SunCertPathBuilderException: unable to find valid certification path to requested target
Problem
Tomcat was configured to support SSL and this web service was deployed on a development Tomcat server. While connecting to the deployed web service over SSL via the URL “https://localhost:8443/HelloWorld/hello?wsdl”, it hits:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solution
The cause of the problem and its solution are both well explained in this article. Below is the same solution, demonstrated in my development environment :)
1. Get InstallCert.java
Get the InstallCert.java file from http://blogs.sun.com/andreas/resource/InstallCert.java
2. Add Trusted Keystore
Run InstallCert.java with your hostname and HTTPS port, and press “1” when asked for input. It adds the certificate presented by “localhost” to a trusted keystore and generates a file named “jssecacerts”.
C:\>java InstallCert localhost:8443
Loading KeyStore C:\Program Files\Java\jre6\lib\security\cacerts...
Opening connection to localhost:8443...
Starting SSL handshake...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at InstallCert.main(InstallCert.java:87)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:182)
... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 15 more
Server sent 1 certificate(s):
1 Subject CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
Issuer CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
sha1 32 3e 15 42 96 ba e9 4d 9c 5d e7 5e 6b 0f 30 23 b4 e3 f4 98
md5 c8 dd a1 af 9f 55 a0 7f 6e 98 10 de 8c 63 1b a5
Enter certificate to add to trusted keystore or 'q' to quit: [1]
1
[
[
Version: V3
Subject: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 1129473579651954554552730664834664064459539051598864058082387115962631728819634110255367718769683451438528187
923246533854744470790959477657386037636238098777089479256059697784394926741427654735994678054030193662669088404706890444
59364523220747231216704221781747262219695262340353839314222273672957748320603247
public exponent: 65537
Validity: [From: Tue Dec 14 15:13:51 SGT 2010,
To: Mon Mar 14 15:13:51 SGT 2011]
Issuer: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
SerialNumber: [ 4d07192f]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 38 E4 F4 D9 51 B1 5F C1 01 13 32 79 DE 97 26 58 8...Q._...2y..&X
0010: 13 08 F1 A0 33 DB B9 90 AF EE 9E AE B9 9B 68 7D ....3.........h.
0020: DF E8 7D 79 9D 92 24 4A 76 C9 4C 28 DA 68 B0 62 ...y..$Jv.L(.h.b
0030: FF AB 27 03 5C DD 1F C8 77 A2 25 18 DF 0C DC FD ..'.\...w.%.....
0040: D3 39 5D 18 B4 BA 4B 36 8C FD C5 80 FF F2 E3 4D .9]...K6.......M
0050: 0A 28 57 B9 04 D8 25 F6 FB CA DA 13 0C 36 FB 02 .(W...%......6..
0060: 9A B3 B1 28 46 D1 8E C7 D9 1A 5B CE BB A6 6F FD ...(F.....[...o.
0070: 6D F2 35 D9 95 43 6E 38 2A 56 E7 31 21 D9 F0 90 m.5..Cn8*V.1!...
]
Added certificate to keystore 'jssecacerts' using alias 'localhost-1'
3. Verify Trusted Keystore
Run the InstallCert command again; the connection should be OK now.
C:\>java InstallCert localhost:8443
Loading KeyStore jssecacerts...
Opening connection to localhost:8443...
Starting SSL handshake...
No errors, certificate is already trusted
Server sent 1 certificate(s):
1 Subject CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
Issuer CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
sha1 32 3e 15 42 96 ba e9 4d 9c 5d e7 5e 6b 0f 30 23 b4 e3 f4 98
md5 c8 dd a1 af 9f 55 a0 7f 6e 98 10 de 8c 63 1b a5
Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed
C:\>
4. Copy jssecacerts
Copy the generated “jssecacerts” file to your “$JAVA_HOME\jre\lib\security” folder.
5. Done
Run your web service client again; it should be working now.
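Step 4 works because the default JSSE trust manager reads lib/security/jssecacerts in preference to cacerts, so the file has to land in the JRE that actually runs the client. The following added example (not part of the original article or of InstallCert.java) resolves the trust store the running JRE will use and prints the entry stored under the alias from step 2, so its sha1 line can be compared with the InstallCert output. Assumptions: the class name TrustStoreCheck is hypothetical, the store password is the default "changeit", and Java 7 or later is used.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Date;

// Added example (hypothetical class name); not part of InstallCert or the article.
public class TrustStoreCheck {

    // Lookup order of the default JSSE trust manager: the system property,
    // then lib/security/jssecacerts, then lib/security/cacerts.
    static Path effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return Paths.get(prop);
        Path sec = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = sec.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : sec.resolve("cacerts");
    }

    // Hex fingerprint in the same "32 3e 15 ..." layout InstallCert prints.
    static String fingerprint(X509Certificate c, String algo) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance(algo).digest(c.getEncoded()))
            sb.append(String.format("%02x ", b));
        return sb.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        Path store = args.length > 0 ? Paths.get(args[0]) : effectiveTrustStore();
        String alias = args.length > 1 ? args[1] : "localhost-1"; // alias from step 2
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, "changeit".toCharArray()); // assumption: default password
        }
        System.out.println("java.home  : " + System.getProperty("java.home"));
        System.out.println("trust store: " + store + " (" + ks.size() + " entries)");
        if (!(ks.getCertificate(alias) instanceof X509Certificate)) {
            System.out.println("alias '" + alias + "' not found in this trust store");
            return;
        }
        X509Certificate c = (X509Certificate) ks.getCertificate(alias);
        System.out.println("subject    : " + c.getSubjectX500Principal());
        System.out.println("self-signed: "
                + c.getSubjectX500Principal().equals(c.getIssuerX500Principal()));
        System.out.println("sha1       : " + fingerprint(c, "SHA-1"));
        System.out.println("sha256     : " + fingerprint(c, "SHA-256"));
        System.out.println("expires    : " + c.getNotAfter()
                + (c.getNotAfter().before(new Date()) ? "  <-- EXPIRED" : ""));
    }
}
```

Run it with the same `java` binary that runs the web service client; if the printed java.home is not the directory you copied jssecacerts into, the client is using a different trust store.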

Thanks a lot it is working like a gem:)
I have created a trustServerCertificate() method which basically trusts the certificate of the requested server at runtime.
For that I do the following steps:
1) Create a keystore and import the certificate into this keystore file
2) Put it into my project class path
3) Write a method trustServerCertificate() which trusts the keystore file
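import java.io.IOException;
import java.security.Security;
import java.util.Properties;

static Properties properties = new Properties();

void trustServerCertificate() {
    try {
        // keystore.properties must be on the class path
        properties.load(ThisClass.class.getClassLoader().getResourceAsStream("keystore.properties"));
        System.out.println("Properties loaded successfully");
    } catch (IOException e) {
        System.out.println("Properties not loaded: " + e.getMessage());
        e.printStackTrace();
        return; // without the properties there is no keystore location to use
    }
    // Resolve the keystore named by the KeyStoreLocation property on the class path
    String keyStore = Util.class.getClassLoader().getResource(ThisClass.getProperties("KeyStoreLocation")).getFile();
    System.out.println("KS path :" + keyStore);
    // The default SSLContext reads this property once, when it is first initialised,
    // so it must be set before the first HTTPS connection is made.
    System.setProperty("javax.net.ssl.trustStore", keyStore);
    // SunJSSE is registered by default on Sun JREs; kept as in the original post
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
}

public static String getProperties(String key) {
    return properties.getProperty(key);
}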
I am getting the same only when I try to access the method that trusts the certificate of the requested server from another method, constructor or init, but not from the main method.
Please help
Getting the below-mentioned error:
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: warning, close_notify
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 18
javax.net.ssl.SSLException: Received close_notify during handshake
C:\cert>java InstallCert localhost:8080
Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts...
Opening connection to localhost:8080...
Starting SSL handshake...
Exception in thread "main" java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at InstallCert.main(InstallCert.java:87)
I have got the above exception; can anyone help?
Port 8080 is down; that’s why it is giving an exception.
The server must be running on port 8080.
Hi Yong,
I followed your steps as mentioned in the above.
Now I am able to create the certificate. I did copy the generated “jssecacerts” file to your “$JAVA_HOME\jre\lib\security” folder.
Still I am getting the same error:
D:\MyStuff\TestCIMSweb>wsimport -p com.merge.cims.plugin -s src -d bin https://192.168.5.22/bah1100203_test/cimsservices/viewjob.svc?wsdl
error: failed to parse document at "https://192.168.5.22/bah1100203_test/cimsservices/viewjob.svc?wsdl": javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Do you have any suggestions, in case I missed anything?
Thank You
C:\Users\291767>java InstallCert localhost:8443
Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts...
Opening connection to localhost:8443...
Exception in thread "main" java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
at InstallCert.main(InstallCert.java:94)
I am getting the above exception; can you please give me a solution?
While running with the following command
C:\>java InstallCert localhost:8443
I am getting the following exception
C:\>java InstallCert localhost:8080
Loading KeyStore C:\Program Files\Java\jre1.7.0\lib\security\cacerts...
Opening connection to localhost:8080...
Starting SSL handshake...
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at InstallCert.main(InstallCert.java:87)
Could not obtain server certificate chain
Please attach the solution for this exception?
Please update the links, these display 404 not found messages
You can find the file here :
http://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java
Thanks for this, it was really useful to me :)
The web links are not working.
Thanks a lot. As always, you’ve been a great help.
Hi, Yong:
Thanks for this post, but I still get a problem even though I totally followed your post to import a secured WSDL file. Here is our WSDL: https://dev-tam.exim.gov:444/apps/bap/services/DocumentManagement/wsdl/DocumentManagement.wsdl. All the steps following your post went through well; however, at the last step, when I try to import the WSDL, I get an error as follows:
C:\Documents and Settings\Zhangx\Desktop>wsimport https://dev-tam.exim.gov:444/apps/bap/services/DocumentManagement/wsdl/DocumentManagement.wsdl
parsing WSDL...
[ERROR] java.security.cert.CertificateException: No name matching dev-tam.exim.gov found
Failed to read the WSDL document: https://dev-tam.exim.gov:444/apps/bap/services
I hope you could help me to figure out this problem
Thank you very much in advance
Hi Yong,
Nice tutorial. But I am still getting the same problem. My client is able to connect to the server without any error/exception. In my application we are generating a PDF from an HTML file. Now, when this PDF is generated, the error comes at that point.
No certificate error is coming on Web Browser.
Please provide your valuable suggestions.
Thanks.
When connecting to our client production server from our production server over HTTPS, we are getting an exception: java.net.SocketException: java.lang.ClassNotFoundException: org.ablogic.search.AllTrustSSLSocketFactory
Please help on this.
Hello,
Does the “Java InstallCert” command need to be run on the web server where the JSP page is running, or on the user machine where the user is accessing the JSP page?
Thank you.
Satya
Nice tutorial Yong!
The website “http://blogs.sun.com/andreas/resource/InstallCert.java” doesn’t work anymore, though. Try this one instead: http://code.google.com/p/java-use-examples/source/browse/#svn%2Ftrunk%2Fsrc%2Fcom%2Faw%2Fad%2Futil%253Fstate%253Dclosed
My bad….
http://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java
I want a Java program to connect to a VMware Ubuntu PostgreSQL database using JDBC with SSL.
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

String url = "jdbc:postgresql://192.168.235.128:5432/lincdoc";
Properties props = new Properties();
props.setProperty("user", "demo.data");
props.setProperty("password", "aCTqjR3H");
props.setProperty("ssl", "true"); // enable SSL for this connection
Connection connection = DriverManager.getConnection(url, props);
But hit error :
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
So I followed this post to solve the problem
http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/comment-page-1/#comment-72715
But hit another error :
D:\Project\InstallCert\src>java com.aw.ad.util.InstallCert 192.168.235.128:8443
Loading KeyStore C:\Program Files\Java\jre6\lib\security\cacerts...
Opening connection to 192.168.235.128:8443...
Exception in thread "main" java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
at com.aw.ad.util.InstallCert.main(InstallCert.java:94)
NOTE: 192.168.235.128 is the VMware IP address. Should I run InstallCert.java inside VMware (Ubuntu) instead of the Windows Command Prompt?
I copied InstallCert.java from here:
http://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java
Appreciate any help!
I try
java com.aw.ad.util.InstallCert localhost:8443
also same error
Hello,
The server must be running on this port when you call InstallCert.
You can start Tomcat on port 8443 and after that call the class.
Hi,
I want to run this on a Linux server, and after the certificates are generated I stored them in the security folder of the JRE. But when I execute the command “wget https://10.63.25.44:443/ProvisioningGateway/services/SPMLHlrSubscriber453Service?wsdl” I get the below error:
Connecting to 10.63.25.44:443... connected.
ERROR: cannot verify 10.63.25.44's certificate, issued by '/C=DE/ST=none/L=Munich/O=Siemens A.G./OU=COM/CN=srnpgw3'
Self-signed certificate encountered.
ERROR: certificate common name 'srnpgw3' doesn't match requested host name '10.63.25.44'.
To connect to 10.63.25.44 insecurely, use '--no-check-certificate'.
Could any one of you explain how to solve this problem?
Great ! Smart How To.