PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [duplicate] - ssl

This question already has answers here:
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
(33 answers)
Closed 8 months ago.
I am making a web service call through a TLS connection (https) in Tomcat 7.x.
While calling the web service, I am getting the following error. What would be the issue? I have tried creating certificates and a CA.
FYI - https://sites.google.com/site/ddmwsst/create-your-own-certificate-and-ca
I imported the CA certificate and the other certificates and I am still getting this issue. Please advise.
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://localhost:8443/myDomain/MyService?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:92)
... 37 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1902)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1032)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1328)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:632)
at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:189)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:799)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:764)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:123)
at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:237)
at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:300)
... 43 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 61 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
I am testing certificates by creating them locally, so I followed these steps.
Keys>keytool -genkey -alias TLS -keystore TLSKeyStore.jks -keyalg RSA -sigalg SHA1withRSA
Keys>keytool -export -alias TLS -file TLS.cer -keystore TLSKeyStore.jks
Keys>keytool -certreq -alias TLS -keystore TLSKeyStore.jks -file TLS.csr
CA>set RANDFILE=rand
CA>openssl req -new -keyout TLSkey.pem -out TLSreq.pem -config C:\OpenSSL-Win64\bin\openssl.cfg
CA>openssl x509 -signkey TLSkey.pem -req -days 3650 -in TLSreq.pem -out TLSroot.cer -extensions v3_ca
CA>openssl x509 -CA TLSroot.cer -CAkey TLSkey.pem -CAserial serial.txt -req -in ../Keys/TLS.csr -out ../Keys/TLSTestCA.cer -days 365
Keys>keytool -import -alias TLSCA -file ../CA/TLSroot.cer -keystore TLSKeyStore.jks
Keys>keytool -import -alias TLS -file TLSTestCA.cer -keystore TLSKeyStore.jks

Here's an overall summary of how to import certificates to fix the following error:
Error while trying to execute request.
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
How to import certificates
Go to the URL in your browser and click on the HTTPS certificate chain (the little lock symbol next to the URL address) to export the certificate.
Click "more info" > "security" > "show certificate" > "details" > "export..".
Save as .der
Repeat for any certificates you need to import
Locate $JAVA_HOME/jre/lib/security/cacerts
Import all *.der files into the cacerts file using the following:
sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
sudo keytool -import -alias mysiteprod -keystore $JAVA_HOME/jre/lib/security/cacerts -file prod.der
sudo keytool -import -alias mysitedev -keystore $JAVA_HOME/jre/lib/security/cacerts -file dev.der
The default keystore password is 'changeit'
You can view the change you made with this command, which shows the certificate fingerprint.
keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
If this doesn't solve the problem, try adding these java options as arguments:
-Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
-Djavax.net.ssl.trustStorePassword="changeit"
My guess is that you might have missed a step. I was having the same error until I realized I had imported the wrong certificate.
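The answer above tells you which file to import but not how to tell which certificate is missing. The following Java diagnostic is an added example, not code from the question, this answer or the InstallCert program linked elsewhere on this page. It handshakes with the server using the JVM's real trust manager (so validation is never disabled), records the chain the server presented even when that validation rejects it, and then reports whether the missing trust anchor is a self-signed leaf (import the certificate itself) or an issuing CA absent from the trust store (import that CA, not the leaf). The class name TrustCheck, the command-line layout and the optional truststore argument are assumptions; with no truststore argument the JVM default cacerts is used.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnoses "PKIX path building failed" without disabling certificate validation.
 * Usage (assumed layout): java TrustCheck <host> <port> [truststore.jks] [password]
 */
public class TrustCheck {

    /** Delegates every trust decision to the real trust manager but keeps the chain it saw. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        volatile X509Certificate[] lastChain;   // chain the server presented, even if rejected

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            lastChain = chain;                               // record first ...
            delegate.checkServerTrusted(chain, authType);    // ... then validate for real
        }

        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Loads the platform X509TrustManager for a truststore file (null path = JVM default cacerts). */
    static X509TrustManager loadTrustManager(String truststorePath, char[] password) throws Exception {
        KeyStore ks = null;                                  // null KeyStore => factory uses cacerts
        if (truststorePath != null) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(truststorePath)) { ks.load(in, password); }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Performs a TLS handshake with host:port; returns true only if the chain validated. */
    static boolean handshake(String host, int port, RecordingTrustManager rtm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rtm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(10_000);
            s.startHandshake();                              // no application data is ever sent
            return true;
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String truststore = args.length > 2 ? args[2] : null;
        char[] password = (args.length > 3 ? args[3] : "changeit").toCharArray();

        RecordingTrustManager rtm = new RecordingTrustManager(loadTrustManager(truststore, password));
        boolean trusted = handshake(host, port, rtm);
        X509Certificate[] chain = rtm.lastChain;
        if (chain == null) {
            System.out.println("No certificate chain received (connection failed before the Certificate message).");
            return;
        }
        System.out.println("Server presented " + chain.length + " certificate(s):");
        for (int i = 0; i < chain.length; i++) {
            System.out.printf("  [%d] subject=%s%n      issuer=%s%n", i,
                    chain[i].getSubjectX500Principal(), chain[i].getIssuerX500Principal());
        }
        if (trusted) { System.out.println("Chain validates against the trust store."); return; }

        // The path builder needs a trusted anchor for the top of the presented chain.
        X509Certificate top = chain[chain.length - 1];
        boolean selfSigned = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
        boolean issuerKnown = false;
        for (X509Certificate anchor : rtm.getAcceptedIssuers()) {
            if (anchor.getSubjectX500Principal().equals(top.getIssuerX500Principal())) { issuerKnown = true; break; }
        }
        if (selfSigned) {
            System.out.println("Top of chain is self-signed and not accepted: import this certificate itself "
                    + "as a trusted entry (keytool -import -trustcacerts), or check its validity dates.");
        } else if (!issuerKnown) {
            System.out.println("Missing trust anchor: no trusted entry has subject " + top.getIssuerX500Principal()
                    + ". Import the CA certificate with that subject, not the leaf.");
        } else {
            System.out.println("Issuer is in the trust store; check the CA entry's validity dates and basic "
                    + "constraints, or the hostname, rather than importing more certificates.");
        }
    }
}
```

Run it against the failing endpoint from the question (java TrustCheck localhost 8443) to reproduce the error and see which subject is missing. Passing a dedicated truststore as the third argument (java TrustCheck localhost 8443 client-truststore.jks changeit) lets you verify an import before touching the JVM-wide cacerts; pointing only the client at that file through -Djavax.net.ssl.trustStore keeps the trust you add scoped to the one application that needs it.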

Finally I found the way to solve this issue.
Refer to InstallCert.java at this link. Run this program standalone, passing localhost:9443 as the argument, and the program creates a jssecacerts file under Eclipse.
Copy this jssecacerts file into your JDK_HOME\jre\lib\security\ folder. That should solve the issue.
Happy TLS setup!!!

Related

Facing PKIX path building failed exception in selenium broken link script

I am using the lines of code below to verify broken links:
// Only the status code is needed, so a HEAD request avoids downloading the body
HttpURLConnection huc = (HttpURLConnection) new URL(url).openConnection();
huc.setRequestMethod("HEAD");
huc.setReadTimeout(5000);
huc.connect();
int respCode = huc.getResponseCode();
When the script reaches the huc.connect() line, it throws the exception below.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How can I solve it? I need to run this script locally and also in a GitHub Actions pipeline.
You get this error when your website's certificate is not added to the trusted store. Please follow the steps below to add the certificate to the trusted store.
Open the website and download the certificate by clicking on the lock icon -> Connection is secure -> Certificate -> click on the root -> Certification path -> Copy to file -> and store it on your local system with an alias name.
Now you need to add the certificate to $JAVA_HOME\lib\security\cacerts using the command below:
keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>
e.g.:
keytool -import -noprompt -trustcacerts -alias myaddedcertaliasname -file /localsystempath/to/my/cert/myCert.cer -keystore /path/to/my/jdk/jre/lib/security/cacerts -storepass changeit
Please note the default password for the key store is changeit.
Once you import the certificate into your key store you should no longer get this error.

SOLR not starting with SSL

I have set up Solr on my local system. It works fine without SSL; however, with SSL Solr gives this exception:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
at org.eclipse.jetty.start.Main.start(Main.java:457)
at org.eclipse.jetty.start.Main.main(Main.java:75)
Caused by: java.io.IOException: Invalid keystore format
I have generated the p12 and jks using these commands:
"C:\Program Files\Java\jdk-10.0.1\bin\keytool.exe" -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
and
"C:\Program Files\Java\jdk-10.0.1\bin\keytool.exe" -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
I kept secret as the password for all phrases. I copied the jks and p12 files to the solr-6.6.2/server/etc folder, updated the solr.in.cmd file and uncommented these lines:
SET SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SET SOLR_SSL_KEY_STORE_PASSWORD=secret
SET SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SET SOLR_SSL_TRUST_STORE_PASSWORD=secret
SET SOLR_SSL_NEED_CLIENT_AUTH=false
SET SOLR_SSL_WANT_CLIENT_AUTH=false
SET SOLR_SSL_KEY_STORE_TYPE=JKS
SET SOLR_SSL_TRUST_STORE_TYPE=JKS
When I try to run with solr -p 8984 it gives the exception above.
Can you please help me out with the setup? I've been googling but can't seem to find the resolution.
OK, I have resolved the issue. It seems my Java version was "1.8.0 ea". When I uninstalled it and installed the new version "1.8.0_171", Solr started in HTTPS.
I also tried Java version 10 and it had the same issue with Solr 6.6.2.

bad_certificate when executing an API in WSO2Carbon

Although my site's certificate is fine ("openssl verify mysite.com.cer" resulted in OK) and my site is SSL-certified, including the green lock in the URL bar, my site is generating a fatal alert: bad_certificate whenever a subscriber in my WSO2 app executes an API.
[2018-06-08 10:54:47,167] ERROR - SourceHandler I/O error: Received fatal alert: bad_certificate
javax.net.ssl.SSLException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.decryptData(SSLIOSession.java:378)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:413)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.validate(BaseIOReactor.java:218)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:281)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
I browsed through several Stack Overflow questions about 'bad_certificate' but found no solution.
To import my certificate I followed WSO2's docs:
openssl pkcs12 -export -in SSL_certificate_www_mysite_com.crt -inkey www.mysite.com.key -name "mykeys" -certfile mysite.com.cer -out mykeys.pfx
keytool -importkeystore -srckeystore mykeys.pfx -srcstoretype pkcs12 -destkeystore mykeys.jks -deststoretype JKS
keytool -export -alias "mykeys" -keystore mykeys.jks -file mykeys.pem
copied mykeys.pem and mykeys.jks to /usr/local/opt/wso2am-2.2.0/repository/resources/security/
keytool -import -alias "mykeys" -file mykeys.pem -keystore client-truststore.jks -storepass wso2carbon and answered yes to include the certificate
Then I had to change several configuration files to use mykeys instead of wso2carbon, so I did.
Then I restarted WSO2 Carbon, logged in and checked that mykeys.jks showed up in the list of keystores; it does.
My site is correctly SSL-certified, with the green lock showing in the URL bar. All works fine, up to the point where, logged in as Subscriber, I try to execute an API, which results in the response "ERROR - SourceHandler I/O error: Received fatal alert: bad_certificate" and the above-mentioned log coming from SourceHandler.
This error is logged in repository/logs/wso2-apigw-errors.log and wso2carbon.log, but only this message, nothing else.
Where should I look next to find out why my certificate is not getting validated correctly?
The problem is in the self-signed certificate.
Assume your service is published at this endpoint:
https://192.168.99.3:8243/first/1.0.0
Then you have to go, in a new browser window, to
https://192.168.99.3:8243/
and set the browser to always accept the HTTPS certificate.
After this the call in the API console should work.
If you have separate Store and Gateway instances, open gateway:9443/carbon in the browser and accept the self-signed certificate. That should work.

how to import public certificate for tomcat

org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
Are you trying to use your webapp as a client to a service based on HTTPS? If so, your webapp should be able to trust that service. If the service is created with a self-signed certificate you need to add that cert's CA root certificate to your cacerts as trusted. That can be done with keytool, which comes with the JRE/JDK.
keytool.exe -import -alias AliasForYourTrustedCert -file File.cer -trustcacerts -keystore %JAVA_HOME%\lib\security\cacerts

keytool cannot import certificate - failed to establish chain from reply

I would really appreciate it if someone could shed some light on the following issue. I have read the keytool documentation but could not find any hint as to what the problem could be here.
I created a keystore:
keytool -genkey -alias privateKeyName -keyalg RSA -keystore privateKeyName.jks -validity 720 -keysize 1024
I created a certificate request:
keytool -certreq -alias privateKeyName -keystore privateKeyName.jks -file certReqFileName.csr
After the signing authority gave me the .cer file, I tried to import it with:
keytool -import -alias privateKeyName -file certReqFileName_t_f.cer -keystore privateKeyName.jks
The import fails with:
keytool error: java.lang.Exception: Failed to establish chain from reply
I have been stuck on this for some time now, so any help would be awesome.
Thanks.
Take a look at the option -trustcacerts, if your CA is listed in the truststore. Additionally, you may have to add the CA's intermediate certificates to your keystore first.