I've been trying to debug this error with no luck.

Essentially I'm contacting an external app through my app. The connection is established fine, the app contacts my app back through a callback URL, then I need to send a final validation to the external app. This last step is failing because of an SSLHandshakeException.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've had a look at the possible causes, and created a truststore with the external app cert in it following these steps:

  • download the cert chain from the browser
  • create the truststore with

keytool -import -v -trustcacerts -alias mycert -file x_my_cert_location_x -keystore truststore

  • add the above truststore in my setenv file
  • restart my tomcat instance.

This has not resolved the problem.

I also added the cert to the cacerts file, and the same to the connector in the server.xml file as follows:

<Connector port="${catalina.port.https}" server="Apache" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           connectionTimeout="20000"
           compression="on"
           compressionMinSize="200"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml"
           enableLookups="false"
           URIEncoding="UTF-8"
           keystoreFile="my_store_location" keystorePass="myPwd"/>

Debugging in the SSL, I can see:

> %% Invalidated: [Session-15, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> http-nio-8080-exec-9, SEND TLSv1.2 ALERT: fatal, description =
> certificate_unknown http-nio-8080-exec-9, WRITE: TLSv1.2 Alert, length
> = 2 [Raw write]: length = 7 0000: 15 03 03 00 02 02 2E ....... http-nio-8080-exec-9, called closeSocket() http-nio-8080-exec-9,
> handling exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target

Which makes no real sense to me. My app is on java 1.8.242. Any advice on this please?

Did you add the cert to: ./jdk1.8.0_24/jre/lib/security/cacerts (zatef)

You need to define the truststore when configuring the Connector. You don't have any assurance that Tomcat uses default SSLContexts that read the system properties. (user207421)

I added the cert to the cacerts, but nothing has changed. (giovandrea)

Also, I did the same with the Connector. I will update the question with that info. (giovandrea)

I am sure after doing the keytool, it has installed successfully. (spandey)

1 Answer


The error suggests that you are missing the certificate of the site you are trying to reach. So:

  • Start your java/tomcat with -Djavax.net.debug=ALL. In the logs you should see lines like these (I stripped out the timestamp etc.):

     trustStore is: {your-cacerts-file}
     trustStore type is: pkcs12
     trustStore provider is:
     the last modified time is: Tue Feb 02 18:29:33 GMT 2021
     Reload the trust store
     Reload trust
     Reloaded {x} trust certs
     adding as trusted certificates
     {then you get a big dump of all {x} certs.}

    That way you know for sure if your cacerts is really being read or not.

  • If your file is really being read by Tomcat then write your own small Java program that uses your cacerts file (use -Djavax.net.ssl.trustStore={path-to-my-file}) and the same debug parameter used above. You should see it read in the certificate you added. Then debug from there and maybe repost this smaller case. That isn't the total answer but at least you will have isolated the problem to some degree.
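The small Java program the answer recommends, written here as an added example (it is not the questioner's or the answerer's code): it loads the truststore created with the keytool command in the question, lists the aliases in it, then validates the chain the external app presents against that store alone, printing every certificate in the chain so a missing intermediate or a wrong import is visible. The class name, the argument order (host, port, truststore path, password) and the use of a PKIX TrustManagerFactory with a recording wrapper are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;
// Hypothetical diagnostic, not code from the question or the answer: loads the
// keytool-built truststore, lists its aliases, then validates the chain the server
// presents against only that store and prints the chain whether or not it validates.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0], storePath = args[2];       // external app host; truststore file
        int port = Integer.parseInt(args[1]);             // e.g. 443
        char[] storePass = args[3].toCharArray();
        // default type is what keytool produced (JKS on Java 8 unless -storetype was given)
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath)) { ks.load(in, storePass); }
        System.out.println("Aliases in " + storePath + ": " + Collections.list(ks.aliases()));
        // PKIX trust manager backed by this store only, so the JVM's cacerts cannot mask a gap
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Record the presented chain before delegating to the real validation, so it is
        // still visible when validation throws (no certificate is ever trusted blindly).
        X509TrustManager recording = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                pkix.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] chain, String a) throws CertificateException {
                seen[0] = chain;
                pkix.checkServerTrusted(chain, a);
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");   // also verify the hostname
            sock.setSSLParameters(params);
            sock.startHandshake();
            System.out.println("OK: server chain validates against " + storePath);
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());     // e.g. PKIX path building failed
        }
        if (seen[0] != null) for (X509Certificate c : seen[0])   // leaf first; a missing
            System.out.println("  subject=" + c.getSubjectX500Principal() + "  issuer=" + c.getIssuerX500Principal());
    }
}
```

Running it with the same -Djavax.net.debug=all flag the answer describes shows the trustStore lines for this file, so the two checks can be compared directly.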