debugjavaCritical
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
Viewed 0 times
netjavaxerrorpkixresolvingsslhandshakeexceptionbuildingsunsslvalidatorexception
Problem
Edit : I tried to format the question and accepted answer in more presentable way at my blog.
Here is the original issue.
I am getting this error:
detailed message sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
cause javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I am using Tomcat 6 as webserver. I have two HTTPS web applications installed on different Tomcats on different ports but on the same machine. Say App1 (port 8443) and App2 (port 443). App1 connects to App2. When App1 connects to App2 I get the above error. I know this is a very common error so came across many solutions on different forums and sites. I have the below entry in
Every site says the same reason that certificate given by app2 is not in the trusted store of app1 jvm. This seems to be true also when I tried to hit the same URL in IE browser, it works (with warming, There is a problem with this web site's security certificate. Here I say continue to this website). But when same URL is hit by Java client (in my case) I get the above error. So to put it in the truststore I tried these three options:
Option 1
Option 2
Setting below in environment variable
Option 3
Setting below in environment variable
```
JAVA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=cha
Here is the original issue.
I am getting this error:
detailed message sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
cause javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I am using Tomcat 6 as webserver. I have two HTTPS web applications installed on different Tomcats on different ports but on the same machine. Say App1 (port 8443) and App2 (port 443). App1 connects to App2. When App1 connects to App2 I get the above error. I know this is a very common error so came across many solutions on different forums and sites. I have the below entry in
server.xml of both Tomcats:keystoreFile="c:/.keystore"
keystorePass="changeit"Every site says the same reason that certificate given by app2 is not in the trusted store of app1 jvm. This seems to be true also when I tried to hit the same URL in IE browser, it works (with warming, There is a problem with this web site's security certificate. Here I say continue to this website). But when same URL is hit by Java client (in my case) I get the above error. So to put it in the truststore I tried these three options:
Option 1
System.setProperty("javax.net.ssl.trustStore", "C:/.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");Option 2
Setting below in environment variable
CATALINA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=changeit ---param valueOption 3
Setting below in environment variable
```
JAVA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=cha
Solution
You need to add the certificate for App2 to the truststore file of the used JVM located at
First you can check if your certificate is already in the truststore by running the following command:
If your certificate is missing, you can get it by downloading it with your browser and add it to the truststore with the following command:
Example:
After import you can run the first command again to check if your certificate was added.
Sun/Oracle information can be found here.
$JAVA_HOME\lib\security\cacerts.First you can check if your certificate is already in the truststore by running the following command:
keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts" (you don't need to provide a password)If your certificate is missing, you can get it by downloading it with your browser and add it to the truststore with the following command:
keytool -import -noprompt -trustcacerts -alias -file -keystore -storepass Example:
keytool -import -noprompt -trustcacerts -alias myFancyAlias -file /path/to/my/cert/myCert.cer -keystore /path/to/my/jdk/jre/lib/security/cacerts/keystore.jks -storepass changeitAfter import you can run the first command again to check if your certificate was added.
Sun/Oracle information can be found here.
Code Snippets
keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>keytool -import -noprompt -trustcacerts -alias myFancyAlias -file /path/to/my/cert/myCert.cer -keystore /path/to/my/jdk/jre/lib/security/cacerts/keystore.jks -storepass changeitContext
Stack Overflow Q#9619030, score: 568
Revisions (0)
No revisions yet.