Alex Cauthen

Reputation: 517

PKIX path build error: Not sure I'm creating keystore correctly

I'm getting the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.towerdata.api.personalization.TowerDataApi.getJsonResponse(TowerDataApi.java:246)
    at com.towerdata.api.personalization.TowerDataApi.queryByEmail(TowerDataApi.java:101)
    at EmailActivityMetricsRequestor.requestTowerData(EmailActivityMetricsRequestor.java:57)
    at EmailActivityMetricsRequestor.Requestor(EmailActivityMetricsRequestor.java:44)
    at Main.main(Main.java:21)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 23 more

I have done the following:

When I get the details on the security of the website I'm making requests to, 3 certs come up: the root CA, an intermediate, and a 3rd. Do I need all of those certs to make a valid keystore? If so, how do I do that? I used the following command to make a keystore for the root CA, but that hasn't fixed my issue.

.\keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias alex -file C:\Users\Alex.cauthen\Documents\CA1.cer

EDIT: Also, I'm calling this server's API, meaning I call a method and it makes a request for me. I contacted their support team and they said no one runs into this issue. I don't know if that information is helpful.

javax.net.debug=ssl output for when unsuccessful:

%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()

Output for when it is randomly successful:

*** Finished
verify_data:  { 0, 221, 45, 195, 129, 216, 158, 173, 83, 221, 170, 52 }

%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data, length = 264
main, READ: TLSv1.2 Application Data, length = 241

Upvotes: 0

Views: 7592

Answers (2)

Alex Cauthen

Reputation: 517

So I made a very silly error. I did not specify the correct path to cacerts in the command line, so it was creating a folder cacerts in the current directory rather than in the security folder.

Upvotes: 1

user207421

Reputation: 310868

You only need to import the root CA certificate, and the command line you're using is correct. So it must be that you're not actually using that file as the trust store. You need to either set the javax.net.ssl.trustStore property to its location or initialize an SSLContext with a TrustManager that it has been loaded into, and proceed from there.

Upvotes: 2
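The SSLContext route described in the answer above, as an added example that is not code from the question or either answer. It loads the trust store from an explicit path, checks that the alias imported with keytool is actually present (which would have caught the wrong-path mistake from the accepted answer), and wires the resulting TrustManager into an HttpsURLConnection. The alias "alex" and the password "changeit" come from the question's keytool command; the URL is a placeholder, and the JDK path is an assumption for JDK 8 layouts.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ExplicitTrustStore {

    // Load the trust store from the file keytool actually wrote. The default
    // type (jks on JDK 8, pkcs12 later) reads the JDK's cacerts in either
    // format because keystore.type.compat is on by default.
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    // Sanity check: is the CA you imported really in the store you are using?
    static boolean containsTrustedCert(KeyStore ks, String alias) throws Exception {
        return ks.isCertificateEntry(alias);
    }

    // Build an SSLContext whose only trust anchors are the entries in trustStore.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // PKIX
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed JDK 8 layout; a bare "cacerts" on the keytool command line is NOT this file.
        Path store = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = loadTrustStore(store, "changeit".toCharArray());
        if (!containsTrustedCert(ks, "alex")) {
            throw new IllegalStateException("alias 'alex' not found in " + store
                + "; keytool probably wrote to a different file");
        }
        HttpsURLConnection conn = (HttpsURLConnection)
            new URL("https://api.example.invalid/").openConnection(); // placeholder URL
        conn.setSSLSocketFactory(contextFor(ks).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The system-property alternative from the answer needs no code: start the JVM with -Djavax.net.ssl.trustStore=<path> and -Djavax.net.ssl.trustStorePassword=changeit, and the default SSLContext will use that file for every connection.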
