 1
    Duplicate of ["PKIX path building failed" and "unable to find valid certification path to requested target"](https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ) and many others. – user207421 Oct 18 '21 at 00:42
  • In addition to the suggestion and information provided by @user207421, please consider reviewing [this SO](https://stackoverflow.com/questions/66868258/sun-security-validator-validatorexception-suncertpathbuilderexception-while-im/66918176#66918176) question as well. Moreover, it probably will not be the case, but the problem may also be related to the deprecation of some TLS versions in the Java SDK. Please see this related [SO question](https://stackoverflow.com/questions/68591048/javax-could-not-convert-socket-to-tls/68773865#68773865). – jccampanero Oct 18 '21 at 17:12
  • ID token verification requires a project ID. Did you check that? – Sibin Rasiya Oct 20 '21 at 12:22

2 Answers

1

The problem is coming from the old libraries you use. The following code works fine on a Spring Boot 2.5 setup:

    try {
        // Load the service account JSON from the classpath
        InputStream credStream = getClass().getResourceAsStream(credsPath);

        FirebaseOptions options = new FirebaseOptions.Builder()
                .setCredentials(GoogleCredentials.fromStream(credStream))
                .setDatabaseUrl(databaseURL)
                .build();
        FirebaseApp.initializeApp(options);
    } catch (Exception e) {
        logger.error(e.getMessage());
    } finally {
        // ...
    }

If you cannot upgrade the libraries, you need to add your server certificate into the trustStore. Please look here for the steps: "Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Dharman
Igor Kanshyn
0

Here I listed five pointers; they may be helpful for someone.

  • ID token verification requires a project ID. Did you check that?

For example,

    FirebaseOptions options = new FirebaseOptions.Builder()
            .setCredentials(GoogleCredentials.fromStream(serviceAccountStream))
            .setProjectId("my-project-id")
            .build();

The Firebase Admin SDK attempts to obtain a project ID via one of the following methods:

  1. If the SDK was initialized with an explicit projectId app option, the SDK uses the value of that option.
  2. If the SDK was initialized with service account credentials, the SDK uses the project_id field of the service account JSON object.
  3. If the GOOGLE_CLOUD_PROJECT environment variable is set, the SDK uses its value as the project ID. This environment variable is available for code running on Google infrastructure such as App Engine and Compute Engine.

  • If you are still facing the issue, please refer to these links:

https://github.com/googleapis/google-api-java-client/issues/1114

https://github.com/googleapis/google-auth-library-java#configuring-a-proxy


Could you please check whether your machine is behind a corporate proxy.

  • You can add server certificate into the trustStore.

    keytool -import -alias mycertificate -keystore "/Library/Java/JavaVirtualMachines/jdk-15.0.1.jdk/Contents/Home/lib/security/cacerts" -file yourcertificate.cer

password: changeit



Sibin Rasiya
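
A diagnostic for the truststore and corporate-proxy points raised in the answers, added here as an example and not code from either answer: it prints the certificate chain the remote host presents and validates it against the truststore the JVM actually loads. The class name `TrustPathCheck` and the default host `www.googleapis.com` are assumptions; pass the host from your own stack trace as the first argument.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class TrustPathCheck {
    public static void main(String[] args) throws Exception {
        // Assumed default host; pass the host from your own stack trace as args[0].
        String host = args.length > 0 ? args[0] : "www.googleapis.com";
        System.out.println("trustStore in use: "
                + System.getProperty("javax.net.ssl.trustStore", "(JVM default cacerts)"));
        // Default trust manager, built from the truststore this JVM actually loads.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        final X509TrustManager delegate = found;

        // Prints the chain the peer presented, then validates it normally.
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                delegate.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                for (X509Certificate cert : c) {
                    System.out.println("subject: " + cert.getSubjectX500Principal());
                    System.out.println("  issuer: " + cert.getIssuerX500Principal());
                }
                delegate.checkServerTrusted(c, t); // validation is never bypassed
            }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also check the hostname
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("OK: chain validates against this truststore");
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());
        }
    }
}
```

Run it with the same JVM and the same `-D` options as the application server, since the result depends on which truststore that JVM loads. An issuer in the printed chain that is not a public CA points to TLS interception by a proxy, and that issuer's certificate is the one to import with `keytool`.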