When trying to clone a VSTS project repo to my Mac (via VS Code Terminal) I get the following certificate error
git clone https://abc-masked.visualstudio.com/Test/_git/Test.UI
Cloning into 'Test.UI'...
Configuration::loadGitConfiguration
Program::loadOperationArguments
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Configuration::tryGetEntry
Program::EnableTraceLogging
Program::get
targetUri = https://abc-masked.visualstudio.com/
Program::ComponentFactory::createSecureStore
Getting a persistent token store that must be secure
Getting a persistent credential store that must be secure
Program::createAuthentication
detecting authority type
BaseVsoAuthentication::getAuthentication
BaseVsoAuthentication::detectAuthority
detected visualstudio.com, checking AAD vs MSA
Fatal error encountered. Details:
java.lang.Error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.microsoft.alm.authentication.BaseVsoAuthentication.detectAuthority(BaseVsoAuthentication.java:293)
at com.microsoft.alm.authentication.BaseVsoAuthentication.getAuthentication(BaseVsoAuthentication.java:324)
at com.microsoft.alm.gitcredentialmanager.Program.createAuthentication(Program.java:915)
at com.microsoft.alm.gitcredentialmanager.Program$ComponentFactory.createAuthentication(Program.java:1174)
at com.microsoft.alm.gitcredentialmanager.Program.initialize(Program.java:883)
at com.microsoft.alm.gitcredentialmanager.Program.get(Program.java:292)
at com.microsoft.alm.gitcredentialmanager.Program.access$200(Program.java:63)
at com.microsoft.alm.gitcredentialmanager.Program$3.call(Program.java:284)
at com.microsoft.alm.gitcredentialmanager.Program$3.call(Program.java:281)
at com.microsoft.alm.gitcredentialmanager.Program.innerMain(Program.java:195)
at com.microsoft.alm.gitcredentialmanager.Program.main(Program.java:123)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:163)
at com.microsoft.alm.helpers.HttpClient.head(HttpClient.java:97)
at com.microsoft.alm.authentication.BaseVsoAuthentication.detectAuthority(BaseVsoAuthentication.java:277)
... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313)
... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 31 more
fatal: credential helper '!java -Ddebug=true -Djava.net.useSystemProxies=true -jar /usr/local/Cellar/git-credential-manager/2.0.4/libexec/git-credential-manager-2.0.4.jar' told us to quit
I have tried the following:
Updated the Java version
I downloaded the certificate from my VSTS domain (abc-masked.visualstudio.com) and added it to the Java keystore but that did not help.
Also, I have git-credential-manager installed.
I am new to git, Can you please point me in the right direction?
Edit: This URL https://abc-masked.visualstudio.com/ when I open in the browser immediately redirects to https://dev.azure.com/abc-masked.So I added both *.dev.azure.com and *.visualstudio.com certs to both Mac keychain and Java Keystore
Virtually, you have to trust the certificate. Get trusted certificate to clone a repo. You can refer my github url, I am doing exactly the same to clone a repo.
https://github.com/debjava/ddlab-gitpusher-idea/blob/master/ddlab.gitpusher.core/src/main/java/com/ddlab/gitpusher/util/HTTPUtil.java
Related
I am facing an issue where a TLS certificate (wildcard cert) is not resolved to a valid root cert in Java. Browsers (Firefox, Chrome) resolve it to be valid but not Java driven programs. We use a wildcart cert in our case.
certpath: Constraints: ...
...
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.llorllale.youtrack.api.DefaultProjects.get(DefaultProjects.java:80)
at com.company.youtrack.Main.main(Main.java:121)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 31 more
EDIT
I am running a YouTrack server inside our company network, not accessible from the internet. I configured the immediate certificate chain including the root certificate. But sadly the root certificate itself is not returned (tested it with openssl s_client).
I also like to mention that the server certificate is a wildcard certificate. I do not really know if that could lead to problems during verification...
EDIT
I know it is not best practice to return the self-signed root. Although I found comments throughout my research by people that state that sometimes it is necessary. I don't really know why it is necesssary to be sure... I analyzed code in PKIXValidator and it seemed to me that the validator is resolving the chain until it receives a cert whereby the issuer is equal to the subject. My problem is (as I analyzed with openssl s_client) that the server only returns the server cert and the 1st intermediate cert. But there's a 2nd intermediate cert and a root in addition. I filed a bug at youtrack. See https://youtrack.jetbrains.com/issue/JT-66316. There are comments which I did not made publicly available because of internals. When I resolved the issue, I will report the solution here. In the meanwhile I like to leave the issue open here.
