I have a problem using SSL in WLP at a customer's project, and we are trying to find the cause.

The story so far:

I am using HttpClient 5.1, jsse-1.2 is in the classpath, transportSecurity-1.0 is active in the WLP feature manager, and the truststore and keystore options are both set in the server.xml.

The CloseableHttpClient is currently built like:

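import java.net.MalformedURLException;
import java.net.URL;
import javax.net.ssl.SSLContext;
import org.apache.hc.client5.http.auth.AuthScope;
import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.io.HttpClientConnectionManager;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
import org.apache.hc.core5.http.ssl.TLS;
import org.apache.hc.core5.ssl.SSLContexts;

private void buildClient() throws MalformedURLException {
    try {
        URL aURL = new URL(BASE_URL);
        // getHost() rather than getAuthority(): the authority may carry
        // user info or a port, which would never match the AuthScope host.
        String host = aURL.getHost();

        // Fresh context initialised with the JVM's default key and trust material.
        SSLContext ctx = SSLContexts.createDefault();

        final SSLConnectionSocketFactory sslSocketFactory = SSLConnectionSocketFactoryBuilder.create()
                .setSslContext(ctx)
                .setTlsVersions(TLS.V_1_2)
                .build();

        // Credentials are offered only to the target host on port 443.
        final BasicCredentialsProvider credsProvider = new BasicCredentialsProvider();
        credsProvider.setCredentials(
                new AuthScope(host, 443),
                new UsernamePasswordCredentials(USER, PASSWORD.toCharArray()));

        final HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create()
                .setSSLSocketFactory(sslSocketFactory)
                .build();

        httpClient = HttpClients.custom()
                .setConnectionManager(cm)
                .setDefaultCredentialsProvider(credsProvider)
                .build();
    } catch (MalformedURLException e) {
        throw new MalformedURLException(BASE_URL);
    }
}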

And the logging looks like this:

[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.InternalHttpClient:164 - ex-0000000001 preparing request execution
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] hc.client5.http.protocol.RequestAddCookies:122 - ex-0000000001 Cookie spec selected: strict
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] hc.client5.http.protocol.RequestAuthCache:78 - ex-0000000001 Auth cache not set in the context
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.ProtocolExec:164 - ex-0000000001 target auth state: UNCHALLENGED
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.ProtocolExec:170 - ex-0000000001 proxy auth state: UNCHALLENGED
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.ConnectExec:117 - ex-0000000001 acquiring connection with route {s}->https://test.doesnt.matter:443
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.InternalHttpClient:101 - ex-0000000001 acquiring endpoint (3 MINUTES)
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.io.PoolingHttpClientConnectionManager:255 - ex-0000000001 endpoint lease request (3 MINUTES) [route: {s}->https://test.doesnt.matter:443][total available: 0; route allocated: 0 of 5; total allocated: 0 of 25]
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.io.PoolingHttpClientConnectionManager:277 - ex-0000000001 endpoint leased [route: {s}->https://test.doesnt.matter:443][total available: 0; route allocated: 1 of 5; total allocated: 1 of 25]
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.io.PoolingHttpClientConnectionManager:307 - ex-0000000001 acquired ep-0000000000
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.InternalHttpClient:116 - ex-0000000001 acquired endpoint ep-0000000000
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.ConnectExec:124 - ex-0000000001 opening connection {s}->https://test.doesnt.matter:443
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.InternalHttpClient:156 - ep-0000000000 connecting endpoint (3 MINUTES)
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.io.PoolingHttpClientConnectionManager:392 - ep-0000000000 connecting endpoint to https://test.doesnt.matter:443 (3 MINUTES)
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.io.DefaultHttpClientConnectionOperator:145 - http-outgoing-0 connecting to test.doesnt.matter/4.XXX.XXX.16:443
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] hc.client5.http.ssl.SSLConnectionSocketFactory:211 - Connecting socket to test.doesnt.matter/4.XXX.XXX.16:443 with timeout 3 MINUTES
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] hc.client5.http.ssl.SSLConnectionSocketFactory:267 - Enabled protocols: [TLSv1.2]
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] hc.client5.http.ssl.SSLConnectionSocketFactory:268 - Enabled cipher suites: [SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] hc.client5.http.ssl.SSLConnectionSocketFactory:272 - Starting handshake
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.io.DefaultManagedHttpClientConnection:174 - http-outgoing-0 close connection IMMEDIATE
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.InternalHttpClient:236 - ep-0000000000 endpoint closed
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.classic.InternalHttpClient:240 - ep-0000000000 discarding endpoint
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.io.PoolingHttpClientConnectionManager:336 - ep-0000000000 releasing endpoint
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.io.PoolingHttpClientConnectionManager:359 - ep-0000000000 connection is not kept alive
[2022-02-15T16:21:39] [DEBUG] [Default Executor-thread-7] client5.http.impl.io.PoolingHttpClientConnectionManager:368 - ep-0000000000 connection released [route: {s}->https://test.doesnt.matter:443][total available: 0; route allocated: 0 of 5; total allocated: 0 of 25]

Then we get the SSLException:

[2022-02-15T16:21:39] [ERROR] [Default Executor-thread-7] main.java.refSystems.fiservice.FiServiceClient:202 - SSL-Fehler: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.jsse2.g.a(g.java:58) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.ba.a(ba.java:38) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.ba.a(ba.java:101) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.ba.a(ba.java:62) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.y$c.a(y$c.java:166) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.A$c.consume(A$c.java:2) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.p.consume(p.java:43) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.Z.a(Z.java:73) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.Z.a(Z.java:245) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.ba.a(ba.java:116) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.aZ.a(aZ.java:36) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bi.b(bi.java:219) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bi.f(bi.java:317) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bi.a(bi.java:218) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bi.startHandshake(bi.java:212) ~[?:8.0 build_20201204--193]
    at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:273) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:241) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:148) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:396) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:158) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:168) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:136) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ExecChainElement$1.proceed(ExecChainElement.java:57) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:175) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ExecChainElement$1.proceed(ExecChainElement.java:57) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:96) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ExecChainElement$1.proceed(ExecChainElement.java:57) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:133) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ExecChainElement$1.proceed(ExecChainElement.java:57) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:115) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:170) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:75) ~[httpclient5-5.1.2.jar:5.1.2]
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:89) ~[httpclient5-5.1.2.jar:5.1.2]
    at main.java.refSystems.fiservice.FiServiceClient.sendRequest(FiServiceClient.java:187) [classes/:?]
    at main.java.refSystems.fiservice.FiServiceClient.isAvailable(FiServiceClient.java:146) [classes/:?]
    at main.java.refSystems.fiservice.FiServiceFunctions.isAvailable(FiServiceFunctions.java:99) [classes/:?]
    at main.java.atc.definitions.ReferenceSystem.isAvailable(ReferenceSystem.java:78) [classes/:?]
    at main.java.timer.AvailableInterface.isAvailable(AvailableInterface.java:66) [classes/:?]
    at main.java.timer.AvailableInterface.checkAllSystems(AvailableInterface.java:39) [classes/:?]
    at main.java.handler.StatusHandler.refreshParameter(StatusHandler.java:32) [classes/:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) ~[?:1.8.0]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) ~[?:1.8.0]
    at java.lang.reflect.Method.invoke(Method.java:508) ~[?:1.8.0]
    at org.apache.el.parser.AstValue.invoke(AstValue.java:245) [com.ibm.ws.org.apache.jasper.el.3.0_3.0.47.jar:?]
    at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:267) [com.ibm.ws.org.apache.jasper.el.3.0_3.0.47.jar:?]
    at org.apache.myfaces.view.facelets.el.ContextAwareTagMethodExpression.invoke(ContextAwareTagMethodExpression.java:96) [com.ibm.ws.org.apache.myfaces.2.3_1.0.47.jar:2.3.6]
    at javax.faces.event.MethodExpressionActionListener.processAction(MethodExpressionActionListener.java:83) [com.ibm.websphere.javaee.jsf.2.3_1.0.47.jar:?]
    at javax.faces.event.ActionEvent.processListener(ActionEvent.java:58) [com.ibm.websphere.javaee.jsf.2.3_1.0.47.jar:?]
    at javax.faces.component.UIComponentBase.broadcast(UIComponentBase.java:429) [com.ibm.websphere.javaee.jsf.2.3_1.0.47.jar:?]
    at javax.faces.component.UICommand.broadcast(UICommand.java:103) [com.ibm.websphere.javaee.jsf.2.3_1.0.47.jar:?]
    at javax.faces.component.UIViewRoot._broadcastAll(UIViewRoot.java:1255) [com.ibm.websphere.javaee.jsf.2.3_1.0.47.jar:?]
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:420) [com.ibm.websphere.javaee.jsf.2.3_1.0.47.jar:?]
    at javax.faces.component.UIViewRoot._process(UIViewRoot.java:1741) [com.ibm.websphere.javaee.jsf.2.3_1.0.47.jar:?]
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:935) [com.ibm.websphere.javaee.jsf.2.3_1.0.47.jar:?]
    at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:42) [com.ibm.ws.org.apache.myfaces.2.3_1.0.47.jar:2.3.6]
    at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:195) [com.ibm.ws.org.apache.myfaces.2.3_1.0.47.jar:2.3.6]
    at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:142) [com.ibm.ws.org.apache.myfaces.2.3_1.0.47.jar:2.3.6]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:204) [com.ibm.websphere.javaee.jsf.2.3_1.0.47.jar:?]
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1230) [com.ibm.ws.webcontainer_1.1.47.jar:?]
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:729) [com.ibm.ws.webcontainer_1.1.47.jar:?]
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:426) [com.ibm.ws.webcontainer_1.1.47.jar:?]
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1226) [com.ibm.ws.webcontainer_1.1.47.jar:?]
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1010) [com.ibm.ws.webcontainer_1.1.47.jar:?]
    at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:75) [com.ibm.ws.webcontainer_1.1.47.jar:?]
    at com.ibm.ws.webcontainer40.servlet.CacheServletWrapper40.handleRequest(CacheServletWrapper40.java:83) [com.ibm.ws.webcontainer.servlet.4.0_1.0.47.jar:?]
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:936) [com.ibm.ws.webcontainer_1.1.47.jar:?]
    at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279) [com.ibm.ws.webcontainer_1.1.47.jar:?]
    at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1141) [com.ibm.ws.transport.http_1.0.47.jar:?]
    at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:422) [com.ibm.ws.transport.http_1.0.47.jar:?]
    at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:381) [com.ibm.ws.transport.http_1.0.47.jar:?]
    at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:565) [com.ibm.ws.transport.http_1.0.47.jar:?]
    at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:499) [com.ibm.ws.transport.http_1.0.47.jar:?]
    at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:359) [com.ibm.ws.transport.http_1.0.47.jar:?]
    at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:326) [com.ibm.ws.transport.http_1.0.47.jar:?]
    at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:167) [com.ibm.ws.channelfw_1.0.47.jar:?]
    at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:75) [com.ibm.ws.channelfw_1.0.47.jar:?]
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:504) [com.ibm.ws.channelfw_1.0.47.jar:?]
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:574) [com.ibm.ws.channelfw_1.0.47.jar:?]
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:958) [com.ibm.ws.channelfw_1.0.47.jar:?]
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047) [com.ibm.ws.channelfw_1.0.47.jar:?]
    at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239) [com.ibm.ws.threading_1.1.47.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [?:1.8.0]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:1.8.0]
    at java.lang.Thread.run(Thread.java:822) [?:2.9 (03-19-2021)]
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.jsse2.util.h.a(h.java:120) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.util.h.b(h.java:5) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.util.g.a(g.java:10) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bq.a(bq.java:32) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bq.a(bq.java:26) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bq.checkServerTrusted(bq.java:171) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.y$c.a(y$c.java:97) ~[?:8.0 build_20201204--193]
    ... 85 more
Caused by: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.security.cert.SunCertPathBuilder.build(SunCertPathBuilder.java:139) ~[?:8.0 build_20200819-68]
    at com.ibm.security.cert.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:124) ~[?:8.0 build_20200819-68]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:292) ~[?:?]
    at com.ibm.jsse2.util.h.a(h.java:124) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.util.h.b(h.java:5) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.util.g.a(g.java:10) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bq.a(bq.java:32) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bq.a(bq.java:26) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.bq.checkServerTrusted(bq.java:171) ~[?:8.0 build_20201204--193]
    at com.ibm.jsse2.y$c.a(y$c.java:97) ~[?:8.0 build_20201204--193]
    ... 85 more 

My local build works fine with no error, but after deployment to the test server the error occurs. The firewall is open for the target.

I hope we can add more debug output to find a solution for the issue.

  • The address I'm calling is certified by the company, and all certificates and certification paths should be in the keystore deployed with the WLP. The local keystore should be the same, but I'm using it via the JRE and not in the server.xml – Daniel Becker Feb 15 '22 at 20:35

1 Answer

We got one step further with a workmate. He enabled SSL debugging in the WLP and we saw that Java took the default cert file. The correct one is configured directly in the WLP. When you use HttpClient 4 you build the SSLContext with javax.net.ssl.SSLSocketFactory.getDefault and you get the SSLContext of the WLP. But this context isn't working in HttpClient 5 and I can't find a translation. So for now we have gone back to HttpClient 4 and SSL is working.
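
The mismatch described in the answer, where the client validates the server against the JVM's default trust store instead of the one configured in server.xml, can be checked and avoided in HttpClient 5 as sketched below. This is an added example, not code from the original post: it assumes the runtime installs its SSL configuration as the JVM-wide default context, and the class name, the TRUSTSTORE_PASSWORD variable and the "PKCS12" store type are hypothetical.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
import org.apache.hc.core5.http.ssl.TLS;
import org.apache.hc.core5.ssl.SSLContexts;

public final class TrustAwareClients {
    // Subject DNs of the CAs trusted by a context from SSLContexts.createDefault(),
    // which calls init(null, null, null) and so falls back to the JVM's own trust store.
    static List<String> jvmDefaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = javax.net.ssl.trustStore if set, else the JRE's cacerts
        List<String> subjects = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    subjects.add(ca.getSubjectX500Principal().getName());
                }
            }
        }
        return subjects;
    }
    // Option 1: reuse the context installed via SSLContext.setDefault(), if any.
    static SSLContext runtimeDefault() {
        return SSLContexts.createSystemDefault(); // delegates to SSLContext.getDefault()
    }
    // Option 2: trust exactly one store, independent of JVM or server defaults.
    static SSLContext fromTrustStore(File store, char[] password, String type) throws Exception {
        return SSLContexts.custom()
                .setKeyStoreType(type) // e.g. "PKCS12" or "JKS"
                .loadTrustMaterial(store, password)
                .build();
    }
    // Same wiring as the question's buildClient(), with the context passed in.
    static CloseableHttpClient build(SSLContext ctx) {
        return HttpClients.custom()
                .setConnectionManager(PoolingHttpClientConnectionManagerBuilder.create()
                        .setSSLSocketFactory(SSLConnectionSocketFactoryBuilder.create()
                                .setSslContext(ctx)
                                .setTlsVersions(TLS.V_1_2)
                                .build())
                        .build())
                .build();
    }
    public static void main(String[] args) throws Exception {
        jvmDefaultTrustAnchors().forEach(System.out::println); // is the corporate CA listed?
        String pw = System.getenv("TRUSTSTORE_PASSWORD");      // hypothetical variable name
        SSLContext ctx = (args.length == 1 && pw != null)
                ? fromTrustStore(new File(args[0]), pw.toCharArray(), "PKCS12")
                : runtimeDefault();
        build(ctx).close(); // issue requests with the client before closing it
    }
}
```

If the issuing CA of the target host is missing from the printed list, a context from `SSLContexts.createDefault()` will fail with the PKIX path building error shown in the question.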