0
votes

I have 2 apps installed on 2 different servers: (1) hosted in GlassFish, (2) a batch server (standalone Java app). Both apps are using a common Java program (in the form of a jar file) to call an external server. I am using 'CloseableHttpClient' to make the connection to that external third-party server. From server one (GlassFish) I am able to call and get a response from the external server, but the same program on the batch server is throwing the SSL exception below:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1209)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:135)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:290)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:259)
    at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
    at com.csid.sms.util.postup.PostUpRestClient.executeRequest(PostUpRestClient.java:169)
    at com.csid.sms.util.postup.PostUpRestClient.executeJsonPost(PostUpRestClient.java:134)
    at com.csid.sms.util.postup.PostUpRestClient.executeJsonRequest(PostUpRestClient.java:106)
    at com.csid.sms.util.postup.PostUpEmailRoute.triggerMessage(PostUpEmailRoute.java:213)
    at itm.monitor.SummaryEmailPostupRoute.triggerMessage(SummaryEmailPostupRoute.java:154)
    at com.csid.sms.messaging.MessagingHandler.triggerMessage(MessagingHandler.java:60)
    at itm.monitor.SummaryEmailRoute.sendEmail(SummaryEmailRoute.java:49)
    at itm.monitor.BatchEmailProcessor.sendEmail(BatchEmailProcessor.java:105)
    at itm.monitor.BatchEmailProcessor.call(BatchEmailProcessor.java:51)
    at itm.monitor.BatchEmailProcessor.call(BatchEmailProcessor.java:33)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1188)
    ... 37 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
    ... 43 more

Note - this exception is being thrown only from the batch server, not from the admin server (hosted in GlassFish).

After googling this error I found that the certificate obtained from the external server might not be issued by a trusted authority, so I imported the certificate using 'installCert' (the Java program).

Now I verified the certificate in cacerts using the keytool command

keytool -list -keystore cacerts

and I can see that the external certificate is listed in the trusted certificates list, but I am still getting the above SSL exception.

Any thoughts, guys? Why am I not getting any sort of SSL exception from the admin server (GlassFish), which is also using the same Java code? Does GlassFish automatically import certificates just like browsers do?


2 Answers

0
votes

Your batch program and your admin application are probably behaving differently because they are using different JREs. Every JRE has its own cacerts.

0
votes

You need to verify if the JRE is really using the trust store where you have imported the certificate.
Add the JVM runtime argument "-Djavax.net.debug=all" and restart the server. This will print the trust stores loaded by the JVM when the server is started.
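An added diagnostic (not code from the question or either answer) that makes both answers concrete: it resolves the trust store the running JRE will actually use, loads it, and, given a PEM file holding the server's certificate chain as an assumed first argument, runs the same PKIX validation the handshake performs, so the "PKIX path building failed" can be reproduced or cleared outside the batch job. Run it once under each JRE (the GlassFish one and the batch server's) to see whether they point at different cacerts files; the class name and the PEM argument are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;
public class TrustStoreCheck {
    // Same lookup order the default X509TrustManager uses: -Djavax.net.ssl.trustStore wins,
    // otherwise <java.home>/lib/security/jssecacerts if present, else cacerts.
    static Path resolveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return Paths.get(override);
        Path sec = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = sec.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : sec.resolve("cacerts");
    }
    static KeyStore loadTrustStore(Path path) throws Exception {
        String pw = System.getProperty("javax.net.ssl.trustStorePassword"); // null: skip JKS integrity check
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        return ks;
    }
    // Runs the real PKIX validation (nothing disabled); returns null on success, else the reason.
    static String validate(KeyStore trust, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try { ((X509TrustManager) tm).checkServerTrusted(chain, "RSA"); return null; }
                catch (CertificateException e) { return e.getMessage(); }
            }
        }
        return "no X509TrustManager available";
    }
    public static void main(String[] args) throws Exception {
        Path ts = resolveTrustStore();
        System.out.println("java.home = " + System.getProperty("java.home") + "\ntrustStore = " + ts);
        KeyStore ks = loadTrustStore(ts);
        System.out.println("trusted entries: " + ks.size());
        if (args.length == 0) return;
        // args[0]: PEM file with the server's chain (assumed input, e.g. leaf followed by intermediates)
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new X509Certificate[0]);
        }
        String problem = validate(ks, chain);
        System.out.println(problem == null ? "chain validates" : "PKIX failure: " + problem);
    }
}
```

If the printed trustStore path is not the cacerts file the certificate was imported into, that is the mismatch the answers describe; if the path matches but validation still fails, the imported entry is usually a leaf certificate rather than the issuing CA, and the PEM chain supplied here will show which issuer is missing.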