
I'm facing a strange issue.

We have a valid certificate from a trusted root CA, specifically USERTrust RSA Certification Authority, for server-01.

When I visit the API in the browser for server-01, everything's fine.
We have a certificate chain with the above root CA and then an intermediate one.

When I use this code:

    // reactiveWebClient is an already configured org.springframework.web.reactive.function.client.WebClient
    public Flux<IncomingMessage> fetchMessages(URI uri) {
        return reactiveWebClient
                .get()
                .uri(uri.toString())
                .retrieve()
                .bodyToFlux(IncomingMessage.class);
    }

It fails with this exception: org.springframework.web.reactive.function.client.WebClientRequestException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path

When I try another server, server-02, in our infrastructure, the above reactiveWebClient works.
This server-02 also has a valid certificate, but from another issuer CA.

The intermediate CA from server-01 is:
GEANT OV RSA CA 4

The intermediate CA from server-02 is:
DFN-Verein Certification Authority 2

Please note:

Both servers have valid certificates; the openssl command verifies this.

To my understanding, something is wrong with the server-01 intermediate certificate.

How can I handle this?

Please note:

I don't want to install the whole cert in the JDK's trusted certificates, as we have to exchange all server certificates on a yearly basis.

Thomas Lang
  • Make sure the required CA is added to the JVM trust store. In addition, you can use the `-Djavax.net.debug=all` system property to troubleshoot TLS: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html – Alex Mar 01 '23 at 15:48
  • The "problem" with adding it to the truststore is that we have several stage machines (deploy, test, dev, prod) where it would have to be added. Besides that, we are forced to change certificates yearly. So this means a lot of work. In the meantime I got it to work by following this suggestion: https://stackoverflow.com/a/53147631/7320372 – Thomas Lang Mar 03 '23 at 06:17
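One way to keep full certificate validation on without touching the JDK's cacerts on every stage machine, as an added example that is not from the question or the linked answer: give the WebClient its own trust anchors from a PEM bundle. The class name, the bundle path `/etc/app/trusted-cas.pem` and the host `server-01.example` are assumptions; the bundle is expected to contain the USERTrust root and the GEANT OV RSA CA 4 intermediate named above, which stay the same while the yearly leaf certificates rotate.

```java
import java.io.File;
import javax.net.ssl.SSLException;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;

public final class TrustedWebClientFactory {

    /**
     * Builds a WebClient that validates server chains against the CA
     * certificates in caBundlePem instead of the JDK's cacerts.
     * Chain validation and hostname verification stay enabled; only the
     * set of trust anchors changes. The bundle holds CA certificates, so
     * the yearly rotation of the server (leaf) certificates needs no change here.
     */
    public static WebClient create(File caBundlePem) throws SSLException {
        // Netty SslContext whose trust anchors are exactly the PEM-encoded
        // CA certificates in the bundle (root and/or intermediate).
        SslContext sslContext = SslContextBuilder.forClient()
                .trustManager(caBundlePem)
                .build();

        // Reactor Netty client using that SslContext for every HTTPS connection.
        HttpClient httpClient = HttpClient.create()
                .secure(spec -> spec.sslContext(sslContext));

        return WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Assumed path and host; the bundle must exist on each stage machine.
        WebClient client = create(new File("/etc/app/trusted-cas.pem"));
        String body = client.get()
                .uri("https://server-01.example/api/messages")
                .retrieve()
                .bodyToMono(String.class)
                .block();
        System.out.println(body);
    }
}
```

If server-01 omits the intermediate from its TLS handshake, Java's PKIX builder does not fetch it on its own (unlike a browser), so the path only completes when that intermediate is present as an anchor in the bundle; the more robust fix is still to have server-01 send its full chain.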

0 Answers