Reputation: 455
I have an HTTP client in Java where I am getting an SSLHandshakeException with a message of "PKIX path building failed [classname] unable to find valid certification path to requested target".
I searched but all suggestions seem to be that the root CA is not in the truststore. Except that... I tried to add the root certificate to the truststore and keytool said "Certificate already exists in system-wide CA keystore under alias" with the alias name.
And I got the certificate to try this by going to the site I am trying to hit in a browser (Chrome - but no browsers are complaining of any problems) and I exported the root certificate in the chain. Which I then tried to import with results above (I aborted the import at that time).
I'm not sure how to fix this at this point.
I note that the certificate chain in the browser shows a second certificate for the CA (so CA certificate 1 -> CA certificate 2 -> target certificate) and I guess I can try and import that one, but I feel I am shooting in the dark here.
Is there something else I am missing?
Upvotes: 4
Views: 2526
Reputation: 98559
In order for a certificate to be considered valid, you must have a complete path from it to a trusted root certificate.
Generally this is accomplished by the server delivering all necessary certs to the client. However, some web servers do not do this, instead only providing their own certificate.
It seems likely that you have encountered such a misconfigured server. Try importing the intermediary certificate into your local trust store, so that the client will be able to build a complete chain from the server cert to the trusted root. Remember also the -trustcacerts option.
Upvotes: 1