PKIX path building failed: unable to find valid certification path to requested target

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to fix the “PKIX path building failed” error

Make sure the required CA certificates have been imported into the correct truststore (the cacerts file). A missing trusted CA certificate is a common reason for this error.

What is cacerts file?

The cacerts file is a truststore: a collection of trusted certificate authority (CA) certificates used to authenticate peers.

By default the cacerts file is located in jre/lib/security/cacerts, and the default password is ‘changeit’. In your case the cacerts file may be in another location (or may have been renamed); this also depends on the OS and Java version. Either way, we need to determine the cacerts location.

How to find out which truststore your JVM is using?

The easiest way to find the truststore file name and location is to enable SSL debugging.

 

How to enable SSL debugging for a Java program that makes SSL connections

You can pass -Djavax.net.debug=ssl as a Java argument when starting the Java client application. In this example I used SSLPoke, which takes a host name and a port.

java -Djavax.net.debug=ssl -Djava.security.debug=access:stack SSLPoke google.com 443

The output will include a line like this:

trustStore is: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/jssecacerts

So in my case the truststore file name is jssecacerts and its location is /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/

Download/export the CA certificate and import it into the truststore file

If your trusted CA certificate is missing, you need to add the CA certificate to the truststore file that is used by the JVM. You can get the CA certificate by downloading it with the Mozilla Firefox browser.

To download/export the root CA, open the “Details” tab of the Certificate Viewer, choose the certificate you need to export, and choose the “X.509 Certificate (DER)” type to export a file with a .der extension.

Next, import the .der certificate file into the truststore file:

keytool -import -alias example -keystore /path/to/cacerts -file GlobalSignRootCA-R2.der

(I used GlobalSignRootCA-R2.der as an example.)

You will be prompted for a password; use ‘changeit’.

Now restart the JVM and test again. The “PKIX path building failed” problem should be fixed.
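
Importing a CA certificate makes the JVM trust every certificate that CA issues, so it is worth confirming that the exported .der file is the one you intended before running the keytool import above. The script below is an added example, not part of the original post: it compares the file's SHA-256 fingerprint with a value you obtained from the CA, and its function names, sample keytool output and sample fingerprint are constructed; it assumes a keytool that prints a `SHA256:` fingerprint line.

```shell
#!/bin/sh
# Added example (not from the original post): check a CA certificate's SHA-256
# fingerprint against a value obtained from the CA before importing it.

# Normalize a fingerprint: strip colons/whitespace and uppercase the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `keytool -printcert` output on stdin and print its SHA-256 fingerprint.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Succeed only if the fingerprint in keytool output ($1) equals the expected one ($2).
fp_matches() {
    actual=$(printf '%s\n' "$1" | extract_sha256)
    [ -n "$actual" ] && [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# $1 = certificate file, $2 = expected fingerprint, $3 = truststore, $4 = alias
verified_import() {
    out=$(keytool -printcert -file "$1") || return 2
    if ! fp_matches "$out" "$2"; then
        echo "fingerprint mismatch or not found, not importing $1" >&2
        return 1
    fi
    # Same import command as in the post; keytool prompts for the store password.
    keytool -import -alias "$4" -keystore "$3" -file "$1"
}

# Constructed sample of `keytool -printcert` output (not a real certificate).
SAMPLE_PRINTCERT='Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Signature algorithm name: SHA256withRSA'
# Constructed expected value, in the colon-free lowercase form a website might show.
SAMPLE_EXPECTED='00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'

# Usage: sh verified-import.sh <cert.der> <expected-sha256> <truststore> <alias>
if [ "$#" -eq 4 ]; then
    verified_import "$@"
fi
```

A mismatch, or keytool output without a SHA-256 line, stops the script before the truststore is touched.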
