Reputation: 1894
I'm trying to load a page through SSL, and I'm getting this error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Of course, I researched it, and it has something to do with the certificate of the page not being included in the Java distribution I downloaded. Here's the certificate hierarchy for the site I'm loading:
The first one (global sign) is, of course, included in the system. But what is "Trusted Root CA SHA256 G2"? Firefox says it's signed by GlobalSign. Also, could ICPEdu be the missing certificate? If so, how do I add it to the list of trusted certificates inside my java code?
But wait a moment... Since GlobalSign is trusted, shouldn't every certificate below be trusted too?
As pointed out in the answer, here's the SSL debug:
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://secure.globalsign.com/cacert/icpedusha2g2.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp2.globalsign.com/icpedusha2g2
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 95 F0 A4 84 1A A7 5C 20 36 A6 C5 08 D7 65 42 02 ......\ 6....eB.
0010: E5 77 68 E3 .wh.
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.com/gs/icpedusha2g2.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 26 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 6C .&https://www.gl
0010: 6F 62 61 6C 73 69 67 6E 2E 63 6F 6D 2F 72 65 70 obalsign.com/rep
0020: 6F 73 69 74 6F 72 79 2F ository/
]] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: www.parthenon.biblioteca.unesp.br
DNSName: parthenon.biblioteca.unesp.br
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6D BE 57 72 E3 B5 BD A2 0E 16 E3 A9 2F 8B E7 87 m.Wr......../...
0010: F1 4B 27 75 .K'u
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 2D 83 5B 63 56 82 77 74 FB EF 40 C1 7A 88 9B 1B -.[cV.wt..@.z...
0010: 34 37 79 4E 28 A4 79 18 69 25 FE 52 90 B4 79 B7 47yN(.y.i%.R..y.
0020: 90 00 58 CE 21 E6 96 BC E7 5B C3 5D 41 38 51 5E ..X.!....[.]A8Q^
0030: B5 DA D2 EA F6 44 83 FA B7 A8 66 90 77 C9 96 3D .....D....f.w..=
0040: 72 AE 05 5C F2 19 AE 36 43 F6 A5 DF E2 E5 F8 50 r..\...6C......P
0050: D3 CC EF AE 79 29 19 F6 F8 63 C0 26 E9 0C FA 86 ....y)...c.&....
0060: 30 1D BF 00 69 C8 E9 B5 B6 16 BE 6B 5F 63 5B AD 0...i......k_c[.
0070: F5 B4 18 82 0C 53 ED 36 AB 38 61 8B 80 C9 8C 62 .....S.6.8a....b
0080: E6 20 E3 CB 5A 2A 91 C2 CA 6A BE 31 B6 CB 65 57 . ..Z*...j.1..eW
0090: 33 47 43 9A B4 33 5B 45 D9 5E ED C6 7C 2B 0D B3 3GC..3[E.^...+..
00A0: E6 4C 5F 85 EF D0 BE CD 02 1B 6B C1 06 2F 7B F6 .L_.......k../..
00B0: C0 B7 C4 68 F1 F6 92 2B A4 B6 85 08 32 7C 8D 9F ...h...+....2...
00C0: 34 7D 08 5B B4 05 51 C8 E6 C4 29 86 04 32 FA 2B 4..[..Q...)..2.+
00D0: 18 42 56 43 88 DB EE 32 5F CE 8D 88 5E 91 C1 72 .BVC...2_...^..r
00E0: CB 0F FE F3 CA 55 D3 A4 40 57 E0 13 03 3F C9 16 .....U..@W...?..
00F0: 1F FC 31 28 CB 68 06 9F 0F 3A D2 3A 91 65 B2 D8 ..1(.h...:.:.e..
]
***
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Upvotes: 1
Views: 2441
Reputation: 5819
The server www.parthenon.biblioteca.unesp.br is not sending its intermediate certificates in the handshake.
The server admin can correct this by supplying the missing intermediate certificates in the server config.
Upvotes: 2
Reputation: 46
I think the best thing for you would be to take a look at exactly what is sent from the server to the client. You can get the certificate chain sent to the browser and parse it using OpenSSL or, better yet, through online parsers like: http://developerutils.com/X509CertificateDecoder.php
And you can add to the server logging options: -Djavax.net.debug=ssl,handshake to see the entire handshake process.
This should help you figure out exactly what's going on.
Regarding the chain itself: if a chain is sent and the root of the chain is in the list of trusted CAs, the rest of the chain is trusted - unless one of the certificates in the chain is revoked or expired.
Upvotes: 0
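Added example, not code from any of the posts above: it reproduces, offline, both the failure the second answer describes (root trusted, intermediate not sent, so no path can be built) and the "look at exactly what the server sends" check the third answer suggests. It builds a throwaway three-level PKI with the openssl CLI (root, intermediate, leaf, mirroring GlobalSign, ICPEdu, server certificate) and then runs `openssl verify` with and without the intermediate. It assumes an openssl CLI (1.1.1 or 3.x) on PATH; the CA names and the hostname www.example.test are made up.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumes an openssl CLI (1.1.1 or 3.x) on PATH. All names are made up.
set -u
WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so 'openssl req' does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Generate root -> intermediate -> leaf. Returns non-zero if any step fails.
make_pki() {
  openssl req -x509 -config "$CNF" -extensions v3_root -newkey rsa:2048 -nodes \
    -sha256 -days 3 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$CNF" -extensions v3_inter \
    -out "$WORK/inter.pem" >/dev/null 2>&1 || return 1
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$CNF" -extensions v3_leaf \
    -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
}

# path_status LEAF CAFILE [UNTRUSTED]: "ok" when openssl can chain LEAF to a
# root in CAFILE, "incomplete" when an issuer is missing (the openssl
# counterpart of Java's "unable to find valid certification path").
path_status() {
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
  fi
  case "$out" in
    *"unable to get local issuer certificate"*) echo "incomplete" ;;
    *": OK"*) echo "ok" ;;
    *) echo "other: $out" ;;
  esac
}

# cert_count BUNDLE: number of certificates a server would send; 1 for a leaf
# issued by an intermediate is exactly the misconfiguration in the thread.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# chain_report BUNDLE: subject/issuer of each cert in the order sent, the same
# check you do by eye on 'openssl s_client -connect host:443 -showcerts' output.
chain_report() {
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/sent." n ".pem")}' "$1"
  for f in "$WORK"/sent.*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer
  done
  rm -f "$WORK"/sent.*.pem
}

make_pki || { echo "openssl PKI setup failed" >&2; exit 1; }
cat "$WORK/leaf.pem" > "$WORK/sent-leaf-only.pem"               # what a misconfigured server sends
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/sent-full.pem"  # what it should send

echo "== leaf only, root trusted: $(path_status "$WORK/leaf.pem" "$WORK/root.pem")"
chain_report "$WORK/sent-leaf-only.pem"
echo "== leaf + intermediate:     $(path_status "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/inter.pem")"
chain_report "$WORK/sent-full.pem"
```

The first `path_status` call is the situation in the question: the trust store holds the root, the server hands over only the leaf, and the issuer of the leaf (the intermediate) is nowhere to be found, so the validator gives up. The second call is what a correctly configured server achieves by sending leaf plus intermediate in the handshake; the fix is to concatenate the intermediate after the leaf in whatever file the server presents. Importing the intermediate into the client's Java truststore also makes the path buildable, but that only works around the server's misconfiguration for that one client. Against a live host, replace the constructed bundle with the output of `openssl s_client -connect host:443 -servername host -showcerts`.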