I'm trying to get tweets using twitter4j library for my java project which uses under the covers java.net.HttpURLConnection (as can be seen in stack trace). On my first run I got an error about certificate sun.security.validator.ValidatorException and sun.security.provider.certpath.SunCertPathBuilderException. Then I added twitter certificate by:
C:\Program Files\Java\jdk1.7.0_45\jre\lib\security>keytool -importcert -trustcacerts -file PathToCert -alias ca_alias -keystore "C:\Program Files\Java\jdk1.7.0_45\jre\lib\security\cacerts"
But without success. Here is the procedure to get tweets:
public static void main(String[] args) throws TwitterException {
ConfigurationBuilder cb = new ConfigurationBuilder();
cb.setDebugEnabled(true)
.setOAuthConsumerKey("myConsumerKey")
.setOAuthConsumerSecret("myConsumerSecret")
.setOAuthAccessToken("myAccessToken")
.setOAuthAccessTokenSecret("myAccessTokenSecret");
TwitterFactory tf = new TwitterFactory(cb.build());
Twitter twitter = tf.getInstance();
try {
Query query = new Query("iphone");
QueryResult result;
result = twitter.search(query);
System.out.println("Total amount of tweets: " + result.getTweets().size());
List<Status> tweets = result.getTweets();
for (Status tweet : tweets) {
System.out.println("#" + tweet.getUser().getScreenName() + " : " + tweet.getText());
}
} catch (TwitterException te) {
te.printStackTrace();
System.out.println("Failed to search tweets: " + te.getMessage());
}
And here is the error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Relevant discussions can be found on the Internet at:
http://www.google.co.jp/search?q=d35baff5 or
http://www.google.co.jp/search?q=1446302e
TwitterException{exceptionCode=[d35baff5-1446302e 43208640-747fd158 43208640-747fd158 43208640-747fd158], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=3.0.5}
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:177)
at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:61)
at twitter4j.internal.http.HttpClientWrapper.get(HttpClientWrapper.java:81)
at twitter4j.TwitterImpl.get(TwitterImpl.java:1929)
at twitter4j.TwitterImpl.search(TwitterImpl.java:306)
at jku.cc.servlets.TweetsAnalyzer.main(TweetsAnalyzer.java:38)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at twitter4j.internal.http.HttpResponseImpl.<init>(HttpResponseImpl.java:34)
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:141)
... 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 26 more
Failed to search tweets: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Go to URL in your browser:
firefox - click on HTTPS certificate chain (the lock icon right next to URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pickup the name and choose file type example.cer
chrome - click on site icon left to address in address bar, select "Certificate" -> "Details" -> "Export" and save in format "Der-encoded binary, single certificate".
Now you have file with keystore and you have to add it to your JVM. Determine location of cacerts files, eg.
C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.
Next import the example.cer file into cacerts in command line (may need administrator command prompt):
keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer
You will be asked for password which default is changeit
Restart your JVM/PC.
source:
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
After many hours trying to build cert files to get my Java 6 installation working with the new twitter cert's, I finally stumbled onto an incredibly simple solution buried in a comment in one of the message boards. Just copy the cacerts file from a Java 7 installation and overwrite the one in your Java 6 installation. Probably best to make a backup of the cacerts file first, but then you just copy the new one in and BOOM! it just works.
Note that I actually copied a Windows cacerts file onto a Linux installation and it worked just fine.
The file is located in jre/lib/security/cacerts in both the old and new Java jdk installations.
Hope this saves someone else hours of aggravation.
MY UI approach:
Download keystore explorer from here
Open $JAVA_HOME/jre/lib/security/cacerts
enter PW: changeit (Can be changeme on Mac)
Import your .crt file
CMD-Line:
keytool -importcert -file jetty.crt -alias jetty -keystore $JAVA_HOME/jre/lib/security/cacerts
enter PW: changeit (Can be changeme on Mac)
1. Check the certificate
Try to load the target URL in browser and view the site's certificate (usually it's accessible by the icon with the lock sign. It's on the left or right side of the browser's address bar) whether it's expired or untrusted by other reason.
2. Install latest versions of JRE and JDK
New versions usually come with the updated set of the trusted certificates.
Also if it's possible, uninstall old versions. This will make misconfiguration errors explicit.
