Java error unable to find valid certification path to requested target

How To Fix: PKIX Path Building Failed (Validation) : sun.security.validator.ValidatorException

How To Fix Error : sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

You may get the “PKIX path building failed” validation error when working on a client that talks to an SSL-enabled server over HTTPS. This article focuses on detecting the root cause of the error and on how to fix the issue.
There are other similar issues related to SSL certificates. One of the common situations is a missing certificate in the trust store. In that case you may see the following error message.

Caused by: java.security.cert.CertificateException: No name matching localhost found
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:210)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)

The first part of the error, “javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:”, indicates the type of error, and the second part, “sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”, indicates what exactly went wrong.
Before diving into the cause and solution let us get some general knowledge 🙂

What is PKIX?

PKIX stands for Public-Key Infrastructure X.509. It is a set of public key infrastructure standards based on X.509. X.509 is an ITU-T cryptography standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). See the references for more details on the PKIX (Public-Key Infrastructure X.509) Working Group (PKIX-WG).

PKIX path building failed : sun.security.validator.ValidatorException

This error is one of the many SSL-related errors you may experience when you start developing applications that communicate securely. It happens during one of the SSL handshake phases. The exception is of type javax.net.ssl.SSLHandshakeException, which indicates that the client and server could not negotiate the desired level of security. The connection is no longer usable.
The complete exception message is below:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to Detect PKIX Path Building Failed Error?

Even though this is a common exception when connecting to a service over HTTPS, identifying the exact problem without a proper debugging configuration is difficult. Unless you enable the SSL handshake debug mode (Java VM parameter -Djavax.net.debug=ssl:handshake), you will not be able to identify the root cause. Without SSL debug enabled you will most likely see the following error.

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)

The above message is more generic and in most cases will not give you the root cause of the issue. Once you enable SSL handshake debug mode you will see the following exception trace:

http-localhost/127.0.0.1:8443-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-localhost/127.0.0.1:8443-1, WRITE: TLSv1 Alert, length = 2
http-localhost/127.0.0.1:8443-1, called closeSocket()
http-localhost/127.0.0.1:8443-1, javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
http-localhost/127.0.0.1:8443-1, called close()
http-localhost/127.0.0.1:8443-1, called closeInternal(true)

The above error indicates a missing trusted certificate in the trusted Java store. In other cases, where you already have the certificate but there is a problem with its validity, you may see the following error (“timestamp check failed”).

handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.

We will be addressing the first scenario in which there is no certificate available (certificate_unknown).

Unable to Find Valid Certification Path to Requested Target: Possible Reason For The Error

If we look at the phase of the SSL handshake we’re in, we can see that we’ve already sent our client certificate and are finishing up the handshake when we receive this error.

2015-02-04 21:59:33,002 INFO [stdout] (http-localhost/127.0.0.1:8443-2) - - *** ServerHelloDone
http-localhost/127.0.0.1:8443-2, WRITE: TLSv1 Handshake, length = 865
http-localhost/127.0.0.1:8443-1, READ: TLSv1 Handshake, length = 865
*** ServerHello, TLSv1
RandomCookie: GMT: 1406265764 bytes = < 30, 87, 196, 168, 159, 159, 7, 254, 62, 168, 199, 80, 108, 117, 48, 3, 113, 72, 1, 226, 31, 195, 238, 86, 88, 192, 96, 94 >
Session ID:
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection:
***
%% Created: [Session-9, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
Version: V3
Subject: CN=************************************
Signature Algorithm: SHA1withRSA, OID = *********************
Key: Sun RSA public key, 2048 bits
.
.
***
SEND TLSv1 ALERT: fatal, description = certificate_unknown
WRITE: TLSv1 Alert, length = 2
READ: TLSv1 Alert, length = 2
called closeSocket()
RECV TLSv1 ALERT: fatal, certificate_unknown
called closeSocket()
handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The above error stack trace is actually helpful. It says “unable to find valid certification path to requested target”. This means that the server certificate is not issued by a certification authority, but is self-signed or issued by a private CMS. If the certificate is issued by a trusted authority (VeriSign etc.), the error will not happen.

