
java – SSLHandshakeException: PKIX path building failed-Exceptionshub

Posted by: admin February 25, 2020

Questions:

I’ve been trying to debug this error with no luck.

Essentially I’m contacting an external app through my app. The connection is established fine, the app contacts back my app through a callback URL, then I need to send a final validation to the external app.
This last step is failing because of an SSLHandshakeException.

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

I’ve had a look at the possible causes, and created a truststore with the external app cert in it following these steps:

  • download the cert chain from the browser
  • creating the truststore with

keytool -import -v -trustcacerts -alias mycert -file x_my_cert_location_x -keystore truststore

  • adding the above truststore in my setenv file
  • restart my tomcat instance.

This has not resolved the problem.

I also added the cert to the cacert file, and the same to the connector in the server.xml file as follows:

<Connector port="${catalina.port.https}" server="Apache" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           connectionTimeout="20000"
           compression="on"
           compressionMinSize="200"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml"
           enableLookups="false"
           URIEncoding="UTF-8"
           keystoreFile="my_store_location" keystorePass="myPwd"/>

Debugging in the SSL, I can see:

> %% Invalidated: [Session-15, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> http-nio-8080-exec-9, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
> http-nio-8080-exec-9, WRITE: TLSv1.2 Alert, length = 2
> [Raw write]: length = 7
> 0000: 15 03 03 00 02 02 2E .......
> http-nio-8080-exec-9, called closeSocket()
> http-nio-8080-exec-9, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Which makes no real sense to me. My app is on java 1.8.242. Any advice on this please?
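
A check for the truststore steps described in the question above, as an added example that is not part of the original post: it prints which trust store the JVM resolves for outbound TLS connections and whether a given certificate file is among its trusted issuers. The class name `TrustStoreCheck` and its command-line argument are assumptions made for this example; run it with the same JVM and the same `-D` options that the setenv file passes to Tomcat.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class name, not from the original post).
public class TrustStoreCheck {

    // Trust anchors JSSE uses by default when this JVM acts as a TLS client.
    static X509Certificate[] defaultIssuers() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null = the store named by javax.net.ssl.trustStore, else the JRE default store
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home                = " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = "
            + System.getProperty("javax.net.ssl.trustStore"));
        X509Certificate[] issuers = defaultIssuers();
        System.out.println("trusted issuers loaded   = " + issuers.length);
        if (args.length == 0) {
            return; // no certificate file given: only report the configuration
        }
        // args[0]: the certificate file imported with keytool (PEM or DER, first cert only).
        X509Certificate wanted;
        try (InputStream in = new FileInputStream(args[0])) {
            wanted = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Certificate.equals compares the encoded bytes, so this is an exact match.
        boolean present = Arrays.asList(issuers).contains(wanted);
        System.out.println(wanted.getSubjectX500Principal() + " -> "
            + (present ? "present in the default trust store" : "NOT in the default trust store"));
    }
}
```

The `keystoreFile` attribute on a Tomcat `<Connector>` sets the certificate Tomcat presents to inbound clients, so it has no effect on what this check reports. A `javax.net.ssl.trustStore` value of `null`, or a `java.home` different from the one whose store was edited, means the imported certificate is not in the store this JVM consults.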

How to&Answers: