SunCertPathBuilderException: unable to find valid certification path to requested target

Problem

I configured Tomcat to support SSL and deployed this web service on a development Tomcat server. When connecting to the deployed web service over SSL via the URL “https://localhost:8443/HelloWorld/hello?wsdl”, the client fails with:


javax.net.ssl.SSLHandshakeException: 
   sun.security.validator.ValidatorException: PKIX path building failed: 
   sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
       
Caused by: sun.security.validator.ValidatorException: 
   PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
       
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target

Solution

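The cause of the problem and the solution are both well explained in this article. In short, the server presents a self-signed certificate that is not in the JVM's default trust store (cacerts), so the client cannot build a certification path to a trusted root. Below is the same solution, demonstrated in my development environment :)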

1. Get InstallCert.java

Get the InstallCert.java file from http://blogs.sun.com/andreas/resource/InstallCert.java

2. Add Trusted Keystore

Run InstallCert with your hostname and HTTPS port, and press “1” when asked for input. It adds the certificate presented by “localhost” to a trusted keystore and generates a file named “jssecacerts”.


C:\>java InstallCert localhost:8443
Loading KeyStore C:\Program Files\Java\jre6\lib\security\cacerts...
Opening connection to localhost:8443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.
provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at InstallCert.main(InstallCert.java:87)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertP
athBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:182)
        ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to reques
ted target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 15 more

Server sent 1 certificate(s):

 1 Subject CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   Issuer  CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   sha1    32 3e 15 42 96 ba e9 4d 9c 5d e7 5e 6b 0f 30 23 b4 e3 f4 98
   md5     c8 dd a1 af 9f 55 a0 7f 6e 98 10 de 8c 63 1b a5

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

[
[
  Version: V3
  Subject: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 1129473579651954554552730664834664064459539051598864058082387115962631728819634110255367718769683451438528187
923246533854744470790959477657386037636238098777089479256059697784394926741427654735994678054030193662669088404706890444
59364523220747231216704221781747262219695262340353839314222273672957748320603247
  public exponent: 65537
  Validity: [From: Tue Dec 14 15:13:51 SGT 2010,
               To: Mon Mar 14 15:13:51 SGT 2011]
  Issuer: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
  SerialNumber: [    4d07192f]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 38 E4 F4 D9 51 B1 5F C1   01 13 32 79 DE 97 26 58  8...Q._...2y..&X
0010: 13 08 F1 A0 33 DB B9 90   AF EE 9E AE B9 9B 68 7D  ....3.........h.
0020: DF E8 7D 79 9D 92 24 4A   76 C9 4C 28 DA 68 B0 62  ...y..$Jv.L(.h.b
0030: FF AB 27 03 5C DD 1F C8   77 A2 25 18 DF 0C DC FD  ..'.\...w.%.....
0040: D3 39 5D 18 B4 BA 4B 36   8C FD C5 80 FF F2 E3 4D  .9]...K6.......M
0050: 0A 28 57 B9 04 D8 25 F6   FB CA DA 13 0C 36 FB 02  .(W...%......6..
0060: 9A B3 B1 28 46 D1 8E C7   D9 1A 5B CE BB A6 6F FD  ...(F.....[...o.
0070: 6D F2 35 D9 95 43 6E 38   2A 56 E7 31 21 D9 F0 90  m.5..Cn8*V.1!...

]

Added certificate to keystore 'jssecacerts' using alias 'localhost-1'

3. Verify Trusted Keystore

Run the InstallCert command again; the connection should succeed now.


C:\>java InstallCert localhost:8443
Loading KeyStore jssecacerts...
Opening connection to localhost:8443...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 1 certificate(s):

 1 Subject CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   Issuer  CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   sha1    32 3e 15 42 96 ba e9 4d 9c 5d e7 5e 6b 0f 30 23 b4 e3 f4 98
   md5     c8 dd a1 af 9f 55 a0 7f 6e 98 10 de 8c 63 1b a5

Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed

C:\>

4. Copy jssecacerts

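Copy the generated “jssecacerts” file to your “$JAVA_HOME\jre\lib\security” folder. JSSE uses a jssecacerts file in that folder in preference to cacerts, so every application running on this JRE will trust the certificate you added.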

5. Done

Run your web service client again; it should work now.
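
An added check, not part of the original post or of InstallCert: before copying jssecacerts into the JRE in step 4, this lists every entry it trusts beyond the stock cacerts, with subject, expiry and SHA-256 fingerprint, so you can confirm that only the certificate you expect was added. The class name TrustStoreDiff and the default keystore password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.*;

// Added example (hypothetical class): reports what jssecacerts trusts beyond cacerts.
public class TrustStoreDiff {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static String sha256(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // args: <stock cacerts> <generated jssecacerts> [password, assumed "changeit"]
        if (args.length < 2) { System.err.println("usage: TrustStoreDiff cacerts jssecacerts [password]"); return; }
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore baseline = load(args[0], password);
        KeyStore generated = load(args[1], password);
        Set<String> known = new HashSet<>();
        for (String alias : Collections.list(baseline.aliases())) {
            if (baseline.getCertificate(alias) instanceof X509Certificate)
                known.add(sha256((X509Certificate) baseline.getCertificate(alias)));
        }
        Date now = new Date();
        for (String alias : Collections.list(generated.aliases())) {
            if (!(generated.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate c = (X509Certificate) generated.getCertificate(alias);
            String fp = sha256(c);
            if (known.contains(fp)) continue; // already trusted by the stock cacerts
            boolean selfIssued = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.printf("%s%n  subject=%s%n  selfIssued=%b expired=%b notAfter=%s%n  sha256=%s%n",
                    alias, c.getSubjectX500Principal(), selfIssued,
                    now.after(c.getNotAfter()), c.getNotAfter(), fp);
        }
    }
}
```

Run it with the path to the JRE's cacerts and the generated jssecacerts; for the session above it should report only the alias localhost-1.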

About the Author

mkyong
Founder of Mkyong.com, love Java and open source stuff.

Comments

vignesh kumar
Guest
vignesh kumar

G:>java InstallCert localhost:7070

Hi guys, I am getting this error. Please help me.

Loading KeyStore G:JDK7.0jrelibsecuritycacerts…
Opening connection to localhost:7070…
Starting SSL handshake…
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java
)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketI
java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:
)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:
)
at InstallCert.main(InstallCert.java:57)
Could not obtain server certificate chain

G:>

Mohamed
Guest
Mohamed

I have added the certificates to jssecacerts, checked jssecacerts, and my certificates are listed, but I still get the same error.

mani
Guest
mani

Is there any way to generate the certificate?

Lúthien
Guest
Lúthien

Brilliant! This issue fazed me for some time, but got it fixed via this article .. just update the link to the utility, it’s on Github now: https://github.com/escline/InstallCert/issues

Andre
Guest
Andre

This guy and his tutorials always make me smile.

This tutorial works fine for me.
Thanks for sharing

Brant
Guest
Brant

Quick question — I run this and it generates a certificate but it’s an expired certificate with unknown values for the Issuer and Subject. Any ideas as to why this would be?

Anthony
Guest
Anthony

Hello, this works perfectly in NetBeans, but it doesn’t work when I execute the command: java -jar … Please help me.

Charles
Guest
Charles

https://github.com/escline/InstallCert

I have used this generator and it works fine!

CodeJunkie
Guest
CodeJunkie

The above steps return an error once I executed InstallCert, as follows:

Loading KeyStore /Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security/cacerts...
Opening connection to localhost:8443...
Exception in thread "main" java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:427)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:88)
at programs.General.InstallCert.main(InstallCert.java:87)

Lekshmana M
Guest
Lekshmana M

After a lot of struggling I found this link, and this method works well. Thanks for sharing.

lp
Guest
lp

May I know how long this cert lasts?

lp
Guest
lp

Nice tutorial! Found that the default valid period of the Cert is 1 year. How can I change the default period?

Eli Cloyd
Guest
Eli Cloyd

getting a 404 on all the links :(

Ram Wms
Guest
Ram Wms

Hi MK, can you please update the link http://blogs.sun.com/andreas/resource/InstallCert.java, because it shows a 404?
Thank you

Kundan Dere
Guest
Kundan Dere

As Sun's link is down, one can find InstallCert.java here:
https://java-use-examples.googlecode.com/svn/trunk/src/com/aw/ad/util/InstallCert.java

Help
Guest
Help

I am running the web service call in my workspace. It works the first time. When I come back the next day, somehow I have to do it again. Not sure why it is not being applied permanently?

Deepa Rao
Guest
Deepa Rao

This is awesome! Thanks much. It works well for me now.

Alex
Guest
Alex

Unfortunately the link to the article is broken. Without this link it's hard to understand what the cause was and the approach to the solution.

Selman
Guest
Selman

Thanks for help

tariq
Guest
tariq

Hello everyone!
Has anyone been working on EJBCA web services?
I am trying to call my web service methods from a client machine and I am getting the exceptions below:
javax.xml.ws.WebServiceException: Failed to access the WSDL at:https://example.com:8442/ejbca/ejbcaws/ejbcaws?wsdl. It failed with:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Can anyone tell me a working solution for this? Your effort would be greatly appreciated.

Aatka Ali
Guest
Aatka Ali

I have an issue while using the solution you have mentioned above.

C:Users291767>java InstallCert localhost:8443
Loading KeyStore C:Program FilesJavajre7libsecuritycacerts…
Opening connection to localhost:8443…
Exception in thread “main” java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
at InstallCert.main(InstallCert.java:94)
I am getting the above exception. Can you please give me a solution?

aelohin
Guest
aelohin

Thanks it works! Now I can continue doing JSON posts in SSL.

k
Guest
k

Thanks and very useful

Chintu
Guest
Chintu

Thank you very much. You saved my life :). Works like magic.

raaz
Guest
raaz

Thank you, that works for me.

Tejaswi Rana
Guest
Tejaswi Rana

I owe you man.. I shouldn’t have overlooked your solution. None of the keytool -import solutions worked for me.

ei8
Guest
ei8

I’m not sure what InstallCert buys you. Is there a difference between using this and just using keytool? I normally:
1) keytool s_client -connect : -showcerts
2) copy the text from cert you want into a file
3) keytool -import -trustcacerts -file [-keystore mystore]
pretty simple.

webercoder
Guest
webercoder

Thanks for the tip! I assume that you meant openssl on (1):
openssl s_client -connect : -showcerts

hass
Guest
hass

While running InstallCert.java, I am getting the following exception:

C:>java InstallCert localhost:8080
Loading KeyStore C:Program FilesJavajre1.7.0libsecuritycacerts…
Opening connection to localhost:8080…
Starting SSL handshake…

Exception in thread “main” java.net.SocketException: Connection reset
at java.net.SocketInputStream.read
at com.sun.net.ssl.internal.ssl.InputRecord.readFully