user2367636

Reputation: 69

SSL Error: unable to find valid certification path to requested target

I am trying to connect to a URL through my server that requires a certificate. I have imported my Client Authentication Certificate to {JAVA_HOME}/jre/bin/security/cacerts and I have also placed it in the keystore in Jboss/bin and jboss/server/conf/. I then restarted my server, and it is still giving me the following error.

Caused by: java.io.IOException: Could not transmit message
    at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:265)
    at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:71)
    at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:340)
    at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:290)
    ... 40 more
Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker after 1 attempt(s)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:249)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:161)
    at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:165)
    at org.jboss.remoting.Client.invoke(Client.java:1724)
    at org.jboss.remoting.Client.invoke(Client.java:629)
    at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:243)
    ... 43 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.getOutputStream(HTTPClientInvoker.java:1214)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:334)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:231)
    ... 48 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    ... 62 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 68 more

I want to ask: what can I do to fix it? Do I need to put another one of these in server.xml for this certificate:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
   scheme="https" secure="false" strategy="ms" address="${jboss.bind.address}"
   keystoreFile="${jboss.server.home.dir}/conf/.keystore"
   keystorePass="changeit" sslProtocol="TLS"
   truststoreFile="/usr/lib/jvm/java-6-sun-1.6.0.10/jre/lib/security/cacerts"
   truststorePass="*****"
   SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
   acceptAnyCert="true" clientAuth="want" />

Or am I making any other mistake?

Upvotes: 6

Views: 32784

Answers (4)

Prabjot Singh

Reputation: 4767

I was facing this issue because of the disabled TLSv1.2 protocol. I solved it by adding TLSv1.2 to the VM arguments. Below are the steps to enable the protocol:

You need to add this line to the VM arguments: -Dhttps.protocols=TLSv1.1,TLSv1.2

Go to the Servers tab in Eclipse >> double-click on WildFly >> Open launch configuration >> paste the above line at the end of the VM arguments.

Upvotes: 1

Katie

Reputation: 48298

I know you said you already imported the certificate, but take a look at these steps to see if you missed a step somewhere:

Here's an overall summary of how to import certificates to fix the following error:

Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to import certificates

  1. Go to URL in your browser, click on HTTPS certificate chain (little lock symbol next to URL address) to export the certificate
    • Click "more info" > "security" > "show certificate" > "details" > "export..".
    • Save as .der
    • Repeat for any certificates you need to import
  2. Locate $JAVA_HOME/jre/lib/security/cacerts
  3. Import all *.der files into the cacerts file using the following:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
    sudo keytool -import -alias mysiteprod -keystore  $JAVA_HOME/jre/lib/security/cacerts -file prod.der
    sudo keytool -import -alias mysitedev -keystore  $JAVA_HOME/jre/lib/security/cacerts -file dev.der
    
  4. The default keystore password is 'changeit'

  5. You can view the change that you made with this command that shows the Certificate fingerprint.

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  6. If this doesn't solve the problem, try adding these java options as arguments:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
    -Djavax.net.ssl.trustStorePassword="changeit"
    

Upvotes: 9

Rajarshi Goswami

Reputation: 356

If it is a client certificate, then you need to put it in your truststore; if it is a server certificate then it goes in your keystore. Also, in case your certificate has intermediate CA Certificates, you need to add them too.

Upvotes: -2

grep

Reputation: 5623

For SSL web service configuration we must follow these steps:

1) Insert CA certificates into a keystore; you can give this to the JVM, put it into the JRE security directory, or import them into the JRE default keystore.

2) Import the authentication certificate with a key into the keystore (it might be a Java keystore or another one). The keystore can be JKS too, not only PKCS12. I have tested it, and JKS works well too.

3) Tell the JVM that you need that keystore when starting JBoss. It can be something like this (in my case it looks like this):

> "-Dprogram.name=JBossTools: JBoss 4.0 CLONE OF ESS SERVER" -server
> -Xms256m -Xmx512m -XX:MaxPermSize=256m -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 "-Djava.endorsed.dirs=..\jboss-4.0.2\lib\endorsed"
> "-Djavax.net.ssl.keyStore=../Java/jdk1.6.0_45/jre/lib/security/cacerts"
> "-Djavax.net.ssl.keyStorePassword=changeit"

Also, certificates can be DER-encoded or Base64. This means that you might need to convert certificates with OpenSSL, etc. Another problem is that the conversion itself sometimes causes problems, so you can use such a script for easier and more flexible conversions.

Upvotes: 0
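
The answers above touch on intermediate CA certificates, certificate fingerprints, and DER versus Base64 encoding. As an added example (not code from any of the posts), this script builds a throwaway root, intermediate and leaf chain with OpenSSL and checks whether a DER-encoded leaf chains to a given set of trusted certificates. It assumes the server presents only its leaf certificate; OpenSSL's verifier stands in for Java's PKIX path builder, and every name here (`make_demo_pki`, `chain_ok`, `fingerprint`, `service.example.test`) is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI (throwaway keys in a temp dir): root -> intermediate -> leaf.

issue() {  # issue NAME CN ISSUER|self [extra "openssl x509" args]
  name=$1; cn=$2; issuer=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" || return 1
  if [ "$issuer" = self ]; then
    set -- -signkey "$name.key" "$@"
  else
    set -- -CA "$issuer.pem" -CAkey "$issuer.key" -CAcreateserial "$@"
  fi
  openssl x509 -req -in "$name.csr" -days 2 -out "$name.pem" "$@"
}

make_demo_pki() {  # prints the directory holding the generated files
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    issue root "Demo Root CA" self -extfile ca.ext &&
    issue inter "Demo Intermediate CA" root -extfile ca.ext &&
    issue leaf "service.example.test" inter &&
    # Browser exports are often DER; keep both encodings of the leaf.
    openssl x509 -in leaf.pem -outform DER -out leaf.der &&
    cat root.pem inter.pem > root_and_inter.pem
  ) >/dev/null 2>&1 || return 1
  echo "$dir"
}

# fingerprint FORM FILE: SHA-256 fingerprint, the value to compare before trusting a cert
fingerprint() { openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256; }

# chain_ok TRUSTED.pem LEAF.der: succeeds only if the leaf chains to a cert in TRUSTED.pem
chain_ok() {
  tmp=$(mktemp) || return 1
  openssl x509 -inform DER -in "$2" -out "$tmp" &&
    openssl verify -CAfile "$1" "$tmp" >/dev/null 2>&1
  rc=$?; rm -f "$tmp"; return $rc
}

demo=$(make_demo_pki) || { echo "openssl failed" >&2; exit 1; }
for trust in root.pem root_and_inter.pem; do
  if chain_ok "$demo/$trust" "$demo/leaf.der"; then r="path found"; else r="no valid path"; fi
  echo "trusted=$trust -> $r"
done
```

With only the root trusted, no path can be built to the leaf; adding the intermediate to the trusted set lets the path complete, and the fingerprint is identical for the DER and PEM encodings of the same certificate.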
