CXF:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Question

I built a CXF client to invoke a SOAP web service. I imported the server's certificates into my cacerts trust store (I understand that CXF uses cacerts by default) and i used the following code to implement the call. However, the following error is generated:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

QName serviceQName = new QName("Namespace", "ServiceName");
String urlString = "https:endpoint?wsdl";
QName portQName = new QName("Namespace", "PortName");

service = Service.create(serviceQName);
service.addPort(portQName, SOAPBinding.SOAP11HTTP_BINDING, urlString);
Dispatch<Source> sourceDispatch = service.createDispatch(portQName, Source.class, Service.Mode.PAYLOAD);
BindingProvider bindingProvider = sourceDispatch;
bindingProvider.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, urlString);
Source result = sourceDispatch.invoke(new StreamSource(exchange.getIn().getBody(InputStream.class)));

score 1 · Answer 1 · answered Jan 04 '22 at 08:20

1

You need to import certificates to the keystore. This answer is a common solution.

"PKIX path building failed" and "unable to find valid certification path to requested target"

Also try adding keystore and truststore paths and passwords to VM options.

-Djavax.net.ssl.keyStore=C:\...\keystore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=C:\..\truststore.jks
-Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.type=JKS

answered Jan 04 '22 at 08:20

Borna R.

11
2

I have already imported the certificates to the cacerts truststore, which is the default java and CXF trust store. – StudentOfTheGame Jan 04 '22 at 08:44

score 0 · Accepted Answer · answered Jan 04 '22 at 15:50

The error was actually a CXF one and not a certificate one. Specifically, the Binding Provider actually ignores JAXWS properties and i had to pass the SSL context as shown below:

SSLContext sc = "your custom SSL Context"
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setUseHttpsURLConnectionDefaultSslSocketFactory(false);
tlsParams.setSSLSocketFactory(sc.getSocketFactory());

CXF:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2 Answers2