3. Check your configuration:
Check where your JAVA_HOME environment variable points to.
Check which java version you use to run the program. In IntelliJ check:
File -> Project Structure... -> Project Settings -> Project -> Project SDK:
File -> Project Structure... -> Platform Settings -> SDKs
4. Copy whole keystore from the new Java version
If you develop under the JDK other than the latest available - try to replace the %JAVA_HOME%/jre/lib/security/cacerts file with the new one from the latest installed JRE (make a backup copy first) as #jeremy-goodell suggests in his answer
5. Add certificate(s) to your keystore
If nothing above solves your problem use keytool to save certificate(s) to the Java's keystore:
keytool -trustcacerts -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit -importcert -alias <alias_name> -file <path_to_crt_file>
File with the certificate can be obtained from the browser as #MagGGG suggests in his answer.
Note 1: you may need to repeat this for every certificate in the chain to you site's certificate. Start from the root one.
Note 2: <alias_name> should be unique among the keys in the store or keytool will show an error.
To get list of all the certificates in the store you may run:
keytool -list -trustcacerts -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit
In case something goes wrong this will help you to remove certificate from the store:
keytool -delete -alias <alias_name> -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit
-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true
It is used for jump the certificate validation.
Warning!
Only use for development purposes for this is unsecure!
I have stumbled upon this issue which took many hours of research to fix, specially with auto-generated certificates, which unlike Official ones, are quite tricky and Java does not like them that much.
Please check the following link: Solve Problem with certificates in Java
Basically you have to add the certificate from the server to the Java Home certs.
Generate or Get your certificate and configure Tomcat to use it in Servers.xml
Download the Java source code of the class InstallCert and execute it while the server is running, providing the following arguments server[:port]. No password is needed, as the original password works for the Java certs ("changeit").
The Program will connect to the server and Java will throw an exception, it will analyze the certificate provided by the server and allow you to create a jssecerts file inside the directory where you executed the Program (If executed from Eclipse then make sure you configure the Work directory in Run -> Configurations).
Manually copy that file to $JAVA_HOME/jre/lib/security
After following these steps, the connections with the certificate will not generate exceptions anymore within Java.
The following source code is important and it disappeared from (Sun) Oracle blogs, the only page I found it was on the link provided, therefore I am attaching it in the answer for any reference.
/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* Originally from:
* http://blogs.sun.com/andreas/resource/InstallCert.java
* Use:
* java InstallCert hostname
* Example:
*% java InstallCert ecc.fedora.redhat.com
*/
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Class used to add the server's certificate to the KeyStore
* with your trusted certificates.
*/
public class InstallCert {
public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = p.toCharArray();
} else {
System.out.println("Usage: java InstallCert [:port] [passphrase]");
return;
}
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory factory = context.getSocketFactory();
System.out.println("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}
BufferedReader reader =
new BufferedReader(new InputStreamReader(System.in));
System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println
(" " + (i + 1) + " Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println(" sha1 " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println(" md5 " + toHexString(md5.digest()));
System.out.println();
}
System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
int k;
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();
System.out.println();
System.out.println(cert);
System.out.println();
System.out.println
("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}
Mac
The accepted answer does not work for Mac as there is no Export button available in Mac (Chrome or Firefox). Please check this answer to download the certificate and follow the next steps as mentioned below:
List all certificates installed in the keystore:
cd $JAVA_HOME/lib/security
keytool -list -keystore cacerts
Notes:
The default password of the keystore is: changeit.
For Java-8 or lower version use the command, cd $JAVA_HOME/jre/lib/security
Before you import the certificate in the keystore, make a backup of the keystore:
sudo cp cacerts cacerts.bak
Import the downloaded certificate in the keystore:
sudo keytool -importcert -alias youralias -file /path/to/the/downloaded/certificate -keystore cacerts
Check if the certificate is stored in the keystore:
sudo keytool -list -keystore cacerts -alias youralias
If you want to see more detailed information, add the -v flag:
sudo keytool -v -list -keystore cacerts -alias youralias
I wanted to import certificate for smtp.gmail.com. The only solution that worked for me is
Enter command to view this certificate
D:\openssl\bin\openssl.exe s_client -connect smtp.gmail.com:465
Copy and save the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a file, gmail.cer
Run
keytool -import -alias smtp.gmail.com -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file C:\Users\Admin\Desktop\gmail.cer
Enter password: changeit
Click "Yes" to import the certificate
Restart Java
Now run the command and you are good to go.
