
Saturday 16 March 2019

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We are getting the exception below, “sun.security.provider.certpath.SunCertPathBuilderException”, on a JBoss instance.

Error log:
*********************************************************************************
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1351)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:156)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:860)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:728)

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
*********************************************************************************

OBSERVATION:

When Java connects to another application's services over HTTPS, the other party's certificate must be imported into the installed Java keystore file ($JAVA_HOME/jre/lib/security/cacerts), which acts as the truststore, for the connection to succeed.

OR

We can create a keystore, import the trusted certificates into it, and provide its location in the standalone.conf.bat or standalone.conf file.


SOLUTION:

Method 1: Import the signed or truststore certificate into the JDK ($JAVA_HOME/jre/lib/security/cacerts) file.

Command:
keytool -import -trustcacerts -alias "alias_name" -file certificate.cer -keystore cacerts

OR

keytool -import -alias server -file server.cer -keystore cacerts




METHOD 2: Create a new keystore, import the certificates into it, and provide its location and password to the application server in the standalone.conf.bat or standalone.conf file.


Step 1: Command to create a new truststore (.jks) file.

Command:
keytool -import -trustcacerts -alias "alias_name" -file certificate.cer -keystore truststorecert.jks

OR

keytool -import -alias server -file server.cer -keystore truststorecert.jks


Step 2: Make configuration changes on JBoss (standalone.conf.bat).


set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=D:/path/truststorecert.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=123password"





Step 3: Restart the application server to reflect the changes.
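
The following is an added example, not part of the original post: an offline Java check that the truststore from Method 1 or Method 2 actually trusts the imported certificate, using the same CertPathBuilder that appears in the stack trace. The class name TrustStoreCheck is hypothetical; the file names and password in the usage comment are the ones used on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

// Added example: checks offline whether a certificate file is trusted by a JKS truststore.
// Usage: java TrustStoreCheck truststorecert.jks 123password server.cer
public class TrustStoreCheck {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // fails here if the password or file is wrong
        }
        return ks;
    }

    static String check(KeyStore trustStore, X509Certificate cert) throws Exception {
        // Case 1: the certificate itself was imported as a trusted entry.
        String alias = trustStore.getCertificateAlias(cert);
        if (alias != null) {
            return "TRUSTED: certificate is stored under alias '" + alias + "'";
        }
        // Case 2: try to build a path from the certificate to any trusted entry.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(cert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.setRevocationEnabled(false); // only path building is checked here
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(cert))));
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            return "TRUSTED: chains to " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathBuilderException e) {
            return "NOT TRUSTED: " + e.getMessage(); // same failure as in the error log
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load(args[0], args[1].toCharArray());
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[2])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(ks.size() + " entries in " + args[0]);
        System.out.println(check(ks, cert));
    }
}
```

A NOT TRUSTED result for a leaf certificate can also mean the file lacks the intermediate certificates that the server would send during the handshake.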


Thanks :-)