Browsers use certificate AIA information while Java/Linux do not (by default). Your server in question may be configured to provide the certificate but not the certificates up to a trust anchor recognized by your Java application. openssl (s_client) or https://certcheckerapp.com/ can help you see what the server is actually returning.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 1 year ago.
Improve this question
I am trying to connect to Eclipse MQTT broker from https://mosquitto.org/ by using the sample code at
https://github.com/eclipse/paho.mqtt.java/blob/master/org.eclipse.paho.sample.mqttv3app/src/main/java/org/eclipse/paho/sample/mqttv3app/Sample.java
I generated the certificates with the instructions from this link.
http://www.steves-internet-guide.com/mosquitto-tls/
I tried many combination but it does not work. How can I get it working?
What should be values here?
case 'k': System.getProperties().put("javax.net.ssl.keyStore", args[++i]); break;
case 'w': System.getProperties().put("javax.net.ssl.keyStorePassword", args[++i]); break;
case 'r': System.getProperties().put("javax.net.ssl.trustStore", args[++i]); break;
I get this output
"C:\Program Files\JetBrains\IntelliJ IDEA 2021.1\jbr\bin\java.exe" "-javaagent:C:\Program Files\JetBrains\IntelliJ IDEA 2021.1\lib\idea_rt.jar=64136:C:\Program Files\JetBrains\IntelliJ IDEA 2021.1\bin" -Dfile.encoding=UTF-8 -classpath D:\Github\eclipse-paho\org.eclipse.paho.sample.mqttv3app\bin;D:\Github\eclipse-paho\org.eclipse.paho.sample.mqttv3app\lib\org.eclipse.paho.client.mqttv3-1.2.1.jar org.eclipse.paho.sample.mqttv3app.Sample
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.eclipse.paho.client.mqttv3.internal.FileLock (file:/D:/Github/eclipse-paho/org.eclipse.paho.sample.mqttv3app/lib/org.eclipse.paho.client.mqttv3-1.2.1.jar) to method sun.nio.ch.FileLockImpl.release()
WARNING: Please consider reporting this to the maintainers of org.eclipse.paho.client.mqttv3.internal.FileLock
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Connecting to ssl://Dactyl:8883 with client ID SampleJavaV3_publish
reason 0
msg MqttException
loc MqttException
cause javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
excep MqttException (0) - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
MqttException (0) - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1408)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1314)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 20 more
Process finished with exit code 0
As the help text clearly states
-r Use this JKS format keystore to verify the server
You need to generate Java KeyStores from the files you have.
Since you don't appear to have any client certs/keys we will assume you are just trying to verify the brokers certificate is issued by a trusted CA. So you will need to add the CA cert to a JKS and pass it with the -r option.
I am trying to download a CSV file through Spring Boot App listed here
https://github.com/koushikkothagal/coronavirus-tracker/
"https://raw.githubusercontent.com/CSSEGISandData/COVID-19/master/csse_covid_19_data/csse_covid_19_time_series/time_series_19-covid-Confirmed.csv";
Getting exception as listed below.
If I change to http - no errors but also file not found.
Please guide.
Result of executing java SSLPoke raw.githubusercontent.com 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:384)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:289)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1308)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1199)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:721)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:998)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:379)
... 20 more
Solved it! Here are the Steps...
Download & Compile InstallCert.java
Location
https://github.com/escline/InstallCert
Then, run
java InstallCert <host_url>:443
Accept all certificates.
Once done - a new jssecacerts file would be generated
Copy the newly generated jssecacerts file to your $JAVA_HOME\jre\lib\security folder.
That's it.
You need to manually import target site SSL certificate to your trust store. The certificate can be added to Java central trust store or your custom trust store and provide the trust store in jvm argument.
I am developing a Java application that provides a REST API over HTTP.
For security reasons this communication should be switched to HTTPS.
