PKIX path building failed, but the certificate is in cacerts

12
votes

I have the problem that is also described here. The thing is that I created a certificate and added it to the keystore of tomcat, and then I copied it to the cacerts truststore. However, somehow I still get this error.

What I have done:

1) keytool -genkey -alias cas -keyalg RSA -keystore cas.keystore -storepass changeit

2) keytool -exportcert -alias cas -file cas.crt -keystore cas.keystore

Step 2) because I wanted to put the certificate in my tomcat keystore and cacerts

3) keytool -import -alias cas -file cas.crt -keystore "C:\Program Files\Java\jdk1.8.0_77\jre\lib\security\cacerts"

4) keytool -import -alias cas -file "C:\Program Files\Java\jdk1.8.0_7\jre\bin\cas.crt" -keystore "D:\portal\apache-tomcat-8.0.3\conf\portal.keystore"

So now with step 3 and 4 I added the certificate in my tomcat keystore and the truststore cacerts.

Now I can list my trust- and keystore

With this command..

keytool -list -v -keystore "C:\Program Files\Java\jdk1.8.0_77\jre\lib\security\cacerts" -alias cas

... I get this:

Keystore-Kennwort eingeben:
Aliasname: cas
Erstellungsdatum: 09.09.2016
Eintragstyp: trustedCertEntry

Eigentümer: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
Aussteller: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
Seriennummer: xxx
Gültig von: Fri Sep 09 10:40:55 CEST 2016 bis: Thu Dec 08 09:40:55 CET 2016
Zertifikat-Fingerprints:
         MD5:  ....
         SHA1: ....
         SHA256: ....
         Signaturalgorithmusname: SHA256withRSA
         Version: 3

Erweiterungen:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [...
]
]

And with this:

keytool -list -v -keystore "D:\portal\apache-tomcat-8.0.30\conf\portal.keystore" -alias cas

I get this:

Keystore-Kennwort eingeben:

Keystore-Typ: JKS
Keystore-Provider: SUN

Keystore enthält 1 Eintrag

Aliasname: cas
Erstellungsdatum: 09.09.2016
Eintragstyp: trustedCertEntry

    Eigentümer: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
    Aussteller: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
Seriennummer: ...
Gültig von: Fri Sep 09 10:40:55 CEST 2016 bis: Thu Dec 08 09:40:55 CET 2016
Zertifikat-Fingerprints:
         MD5:  ...
         SHA1: ...
         SHA256: ...
         Signaturalgorithmusname: SHA256withRSA
         Version: 3

Erweiterungen:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]

]

If it is not clear: the certificates (cas) are the same.

So my impression was that the certificate is now in the keystore of the tomcat server and the truststore cacerts. But somehow I still get this exception when I entered my credentials on the CAS server and get redirected (full stacktrace bellow):

HTTP Status 500 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

These are my connectors in my tomcats server.xml:

<Connector port="8743" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="${catalina.base}/conf/portal.keystore" keystorePass="changeit" 
               secure="true" connectionTimeout="240000" 
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8309" protocol="AJP/1.3" redirectPort="8743" />

What is the possible cause of my problem? All the other threads like the one mentioned in the beginning point out that the OP did not import the certificate to the cacerts file, but I did.

The full stacktrace:

09-Sep-2016 12:05:30.146 SEVERE [http-bio-8743-exec-4] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [/cas-sample] threw exception
 java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:279)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
    ... 20 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 33 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 39 more
3
javasslhttpscas
Can you change your keystore file location to use cas.keystore in the connector ?s7vr

3 Answers

4
votes

My problem was quite unexpected. I had a Tomcat that had an modified setenv.bat that had options that pointed on another location of a keystore. I didn't know much about Tomcat and application servers in general so I couldn't figure that out earlier.

3
votes

Your Connector element defines a keystore. That's a place where private keys and their certificates will be looked for.

Your exception concerns a truststore, which is a place where trusted CA certs are or are not found.

You need to define the truststore used by Tomcat somehow, either via configuration or via the javax.net.ssl.trustStore system property.

2
votes

You can navigate to the tomcat/bin directory. Modify catalina.sh (or catalina.bat depending on your os).

Add the below properties to JAVA_OPTS.

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$CATALINA_HOME/certificates/truststore.ks -Djavax.net.ssl.trustStorePassword=truststorePassword -server"

I just recently had to fight through some truststore/keystore issues myself. A tool I found very helpful for easily viewing/modifying trust/keystores is keystore explorer.