Users sometimes run into the exception "sun.security.validator.ValidatorException: PKIX path building failed" and don't know how to resolve it.
Problem: This error usually occurs when we try to consume secured (HTTPS) services from a Java client. Below is the stack trace that we usually get:
sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
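Cause:
The main reason for the issue is that the server's SSL certificate has not been installed properly in the truststore the Java client uses, so Java cannot build a certification path from it to a certificate it trusts.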
Solution:
1) Download the InstallCert.java file from here
2) Compile the file using the command below:
javac InstallCert.java
3) Add Trusted Keystore
Run the compiled class with java InstallCert followed by the hostname and HTTPS port, as shown below, and press "1" when asked for input. It adds the server's certificate to a trusted keystore under an alias derived from the hostname ("localhost-1" here) and generates a file named "jssecacerts".
C:\Ankur>java InstallCert localhost:443
Loading KeyStore C:\Program Files (x86)\Java\jre1.8.0_91\lib\security\cacerts...
Opening connection to localhost:443...
Starting SSL handshake...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at InstallCert.main(InstallCert.java:59)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:161)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 17 more
Server sent 1 certificate(s):
1 Subject CN=Ankur-Jain
Issuer CN=Ankur-Jain
sha1 d3 b9 1c 0d 37 15 43 eb 42 08 6e 28 f9 b9 14 51 b4 5d 80 fb
md5 d0 0e b8 cf 3e af ee a7 75 96 7b 65 d0 a8 83 1f
Enter certificate to add to trusted keystore or 'q' to quit: [1]
1
[
[
Version: V3
Subject: CN=Ankur-Jain
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 29097399406335862648603478718093032258106380849402774151925502342615178908568117666690377193826203615479790565960821376205940928458371313760609133959349461286885160113266037440511976960329613437120185785368606059740742844262213088886805653789914216591685771502790972206462685411556415317772895044855789311041156987953579907954163194290953047131042696647502021116508936286048203642300999439036533705336558235724297279695584190506372666605140794146250538573493778513998757194609517715519451722657765734837367627217395785262158854804147187586905921058319581450357763769002145000821758050508892633704219266564731848702777
public exponent: 65537
Validity: [From: Mon Jun 12 17:27:51 IST 2017,
To: Thu Jun 10 17:27:51 IST 2027]
Issuer: CN=Ankur-Jain
SerialNumber: [ ef54124a a7408795]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_Encipherment
Data_Encipherment
]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: Ankur-Jain
]
]
Algorithm: [SHA256withRSA]
]
Added certificate to keystore 'jssecacerts' using alias 'localhost-1'
4) Verify Trusted Keystore
Run the same command again to check that the certificate has been added successfully:
C:\Ankur>java InstallCert localhost:443
Loading KeyStore jssecacerts...
Opening connection to localhost:443...
Starting SSL handshake...
No errors, certificate is already trusted
Server sent 1 certificate(s):
1 Subject CN=Ankur-Jain
Issuer CN=Ankur-Jain
sha1 d3 b9 1c 0d 37 15 43 eb 42 08 6e 28 f9 b9 14 51 b4 5d 80 fb
md5 d0 0e b8 cf 3e af ee a7 75 96 7b 65 d0 a8 83 1f
Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed
5) Copy jssecacerts: Copy the generated jssecacerts file to the $JAVA_HOME/jre/lib/security folder.
6) Invoke the service client again and the problem goes away.
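InstallCert trusts whatever certificate the server presents at the moment "1" is pressed, so the fingerprint it prints should first be compared with one obtained from the server's administrator. The Java program below is an added example, not part of InstallCert or of the original post: it makes that comparison before saving the certificate. The class name PinnedInstall, its four arguments, the use of a SHA-256 fingerprint and the "changeit" store password are assumptions.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

// Added example (hypothetical class): save a server certificate only if its
// SHA-256 fingerprint matches a value obtained out of band.
public class PinnedInstall {
    // Hex-encode the SHA-256 digest of the DER-encoded certificate (lower case).
    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) throw new IllegalArgumentException(
                "usage: java PinnedInstall <host> <port> <sha256-hex> <truststore-file>");
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Accept "d3:b9:..." or "d3 b9 ..." by dropping everything that is not a hex digit.
        String expected = args[2].replaceAll("[^0-9A-Fa-f]", "").toLowerCase();
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Records the presented chain; used for this handshake only, no data is exchanged.
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { seen[0] = chain; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
        }
        X509Certificate leaf = seen[0][0];
        String actual = sha256Hex(leaf);
        if (!actual.equals(expected)) {
            System.err.println("Fingerprint mismatch, certificate NOT stored: " + actual);
            System.exit(1);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                        // start from an empty truststore
        ks.setCertificateEntry(host + "-1", leaf);  // same alias style as InstallCert
        try (OutputStream out = new FileOutputStream(args[3])) {
            ks.store(out, "changeit".toCharArray()); // placeholder password (assumption)
        }
        System.out.println("Stored " + leaf.getSubjectX500Principal() + " in " + args[3]);
    }
}
```

The resulting file contains only the verified certificate, so it is meant for the one client that calls this server, started with -Djavax.net.ssl.trustStore set to that file. Unlike a jssecacerts copied into $JAVA_HOME/jre/lib/security, this leaves the trust settings of other applications on the same JVM unchanged.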