Reputation: 10584
No X509TrustManager Implementation available
I am invoking an AWS API, I keep running into following error
Exception in thread "main" com.amazonaws.AmazonClientException: Unable to execute HTTP request: java.security.cert.CertificateException: No X509TrustManager implementation available
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:709)
at com.amazonaws.http.AmazonHttpClient.doExecute(AmazonHttpClient.java:449)
at com.amazonaws.http.AmazonHttpClient.executeWithTimer(AmazonHttpClient.java:411)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:360)
at com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:2723)
at com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:2693)
at com.amazonaws.services.kms.AWSKMSClient.generateDataKey(AWSKMSClient.java:1488)
at com.infor.aws.KMSTest.createDEK(KMSTest.java:217)
at com.infor.aws.KMSTest.main(KMSTest.java:144)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:132)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
at com.amazonaws.http.conn.$Proxy2.connect(Unknown Source)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:854)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:697)
... 8 more
Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
at sun.security.ssl.DummyX509TrustManager.checkServerTrusted(SSLContextImpl.java:1119)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 35 more
I have gone through multiple threads here on Stackoverflow and added all the required truststore, truststoretype system properties. This thread I have tried. But nothing is working. Has anyone come across this ? I am invoking it like below
TrustManagerFactory tmf = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore ks = KeyStore.getInstance("BCFKS");
ks.load(new FileInputStream("<jre-home>\\\\lib\\\\security\\\\cacerts"), "changeit".toCharArray());
tmf.init(ks);
// Get hold of the trust manager
X509TrustManager x509Tm = null;
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
x509Tm = (X509TrustManager) tm;
break;
}
}
Upvotes: 16
Views: 33626
Answers (4)
Reputation: 19110
I was having this problem when my application was trying to do a HTTPS connection with AWS SQS.
The reason of the issue was a customization in the startup script of the application, that was changing the trustStore values:
-Djavax.net.ssl.trustStoreProvider=<PROVIDER>
-Djavax.net.ssl.trustStoreType=<TYPE>
In my case, I just commented the customized values, so Java could use the default values.
Upvotes: 0
Reputation: 1027
In my case, I was invoking a SOAP service that needed SSL authentication before my truststore was built. So the service call didn't have a certificate or at least a fully formed one and that caused the service invocation to fail with this error.
When I moved the spring initialization first, then trust store building, and finally service call, that fixed it. To create a certificate, you can do the following:
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(null, null);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
FileInputStream fis = null;
FileOutputStream fos = null;
fis = new FileInputStream(<your cert file>);
X509Certificate certificate = (X509Certificate)cf.generateCertificate(fis);
fis.close();
trustStore.setCertificateEntry(<cert name/alias>, certificate);
fos = new FileOutputStream(<path of the file to write to>);
// "changeit" is the default password that is used.
trustStore.store(fos, "changeit".toCharArray());
fos.close();
If it is PKCS12 that you want, replace it in the place of JKS.
Upvotes: 0
Reputation: 41
After debuggging for several hours, it turned out to be a corrupted keystore in my case. Check if you can list the contents of the keystore using the keytool command.
Upvotes: 4
Reputation: 10584
This was resolved when we moved the AWS-client initialization to a place after setting the trust store password. In my code, I was creating AWS-Client too early.
Upvotes: 1
Related Questions
- AWS Java SDK SSL Certificates
- java.security.NoSuchAlgorithmException: X509 KeyManagerFactory not available
- X509TrustManager checkServerTrusted with TLSv1.3
- Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available in java(spring)
- Implementing X509TrustManager
- Truststore in AWS IoT java client?
- Restore SSL X509TrustManager in Java
- Keep getting No X509TrustManager implementation available error when trying to connect to web socket server
- Cannot find javax.crypto
- "SunX509 TrustManagerFactory not available" on AIX (SSL webservice client)