I had a slightly different situation, when both JDK and JRE 1.8.0_112 were present on my system.
I imported the new CA certificates into [JDK_FOLDER]\jre\lib\security\cacerts using the already known command:
keytool -import -trustcacerts -keystore cacerts -alias <new_ca_alias> -file <path_to_ca_cert_file>
Still, I kept getting the same PKIX path building failed error.
I added debug information to the java CLI, by using java -Djavax.net.debug=all ... > debug.log. In the debug.log file, the line that begins with trustStore is: actually pointed to the cacerts store found in [JRE_FOLDER]\lib\security\cacerts.
In my case the solution was to copy the cacerts file used by JDK (which had the new CAs added) over the one used by the JRE and that fixed the issue.
This isn't a Twitter-specific answer, but this is the question that comes up when you search for this error. If your system is receiving this error when connecting to a website that appears to have a valid certificate when viewed in a web browser, that probably means that website has an incomplete certificate chain.
For a brief summary of the problem: Certificate Authorities don't use their Root Certificate to sign just any old certificate. Instead, they (usually) sign intermediate certificates that also have the Certificate Authority flag set (that is, are allowed to sign certificates). Then when you purchase a certificate from a CA, they sign your CSR with one of these intermediate certificates.
Your Java trust store most likely only has the Root Cert, not the intermediate ones.
A misconfigured site might return just their signed cert. Problem: it was signed with an intermediate cert that's not in your trust store. Browsers will handle this problem by downloading or using a cached intermediate certificate; this maximizes website compatibility. Java and tools like OpenSSL, however, won't. And that will cause the error in the question.
You can verify this suspicion by using the Qualys SSL Test. If you run that against a site and it says
This server's certificate chain is incomplete.
then that confirms it. You can also see this by looking at the certification paths and seeing the text Extra Download.
How to fix it: the server administrator needs to configure the web server to return the intermediate certificates as well. For Comodo, for example, this is where the .ca-bundle file comes in handy. For example, in an Apache configuration with mod_ssl, you'd use the SSLCertificateChainFile configuration setting. For nginx, you need to concatenate the intermediate certificates and the signed certificate and use that in the SSL cert configuration. You can find more by searching for "incomplete certificate chain" online.
Issue Background:
I was getting following error when i try to run mvn clean install in my project and through Netbeans IDE clean and build option.
This issue is due to certificate not available when we download through NET beans IDE/through command prompt, but able to download the files through the browser.
Error:
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact com.java.project:product:jar:1.0.32 from/to repo-local (https://url/local-repo): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Resolution:
1. Download the certificate of the Url in question:
Launch IE by "run as adminstrator" (otherwise, we will not be able to download the certificate)
Enter the url in IE-> https://url/local-repo
(In my case this url had a untrusted certificate.)
Download the certificate by clicking on Certificate error -> view certificate
Select Details tab -> copy to file -> next -> select "DER encoded binary X.509 (.CER)
save the certificate in some location, example : c:/user/sheldon/desktop/product.cer
Congrats! you have successfully downloaded the certificate for the site
2. Now install the key store to fix the issue.
Run the keytool command to append the downloaded keystore into the
existing certificate file.
Command: Below command in the bin folder of jdk (JAVA_HOME).
C:\Program Files\Java\jdk1.8.0_141\jre\bin>keytool -importcert -file
"C:/user/sheldon/desktop/product.cer" -alias product -keystore
"C:/Program Files/Java/jdk1.8.0_141/jre/lib/security/cacerts".
You will be prompted to enter password. Enter keystore password:
enter "changeit" again for "Trust this certificate? [no]:", enter
"yes"
Sample command line commands/output:
keytool -importcert -file "C:/Users/sheldon/Desktop/product.cer" -alias product -keystore "C:/Program iles/Java/jdk1.8.0_141/jre/lib/security/cacerts"
Enter keystore password:
Trust this certificate? [no]: yes
Certificate was added to keystore
Contgrats! now you should have got rid of "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException" error in your Netbeans IDE.
