SSL Error: unable to find valid certification path to requested target

user2367636 picture user2367636 · Jul 5, 2013 · Viewed 26.5k times · Source

I am trying to connect to a url through my server that requires certificate. I have imported my Client Authentication Certificate to {JAVA_HOME}/jre/bin/security/cacerts and also i have placed it in the keystore in Jboss/bin and jboss/server/conf/ then i restarted my server and it is still giving me the folowing error.

Caused by: java.io.IOException: Could not transmit message
    at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:265)
    at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:71)
    at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:340)
    at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:290)
    ... 40 more
Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker after 1 attempt(s)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:249)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:161)
    at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:165)
    at org.jboss.remoting.Client.invoke(Client.java:1724)
    at org.jboss.remoting.Client.invoke(Client.java:629)
    at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:243)
    ... 43 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.getOutputStream(HTTPClientInvoker.java:1214)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:334)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:231)
    ... 48 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    ... 62 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 68 more

I want to ask what can i do to fix it? Do i need to put another one of these in server.xml for this certificate:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
   scheme="https" secure="false" strategy="ms" address="${jboss.bind.address}"
   keystoreFile="${jboss.server.home.dir}/conf/.keystore"
   keystorePass="changeit" sslProtocol="TLS"
   truststoreFile="/usr/lib/jvm/java-6-sun-1.6.0.10/jre/lib/security/cacerts"
   truststorePass="*****"
   SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
   acceptAnyCert="true" clientAuth="want" />

or am i making anyother mistake?

Answer

Katie picture Katie · Oct 18, 2016

I know you said you already imported the certificate, but take a look at these steps to see if you missed a step somewhere:

Here's an overall summary of how to import certificates to fix the following error:

Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to import certificates

  1. Go to URL in your browser, click on HTTPS certificate chain (little lock symbol next to URL address) to export the certificate
    • Click "more info" > "security" > "show certificate" > "details" > "export..".
    • Save as .der
    • Repeat for any certificates you need to import
  2. Locate $JAVA_HOME/jre/lib/security/cacerts
  3. Import all *.der files into the cacerts file using the following:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
    sudo keytool -import -alias mysiteprod -keystore  $JAVA_HOME/jre/lib/security/cacerts -file prod.der
    sudo keytool -import -alias mysitedev -keystore  $JAVA_HOME/jre/lib/security/cacerts -file dev.der
    
  4. The default keystore password is 'changeit'

  5. You can view the change that you made with this command that shows the Certificate fingerprint.

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  6. If this doesn't solve the problem, try adding these java options as arguments:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
    -Djavax.net.ssl.trustStorePassword="changeit"