I generate a trusted certificate from Let's Encrypt using certbot tool, this certificate seems to be working when I call my API from Chrome browser, but I get this exception when I use a Java 1.8.0_191 client based on Spring RestTemplate:
Exception in thread "main"
org.springframework.web.client.ResourceAccessException: I/O error on GET
request for "https://hostname/api/v1/event":
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target; nested exception is
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at
org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:743)
at
org.springframework.web.client.RestTemplate.execute(RestTemplate.java:669)
at
org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:578)
at
com.swingws.wiser.tasks.GetFrimwareVersionTask.main(GetFrimwareVersionTask.
java:80)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:
1639)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:
1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(
AbstractD
elegateHttpsURLConnection.java:185)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.connect
(HttpsURLConnectionImpl.java:162)
at
org.springframework.http.client.SimpleBufferingClientHttpRequest.
executeInternal(SimpleBufferingClientHttpRequest.java:76)
at
org.springframework.http.client.AbstractBufferingClientHttpRequest
.executeIntern
al(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.
execute(AbstractClient HttpRequest.java:53)
at
org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:734)
... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:
324)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java
:229)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(
X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(
ClientHandshaker.java:1621)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(
SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 23 more
Is there any way to make this working without adding this certificate to Java clients keystore ?
We had the same issue and in our case the server that we contacted was misconfigured. It did not provide the full certificate chain. You can check that using this tool.
When the server is under your control, you should be able to configure this. When using Apache, you can configure this using SSLCertificateChainFile. See also this answer
I want to send my Error-Logs to my Graylog2 server with ssl. Unfortunately, I always get exceptions. I have installed my ssl/tls certificates in Java's cacerts. Also the certificate exists on my Graylog-Server.
Exceptions:
log4j:ERROR General SSLEngine problem
java.io.IOException: Cannot send data to 192.168.10.74:12202
at biz.paluch.logging.gelf.intern.sender.GelfTCPSender.sendMessage(GelfTCPSender.java:126)
at biz.paluch.logging.gelf.log4j.GelfLogAppender.append(GelfLogAppender.java:92)
at org.apache.log4j.AppenderSkeleton.doAppend(AppenderSkeleton.java:251)
at org.apache.log4j.helpers.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:66)
at org.apache.log4j.Category.callAppenders(Category.java:206)
at org.apache.log4j.Category.forcedLog(Category.java:391)
at org.apache.log4j.Category.error(Category.java:322)
at logging.J2Graylog.main(J2Graylog.java:19)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1336)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1169)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at biz.paluch.logging.gelf.intern.sender.GelfTCPSSLSender.doHandshake(GelfTCPSSLSender.java:200)
at biz.paluch.logging.gelf.intern.sender.GelfTCPSSLSender.connect(GelfTCPSSLSender.java:61)
at biz.paluch.logging.gelf.intern.sender.GelfTCPSender.sendMessage(GelfTCPSender.java:103)
... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1703)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:281)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:841)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:839)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1273)
at biz.paluch.logging.gelf.intern.sender.GelfTCPSSLSender.doHandshake(GelfTCPSSLSender.java:240)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1433)
... 16 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 22 more
log4j.properties:
log4j.appender.graylog2=biz.paluch.logging.gelf.log4j.GelfLogAppender
log4j.appender.graylog2.Host=ssl:myGraylogHost
log4j.appender.graylog2.Port=myPort
log4j.appender.graylog2.originHost=localhost
log4j.appender.graylog2.layout=org.apache.log4j.PatternLayout
log4j.appender.graylog2.layout.ConversionPattern=%d |%t|%c{1}| %-5p - %m%n
log4j.appender.graylog2.additionalFields={'environment': 'DEV', 'application': 'MyAPP'}
log4j.appender.graylog2.extractStackTrace=true
log4j.appender.graylog2.addExtendedInformation=true
log4j.appender.graylog2.Facility=gelf-java
Can someone tell me, why it throws so many exceptions?
Check following points
the code which is giving this exception is using which jre installation.go there and put certificate for your url.
you are using root certificate.
In addition to #jaydeep's post:
Verify the basic interoperability of your SSL setup. You can use a rather simple tool, see https://gist.github.com/4ndrej/4547029.
logstash-gelf provides some configuration options regarding SSL, see TCP Sender SSL documentation.
I noticed you're using IP addresses for the host name. Make sure your certificate contains the IP address as subject or Subject Alternative Name (IP SANs).