Mark Miller

Reputation: 3096

unable to find valid certification path to requested target (when loading RDF from URL)

I am trying to load some triples from URLs into GraphDB 9.1.1. I have done that in the past without any problem, using the web-based Workbench, or via the rest/data/import/upload/<repository>/url endpoint.

An example URL is https://bitbucket.org/uamsdbmi/dron/raw/master/dron-full.owl

When I tried loading triples today, I got

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have GraphDB 9.5.0 running on my laptop and can load triples from URLs there. I may not necessarily have implemented all of the same security measures that my scientific computing department uses on their servers.

Partially in response to the answer from A'B, the enterprise server is using

java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 1.8.0_144-b01)
Java HotSpot(TM) 64-Bit Server VM (build 25.144-b01, mixed mode)

and my laptop is using

openjdk version "1.8.0_265"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_265-b01)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.265-b01, mixed mode)

Upvotes: 0

Views: 10967

Answers (2)

Mark Miller

Reputation: 3096

Our scientific computing servers do some proxying/filtering/redirection of unrecognized URLs, so there was indeed a mismatch between the certificate associated with the local proxy server and the certificate provided by the download's source (bitbucket.com).

Upvotes: 0

A'B

Reputation: 535

sun.security.provider.certpath.SunCertPathBuilderException errors are usually caused by missing intermediate SSL certificates: you may want to cross-check your URLs using https://www.ssllabs.com/ssltest/analyze.html.

If that is actually the case, your options are:

  1. enable automatic intermediate certificate download by setting the following JVM option (see https://security.stackexchange.com/a/168061):
    -Dcom.sun.security.enableAIAcaIssuers=true
  2. manually download missing public certificates and add them to the keystore using keytool along the following lines (copied from old notes, your mileage may vary…), making sure to target the JRE installation used by GraphDB:
     sudo $JAVA_HOME/bin/keytool \
        -import -alias "{your alias here}" -file {public certificate here}.crt \
        -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

Upvotes: 1
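
Added example, not part of either answer above: a way to tell the two causes discussed on this page apart (a re-signing proxy versus a server that omits its intermediate) by comparing the certificate chain a working host sees with the one the failing host sees. The two captures are constructed samples with made-up names, and `chain_rows` and `diagnose` are hypothetical helper names.

```bash
# Constructed sample captures (all names are made up); real input is the text
# printed by: openssl s_client -connect HOST:443 -servername HOST -showcerts
GOOD_CAPTURE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = repo.example.org
   i:C = US, O = Example Public CA, CN = Example Public Issuing CA
 1 s:C = US, O = Example Public CA, CN = Example Public Issuing CA
   i:C = US, O = Example Public CA, CN = Example Public Root
---
Server certificate'

PROXY_CAPTURE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = repo.example.org
   i:O = Example Corp, CN = Example Corp Web Proxy CA
---
Server certificate'

# Print "subject<TAB>issuer" for each certificate in the "Certificate chain" block.
chain_rows() {
  awk '/^Certificate chain/  { on = 1; next }
       /^Server certificate/ { on = 0 }
       on && /^ *[0-9]+ s:/  { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
       on && /^ +i:/         { sub(/^ +i:/, ""); print subj "\t" $0 }'
}

# $1 = capture from a host that works, $2 = capture from the failing host.
diagnose() {
  good_issuer=$(printf '%s\n' "$1" | chain_rows | head -n 1 | cut -f 2)
  bad_rows=$(printf '%s\n' "$2" | chain_rows)
  bad_issuer=$(printf '%s\n' "$bad_rows" | head -n 1 | cut -f 2)
  bad_count=$(printf '%s\n' "$bad_rows" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$bad_issuer" != "$good_issuer" ]; then
    # A different issuer for the same hostname means something re-signed the leaf.
    echo "intercepted: leaf issued by '$bad_issuer'"
  elif [ "$bad_count" -eq 1 ]; then
    # Only the leaf arrived, so path building depends on the JVM already
    # holding the intermediate.
    echo "leaf-only: no intermediate sent for '$bad_issuer'"
  else
    echo "same-chain: compare the two JVM trust stores instead"
  fi
}

diagnose "$GOOD_CAPTURE" "$PROXY_CAPTURE"
```

In the intercepted case, the certificate to import with keytool is the proxy's own CA certificate, obtained from whoever operates the proxy, not anything served by the origin site.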
