Jorge Campins

Reputation: 495

Google reCAPTCHA required certificate missing in GlassFish 5.1

I have a web application that uses Google reCAPTCHA V2. It works fine in GlassFish 5.0 with JDK 1.8.0_144 and also in WildFly 14 with JDK 1.8.0_231. I deployed it to a GlassFish 5.1 server with JDK 1.8.0_231. Site verification fails with the following exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I understand that a required certificate is missing. That certificate is present in the cacerts.jks file of 5.0 but missing in 5.1. Listing their content with keytool, I could see that the cacerts.jks file of version 5.0 has 76 certificates, while the file of version 5.1 has only 2 (glassfish-instance and s1as). Replacing the cacerts.jks file of 5.1 with the file of 5.0, my application works just fine in 5.1.

I couldn't find any information about a required certificate in Google reCAPTCHA's web page. How do I identify and get the required certificate?

Upvotes: 1

Views: 2966

Answers (1)

Jorge Campins

Reputation: 495

I've found a solution. This is it:

  1. Open https://www.google.com/recaptcha/api/siteverify using the Chrome browser.
  2. Click the black padlock located before the address.
  3. Click Certificate.
  4. Select the Details tab and then click the Copy to File... button; save the certificate to a .cer file. For instance, recaptcha.cer.
  5. Import the .cer file into glassfish/domains/domain1/config/cacerts.jks using keytool. This is the command line: keytool -import -file recaptcha.cer -alias recaptcha -keystore GLASSFISH_HOME/glassfish/domains/domain1/config/cacerts.jks -storepass changeit. The keytool.exe file is located at JAVA_HOME/bin.
  6. Restart GlassFish.

I hope this helps another fellow programmer with no certificate experience.

Warning: the certificate is only valid for about 3 months; the one I got is valid until next January 2. It seems that this procedure will have to be repeated periodically.

EDIT 11/13/2019: This solution worked only for a few days, although the certificate claims to be valid until January. I obtained another certificate and repeated the procedure, but this time it did not work. So I really haven't found a solution yet.

Upvotes: 1
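
The question reports that the 5.1 cacerts.jks holds only glassfish-instance and s1as, so an alternative to importing the server's own short-lived certificate is to add root CA certificates to the domain truststore. The following is an added example, not code from the original post or from GlassFish: it copies the currently valid trusted certificates from a JDK cacerts file into a copy of the domain's cacerts.jks. It assumes the JDK store contains the root that Google's chain leads to; the class name and the `.merged` output suffix are choices made here.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;

// Added example (not from the original post): merge the JDK's root CAs into a
// GlassFish domain truststore so validation anchors on roots, not a leaf.
public class MergeTrustAnchors {

    // Load a JKS truststore, verifying its integrity with the store password.
    static KeyStore load(Path file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, pass); }
        return ks;
    }

    // Copy each currently valid trusted certificate that dst lacks; return subjects added.
    static List<String> addMissing(KeyStore src, KeyStore dst) throws Exception {
        List<String> added = new ArrayList<>();
        for (String alias : Collections.list(src.aliases())) {
            if (!src.isCertificateEntry(alias)) continue;       // skip private-key entries
            if (!(src.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) src.getCertificate(alias);
            try { cert.checkValidity(); }                        // skip expired / not yet valid
            catch (CertificateException e) { continue; }
            if (dst.getCertificateAlias(cert) != null) continue; // already trusted
            String target = alias;
            while (dst.containsAlias(target)) target += "-jdk"; // never overwrite s1as etc.
            dst.setCertificateEntry(target, cert);
            added.add(cert.getSubjectX500Principal().getName());
        }
        return added;
    }

    // Usage: java MergeTrustAnchors <jdk-cacerts> <jdk-pass> <domain-cacerts.jks> <domain-pass>
    public static void main(String[] args) throws Exception {
        KeyStore jdk = load(Paths.get(args[0]), args[1].toCharArray());
        KeyStore domain = load(Paths.get(args[2]), args[3].toCharArray());
        List<String> added = addMissing(jdk, domain);
        added.forEach(s -> System.out.println("added: " + s));
        Path out = Paths.get(args[2] + ".merged");              // original file is left untouched
        try (OutputStream os = Files.newOutputStream(out)) {
            domain.store(os, args[3].toCharArray());
        }
        System.out.println(added.size() + " certificates added; wrote " + out);
    }
}
```

Review the printed subjects before swapping the `.merged` file in for cacerts.jks and restarting GlassFish, since every certificate added becomes a trust anchor for all outbound TLS connections from that domain.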
