Resolving PKIX path building failed Error
I am getting this error
detailed message sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
cause javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
i am using tomcat 6 as webserver. i have two https webbapplication installed on different tomcat on differte port but on same machine. Say App1(port 8443) and App2(port 443). App1 connects to App2 .When App1 connects to App2 i get above error. I know this is very common error so came across many solutions on different forums and sites. I have below entry in server.xml of both tomcat i.e
keystoreFile="c:/.keystore"
keystorePass="changeit"
Every site says the same reason that certificate given by app2 is not in the trusted store of app1 jvm. This seems to be true also when i tired to hit the same URL in IE browser, it works(with warming, There is a problem with this web site's security certificate. here i say continue to this website) But when same url is hit by java client(in my case). So i get the above error. So to put it in trustore i tried these tree options i.e
Option1
System.setProperty("javax.net.ssl.trustStore", "C:/.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Option2 Setting below in environment variable
CATALINA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:.keystore -Djavax.net.ssl.trustStorePassword=changeit ---param value
Option3 Setting below in environment variable
JAVA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:.keystore -Djavax.net.ssl.trustStorePassword=changeit ---param value
But nothing worked .
What at last worked is executing the java approach suggested in How to handle invalid SSL certificates with Apache HttpClient? by Pascal Thivent i.e executing the program InstallCert.
But this approach is fine for devbox setup but i can not use it at production environment.
I am wondering why three approaches mentioned above did not work when i have mentioned same values in server.xml of app2 server and same values in truststore by setting
System.setProperty("javax.net.ssl.trustStore", "C:/.keystore") and System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
in app1 program.
For more information this is how i am making the connection
URL url = new URL(urlStr);
URLConnection conn = url.openConnection();
if (conn instanceof HttpsURLConnection) {
HttpsURLConnection conn1 = (HttpsURLConnection) url.openConnection();
conn1.setHostnameVerifier(new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
reply.load(conn1.getInputStream());
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
• When I got the error, I tried to Google out the meaning of the expression and I found, this issue occurs when a server changes their HTTPS SSL certificate, and our older version of java doesn’t recognize the root certificate authority (CA).
• If you can access the HTTPS URL in your browser then it is possible to update Java to recognize the root CA.
• In your browser, go to the HTTPS URL that Java could not access. Click on the HTTPS certificate chain (there is lock icon in the Internet Explorer), click on the lock to view the certificate.
• Go to “Details” of the certificate and “Copy to file”. Copy it in Base64 (.cer) format. It will be saved on your Desktop.
• Install the certificate ignoring all the alerts.
• This is how I gathered the certificate information of the URL that I was trying to access.
Now I had to make my java version to know about the certificate so that further it doesn’t refuse to recognize the URL. In this respect I must mention that I googled out that root certificate information stays by default in JDK’s jrelibsecurity location, and the default password to access is: changeit.
To view the cacerts information the following are the procedures to follow:
• Click on Start Button-->Run
• Type cmd. The command prompt opens (you may need to open it as administrator).
• Go to your Java/jreX/bin directory
• Type the following
keytool -list -keystore D:Javajdk1.5.0_12jrelibsecuritycacerts
It gives the list of the current certificates contained within the keystore. It looks something like this:
C:Documents and SettingsNeelanjanaG>keytool -list -keystore D:Javajdk1.5.0_12jrelibsecuritycacerts
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 44 entries
verisignclass3g2ca, Mar 26, 2004, trustedCertEntry,
Certificate fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
entrustclientca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 0C:41:2F:13:5B:A0:54:F5:96:66:2D:7E:CD:0E:03:F4
thawtepersonalbasicca, Feb 13, 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
addtrustclass1ca, May 1, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
verisignclass2g3ca, Mar 26, 2004, trustedCertEntry,
Certificate fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
• Now I had to include the previously installed certificate into the cacerts.
• For this the following is the procedure:
keytool –import –noprompt –trustcacerts –alias ALIASNAME -file FILENAME_OF_THE_INSTALLED_CERTIFICATE -keystore PATH_TO_CACERTS_FILE -storepass PASSWORD
If you are using Java 7:
keytool –importcert –trustcacerts –alias ALIASNAME -file PATH_TO_FILENAME_OF_THE_INSTALLED_CERTIFICATE -keystore PATH_TO_CACERTS_FILE -storepass changeit
• It will then add the certificate information into the cacert file.
It is the solution I found for the Exception mentioned above!!
Or
To resolve a Pkix path building failed error:
Make sure you have imported the public certificate of the target instance into the truststore according to the Connecting to SSL Services instructions.
Make sure any certificates have been imported into the correct truststore; you may have multiple JRE/JDKs. ...
Check to see that the correct truststore is in use.