I am trying to download a CSV file through Spring Boot App listed here
https://github.com/koushikkothagal/coronavirus-tracker/
"https://raw.githubusercontent.com/CSSEGISandData/COVID-19/master/csse_covid_19_data/csse_covid_19_time_series/time_series_19-covid-Confirmed.csv";
Getting exception as listed below.
If I change to http - no errors but also file not found.
Please guide.
Result of executing java SSLPoke raw.githubusercontent.com 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:384)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:289)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1308)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1199)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:721)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:998)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:379)
... 20 more
Solved it! Here are the Steps...
Download & Compile InstallCert.java
Location
https://github.com/escline/InstallCert
Then, run
java InstallCert <host_url>:443
Accept all certificates.
Once done - a new jssecacerts file would be generated
Copy the newly generated jssecacerts file to your $JAVA_HOME\jre\lib\security folder.
That's it.
You need to manually import target site SSL certificate to your trust store. The certificate can be added to Java central trust store or your custom trust store and provide the trust store in jvm argument.
Related
I am facing an issue where a TLS certificate (wildcard cert) is not resolved to a valid root cert in Java. Browsers (Firefox, Chrome) resolve it to be valid but not Java driven programs. We use a wildcart cert in our case.
certpath: Constraints: ...
...
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.llorllale.youtrack.api.DefaultProjects.get(DefaultProjects.java:80)
at com.company.youtrack.Main.main(Main.java:121)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 31 more
EDIT
I am running a YouTrack server inside our company network, not accessible from the internet. I configured the immediate certificate chain including the root certificate. But sadly the root certificate itself is not returned (tested it with openssl s_client).
I also like to mention that the server certificate is a wildcard certificate. I do not really know if that could lead to problems during verification...
EDIT
I know it is not best practice to return the self-signed root. Although I found comments throughout my research by people that state that sometimes it is necessary. I don't really know why it is necesssary to be sure... I analyzed code in PKIXValidator and it seemed to me that the validator is resolving the chain until it receives a cert whereby the issuer is equal to the subject. My problem is (as I analyzed with openssl s_client) that the server only returns the server cert and the 1st intermediate cert. But there's a 2nd intermediate cert and a root in addition. I filed a bug at youtrack. See https://youtrack.jetbrains.com/issue/JT-66316. There are comments which I did not made publicly available because of internals. When I resolved the issue, I will report the solution here. In the meanwhile I like to leave the issue open here.
Browsers use certificate AIA information while Java/Linux do not (by default). Your server in question may be configured to provide the certificate but not the certificates up to a trust anchor recognized by your Java application. openssl (s_client) or https://certcheckerapp.com/ can help you see what the server is actually returning.
This question already has answers here:
"PKIX path building failed" and "unable to find valid certification path to requested target"
(53 answers)
Unable to find valid certification path to requested target - error even after cert imported
(17 answers)
Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(29 answers)
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
(33 answers)
Closed 7 months ago.
I am using weblogic server which has keystores in use like :
Now when my application running on this server tries to download images from another server, it throws
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
I have added server certificates to these both DemoTrust.jks and JDK CACERTS using this link :
after adding certificates, it looks like :
And java certs has
As suggested by different posts, I have also added to startWeblogic.cmd
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.verbose=true
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.enable.renegotiation=true
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dsun.security.ssl.allowUnsafeRenegotiation=true
Am I missing something ? Any Suggestions ?
Edit 1 : Adding exception stacktrace
vax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at weblogic.security.SSL.jsseadapter.JaSSLEngine$1.run(JaSSLEngine.java:69)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:743)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.wrap(JaSSLEngine.java:67)
at weblogic.socket.JSSEFilterImpl.wrapAndWrite(JSSEFilterImpl.java:771)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:119)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:87)
at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:250)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:577)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:557)
at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:265)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:651)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:628)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:260)
at org.jsoup.helper.HttpConnection.get(HttpConnection.java:249)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:101)
at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:101)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:101)
at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:73)
at org.jboss.weld.ejb.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:52)
at sun.reflect.GeneratedMethodAccessor235.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:94)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy254.execute(Unknown Source)
at weblogic.ejb.container.internal.SessionLocalMethodInvoker.invoke(SessionLocalMethodInvoker.java:33)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
at weblogic.socket.JSSEFilterImpl.doTasks(JSSEFilterImpl.java:223)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:123)
... 44 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
at weblogic.security.SSL.jsseadapter.JaTrustManager.checkServerTrusted(JaTrustManager.java:128)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:999)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
... 52 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 60 more
Hello to whoever still looking for an answer,
Hope this helps you.
I also had similar issue in running my application in Jdeveloper 12.2.1.4.0.
Let me explain my situation and solution.
My application in Jdeveloper calls a REST api running in remote server.
I downloaded the cert from browser by loading the remote server URL. I uploaded to Demotrust.jks file in oracle middleware folder.
While running the application, I can see remote server cert appearing in Jdev logs (after turning on ssl debugging), but still the application was facing javax.net.ssl.SSLHandshakeException: General SSLEngine error while calling remote server REST api. I verified that the certificate is not expired.
In Weblogic admin console, I turned off Use KSS demo flag (Under Domain -> Security -> Advanced).
I have also set Hostname verification to None in SSL because its a wildcard certificate (Servers -> DefaultServer -> SSL -> advanced). Still getting the SSLEngine problem. I found one more thing that needs to be set correctly.
The remote server is running within corp network.
I found that proxy in Jdeveloper preferences is set to automatic. I set it to None (ofcourse test connection will fail and its ok) and restarted the server. With all of these configuration in place, the application is able to connect to REST API.
I installed OpenJDK 10. What I did was just unpack it, set the PATH variable and the JAVA_HOME variable.