Fix for PKIX path building failed Error: sun.security.provider.certpath.SunCertPathBuilderException

All you need to do to fix this error is to add the server certificate to your trusted Java key store. First, you need to download the certificate from the server.

To download: access the URL of the service from any browser. You will get a certificate-related warning message. Click on View certificate and then Install certificate. You can export the certificate from the browser to some location on the hard drive (in IE go to Tools -> ‘Internet Options’ -> Content -> Certificates).

Once you have the certificate on your hard drive, you can import it into the Java trust store. To import the certificate into the trusted Java key store, you can use the Java ‘keytool’ tool.
Use the keytool command as follows to import the certificate into the JRE.

keytool -import -alias _alias_name_ -keystore ..\lib\security\cacerts -file _path_to_cer_file

It will ask for a password. By default the password is “changeit”. If the password is different you may not be able to import the certificate.
Note: You can also use the installcert java program from here.
Once completed restart/re-run your client application. You will be able to see successful SSL handshakes.

References:

SunCertPathBuilderException: Unable to Find Valid Certification Path to Requested Target Error in Java

  1. What Is the sun.security.provider.certpath.SunCertPathBuilderException in Java
  2. Causes of sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  3. Solution of sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Today’s post will discuss potential reasons for the “unable to find valid certification path to requested target” error and its solution in Java.

But before we continue, you need a clear understanding of SSL encryption and certificates.

SSL encryption and Certificates: an HTTPS connection cannot function properly without an SSL certificate. Through the use of a set of public and private keys, it substantiates the claimed identity of the service or website.

The private key encrypts or signs everything that is delivered by the domain, and the client apps validate the identification by utilizing the public keys.

What Is the sun.security.provider.certpath.SunCertPathBuilderException in Java

The sun.security.provider.certpath.SunCertPathBuilderException is a class for handling exceptions in Java that checks the server’s SSL certificates that the Java program is attempting to connect to. This class was named after the provider that created the certificates.

The following is the error message shown to the developer when they encounter this issue.

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

It can be thrown during any action involving visiting an encrypted service using SSL.

SSL-protected APIs and websites are checked for trustworthiness by the Java framework before they can be accessed. This is accomplished by examining its internal trusted list to see whether the root certificate authority that signed the certificate is in there.

Java throws this error if it can’t discover any reference to the service. Using a self-signed certificate to access a service signed by someone else’s digital signature will always fail.

Causes of sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The only way Java will be able to connect to another program via SSL (HTTPS, etc.) is if it can trust it. In the Java world there is a truststore, usually $JAVA_HOME/lib/security/cacerts, where you store your trusted certificates.

This exception is triggered by a self-signed certificate or a certificate chain that does not exist in the Java trust store. Java refuses to connect to the application because it does not trust the certificate.

Solution of sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To begin, determine whether the issue stems from the certificate or the network. To verify this, open the URL in Google Chrome or your preferred browser and see whether it works.

If the URL works in the browser, an invalid certificate setting on the application client must be the source of the exception. If the browser cannot access it, there may be a firewall or network settings issue.

Once you have determined that the problem lies in the certificate settings, get the server’s SSL certificate. This might be the root certificate in the simplest of circumstances, but in most cases, a certificate chain and intermediate certificate authority are required.

Open your browser and click on the lock in the upper left corner.

Then click on Connection is secure.

Finally, you will see the site’s status if it is valid.

Select the lock symbol next to the URL bar, then click Connection is secure > Certificate is valid.

Click on the Details section and export the certificate by clicking the Copy to File button.

Export DER encoded binaries.

Choose the directory where you want to save the file and name it.

When you click Finish, you’ll see the message The export was successful.

Start a trust store entry with the new certificate. The keytool utility can be used to do this.

Execute the following command to create a new trust store.

keytool -import -file C:\cascerts\firstCA.cert -alias firstCA -Keystore myTrustStore 
