Monday, 6 November 2017

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

Users sometimes run into the "sun.security.validator.ValidatorException: PKIX path building failed" exception and don't know how to solve it.

Problem: This error usually occurs when we try to consume secured services using a Java client. Below is the stack trace that we usually get:

 sun.security.validator.ValidatorException:
 PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
 unable to find valid certification path to requested target

 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
                sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
                sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
                sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
                sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
                sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
                sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
                sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
                sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
                sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
                sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)



Cause:

The main reason for the issue is that the SSL certificate has not been installed properly.

Solution:

1) Download the InstallCert.java file from here

2) Compile the file using the command as below:
     
              javac InstallCert.java

3) Add Trusted Keystore

Run InstallCert with the hostname and HTTPS port (java InstallCert localhost:443 in the run below), and press “1” when it asks for input. It adds the “localhost” certificate to a trusted keystore and generates a file named “jssecacerts”.

C:\Ankur>java InstallCert localhost:443
Loading KeyStore C:\Program Files (x86)\Java\jre1.8.0_91\lib\security\cacerts...
Opening connection to localhost:443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at InstallCert.main(InstallCert.java:59)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:161)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
        ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 17 more

Server sent 1 certificate(s):

 1 Subject CN=Ankur-Jain
   Issuer  CN=Ankur-Jain
   sha1    d3 b9 1c 0d 37 15 43 eb 42 08 6e 28 f9 b9 14 51 b4 5d 80 fb
   md5     d0 0e b8 cf 3e af ee a7 75 96 7b 65 d0 a8 83 1f

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

[
[
  Version: V3
  Subject: CN=Ankur-Jain
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 29097399406335862648603478718093032258106380849402774151925502342615178908568117666690377193826203615479790565960821376205940928458371313760609133959349461286885160113266037440511976960329613437120185785368606059740742844262213088886805653789914216591685771502790972206462685411556415317772895044855789311041156987953579907954163194290953047131042696647502021116508936286048203642300999439036533705336558235724297279695584190506372666605140794146250538573493778513998757194609517715519451722657765734837367627217395785262158854804147187586905921058319581450357763769002145000821758050508892633704219266564731848702777
  public exponent: 65537
  Validity: [From: Mon Jun 12 17:27:51 IST 2017,
               To: Thu Jun 10 17:27:51 IST 2027]
  Issuer: CN=Ankur-Jain
  SerialNumber: [    ef54124a a7408795]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_Encipherment
  Data_Encipherment
]

[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: Ankur-Jain
]

]
  Algorithm: [SHA256withRSA]
  Signature:

]
Added certificate to keystore 'jssecacerts' using alias 'localhost-1' 


3) Verify Trusted Keystore

Run the same command again to check whether the certificate has been added successfully:

C:\Ankur>java InstallCert localhost:443
Loading KeyStore jssecacerts...
Opening connection to localhost:443...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 1 certificate(s):

 1 Subject CN=Ankur-Jain
   Issuer  CN=Ankur-Jain
   sha1    d3 b9 1c 0d 37 15 43 eb 42 08 6e 28 f9 b9 14 51 b4 5d 80 fb
   md5     d0 0e b8 cf 3e af ee a7 75 96 7b 65 d0 a8 83 1f

Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed


4) Copy jssecacerts: Copy the generated jssecacerts file to the $JAVA_HOME/jre/lib/security folder.

5) Invoke the service client again; the problem should be gone.
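
InstallCert, as the run above shows, adds whichever certificate the server presents once "1" is entered. The class below is an added example, not InstallCert's code and not part of the original post: it stores the certificate only when its SHA-256 fingerprint matches a value obtained out of band (for example from the server's administrator). The class name PinnedImport, its argument order and the truststore file are assumptions made for illustration.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example (hypothetical class, not InstallCert): keep a server certificate only if pinned.
public class PinnedImport {
    // Lower-case hex SHA-256 of the DER-encoded certificate.
    static String sha256Hex(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            sb.append(String.format("%02x", b));
        return sb.toString();
    }
    // Handshake with a trust manager that records the chain and then rejects it.
    static X509Certificate fetchLeaf(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                throw new CertificateException("client authentication not supported");
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                throw new CertificateException("recorded only, not trusted");
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        } catch (SSLException rejected) { /* aborted by recorder after capture */ }
        if (seen[0] == null || seen[0].length == 0) throw new IOException("no certificate received");
        return seen[0][0];
    }
    // Usage: java PinnedImport <host> <port> <expected-sha256-hex> <truststore-file> <password>
    public static void main(String[] a) throws Exception {
        X509Certificate cert = fetchLeaf(a[0], Integer.parseInt(a[1]));
        String expected = a[2].replaceAll("[^0-9A-Fa-f]", "").toLowerCase();
        if (!sha256Hex(cert).equals(expected))
            throw new SecurityException("fingerprint mismatch, got " + sha256Hex(cert));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty store holding only this certificate
        ks.setCertificateEntry(a[0], cert);
        try (OutputStream out = new FileOutputStream(a[3])) { ks.store(out, a[4].toCharArray()); }
        System.out.println("Stored " + cert.getSubjectX500Principal() + " in " + a[3]);
    }
}
```

Point only the client that needs it at the resulting file with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword; that JVM then trusts only the certificates in this file.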