Java even rejects the certificate of google.de (and all others I tried). I tested this by some dummy class that tries to connect. Outcome is:
C:\Users\Alexander\Downloads>java SSLPoke google.de 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:343)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777)
at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)
at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098)
at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)
at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
at java.base/sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:733)
at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:67)
at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:81)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 18 more
Found a lot on the net how to add special certs to java but i think in my java installation something is wrong in general.
So my question is what could cause such a thing???
You should verify root certificates inside the cacerts keystore. The file is stored in JAVA_HOME/jre/lib/security/cacerts (or JAVA_HOME/lib/security/cacerts in newer Java versions). As per OpenJDK 10 Now Includes Root CA Certificates post you can use keytool command to count them:
>jdk-10\bin\keytool -cacerts -list | find "Certificate" /c
Enter keystore password: changeit
80
Most likely your Java installation is corrupted and you should reinstall. Do note that OpenJDK is provided by multiple vendors and it could be that you are using an installer which doesn't install the root certificates.
Ended up installing oracle jdk 10 (also 10.0.2) and that works
C:\Users\Alexander\Downloads>java "SSLPoke" google.de 443
Successfully connected
When trying to clone a VSTS project repo to my Mac (via VS Code Terminal) I get the following certificate error
git clone https://abc-masked.visualstudio.com/Test/_git/Test.UI
Cloning into 'Test.UI'...
Configuration::loadGitConfiguration
Program::loadOperationArguments
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Program::EnableTraceLogging
Program::get
targetUri = https://abc-masked.visualstudio.com/
Program::ComponentFactory::createSecureStore
Getting a persistent token store that must be secure
Getting a persistent credential store that must be secure
Program::createAuthentication
detecting authority type
BaseVsoAuthentication::getAuthentication
BaseVsoAuthentication::detectAuthority
detected visualstudio.com, checking AAD vs MSA
Fatal error encountered. Details:
java.lang.Error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.microsoft.alm.authentication.BaseVsoAuthentication.detectAuthority(BaseVsoAuthentication.java:293)
at com.microsoft.alm.authentication.BaseVsoAuthentication.getAuthentication(BaseVsoAuthentication.java:324)
at com.microsoft.alm.gitcredentialmanager.Program.createAuthentication(Program.java:915)
at com.microsoft.alm.gitcredentialmanager.Program$ComponentFactory.createAuthentication(Program.java:1174)
at com.microsoft.alm.gitcredentialmanager.Program.initialize(Program.java:883)
at com.microsoft.alm.gitcredentialmanager.Program.get(Program.java:292)
at com.microsoft.alm.gitcredentialmanager.Program.access$200(Program.java:63)
at com.microsoft.alm.gitcredentialmanager.Program$3.call(Program.java:284)
at com.microsoft.alm.gitcredentialmanager.Program$3.call(Program.java:281)
at com.microsoft.alm.gitcredentialmanager.Program.innerMain(Program.java:195)
at com.microsoft.alm.gitcredentialmanager.Program.main(Program.java:123)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:163)
at com.microsoft.alm.helpers.HttpClient.head(HttpClient.java:97)
at com.microsoft.alm.authentication.BaseVsoAuthentication.detectAuthority(BaseVsoAuthentication.java:277)
... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313)
... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 31 more
fatal: credential helper '!java -Ddebug=true -Djava.net.useSystemProxies=true -jar /usr/local/Cellar/git-credential-manager/2.0.4/libexec/git-credential-manager-2.0.4.jar' told us to quit
I have tried the following:
Updated the Java version
I downloaded the certificate from my VSTS domain (abc-masked.visualstudio.com) and added it to the Java keystore but that did not help.
Also, I have git-credential-manager installed.
I am new to git, Can you please point me in the right direction?
Edit: This URL https://abc-masked.visualstudio.com/ when I open in the browser immediately redirects to https://dev.azure.com/abc-masked.So I added both *.dev.azure.com and *.visualstudio.com certs to both Mac keychain and Java Keystore
Virtually, you have to trust the certificate. Get trusted certificate to clone a repo. You can refer my github url, I am doing exactly the same to clone a repo.
https://github.com/debjava/ddlab-gitpusher-idea/blob/master/ddlab.gitpusher.core/src/main/java/com/ddlab/gitpusher/util/HTTPUtil.java
I have a JKS which I need for authentication to start making use of a SOAP webservice.
On my local machine (windows) all is working fine. For add the following to my startup parameters for Tomcat in Eclipse:
-Dsun.security.ssl.allowUnsafeRenegotiation=true -Djavax.net.ssl.keyStore="path\to\keystore\keystore.jks" -Djavax.net.ssl.keyStorePassword=passwordC -Djavax.net.ssl.keyStoreType=jks
In production (ubuntu) we have the following:
-Dsun.security.ssl.allowUnsafeRenegotiation=true -Djavax.net.ssl.keyStore=/path/to/keystore/keystore.jks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyStoreType=jks"
I'm using Java 1.7.0.80 and Tomcat 7.0.61
When I want to connect with the SOAP webservice I get the following Stacktrace:
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://www.correosexpress.com/wsp/services/GrabacionEnvio: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1359)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1343)
at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
... 121 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I checked the Java versions, tomcat versions.
I also checked if the path to the JKS is correct, which it is.
On my local machine, I did not install any other certificates manually. i.e I don't have any entry in the cacerts which is related to the content in the jks.
Check with java keytool that your certificate is present in certificates list.
Check that your java home and your jre are the same. In ubuntu it possible to have java_home with one version of java and default jre with other version(check this command - update-alternatives --config java)
If you added certificate to the correct version of java and it's present in certs list check that you use correct version of certificate.