This is a solution but in form of my story with this problem:
I was almost dead trying all the solutions given above(for 3 days ) and nothing worked for me.
I lost all hope.
I contacted my security team regarding this because I was behind a proxy and they told me that they had recently updated their security policy.
Later they issued a new "cacerts" file which contains all the certificates.
I removed the cacerts file which is present inside %JAVA_HOME%/jre/lib/security and it solved my problem.
So if you are facing this issue it might be from your network team also like this.
After struggling for half-day, found one more way to solve this problem. I was able to solve this in MAC 10.15.5 ( Catalina). Followed the below steps.
This problem occurs when we are running behind a company proxy , In my case its Zscaler.
Open Key chain access, export CA certificate.(Select CA certificate, File->export items and save with the desired name)
Copy the path of existing cacerts from java folder(/Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/lib/security/cacerts
)
Open terminal and navigate to the Keytool folder (/Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/bin
)
Run the below command.
Keytool -importcert - file (Path to exported cert from the keychainaccess) -alias (give a name) -keystore (Path of existing cacerts from java folder)
sudo Keytool -importcert -file /Users/Desktop/RootCA.cer -alias demo -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/lib/security/cacerts
It will ask for password , give it as : changeit
It asks for confirmation , Say : yes
After all of these steps, Quit eclipse and terminal start fresh session.
The reason, we get above error is that JDK is bundled with a lot of trusted Certificate Authority(CA) certificates into a file called ‘cacerts’ but this file has no clue of our self-signed certificate. In other words, the cacerts file doesn’t have our self-signed certificate imported and thus doesn’t treat it as a trusted entity and hence it gives the above error.
How to fix the above error
To fix the above error, all we need is to import the self-signed certificate into the cacerts file.
First, locate the cacerts file. We will need to find out the JDK location. If you are running your application through one of the IDE’s like Eclipse or IntelliJ Idea go to project settings and figure out what is the JDK location.
For e.g on a Mac OS typical location of cacerts file would be at this location /Library/Java/JavaVirtualMachines/ {{JDK_version}}/Contents/Home/jre/lib/security
on a Window’s machine it would be under {{Installation_directory}}/{{JDK_version}}/jre/lib/security
Once you have located the cacerts file, now we need to import our self-signed certificate to this cacerts file. Check the last article, if you don’t know how to generate the self-signed certificate correctly.
If you don’t have a certificate file(.crt) and just have a .jks file you can generate a .crt file by using below command. In case you already have a .crt/.pem file then you can ignore below command
##To generate certificate from keystore(.jks file) ####
keytool -export -keystore keystore.jks -alias selfsigned -file selfsigned.crt
Above step will generate a file called selfsigned.crt.Now Import the certificate to cacerts
Now add the certificate to JRE/lib/security/cacerts (trustore)
keytool -importcert -file selfsigned.crt -alias selfsigned -keystore {{cacerts path}}
for e.g
keytool -importcert -file selfsigned.nextgen.crt -alias selfsigned.nextgen -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts
That’s all, restart your application and it should work fine. If it still doesn’t work and get an SSL handshake exception. It probably means you are using different domain then registered in the certificate.
The Link with detailed explanation and step by step resolution is over here.
I was facing the same issue and get it resolved using the below simple steps:
1) Download the InstallCert.java from google
2) Compile it using javac InstallCert.java
3) Run InstallCert.java using java InstallCert.java, with the hostname and https port, and press “1” when asking for input. It will add the “localhost” as a trusted keystore, and generate a file named “jssecacerts“ as below:
java InstallCert localhost:443
4) copy the jssecacerts into $JAVA_HOME/jre/lib/security folder
Main source to resolve the issue here is:
https://ankurjain26.blogspot.in/2017/11/javaxnetsslsslhandshakeexception.html
Problem is, your eclipse is not able to connect the site which actually it is trying to.
I have faced similar issue and below given solution worked for me.
Turn off any third party internet security application e.g. Zscaler
Sometimes also need to disconnect VPN if you are connected.
Thanks
Adding cacerts did not work for me.
After enabling log with flag -Djavax.net.debug=all, then came to know java reading from jssecacerts.
Import to jssecacerts worked finally.
For me, certificate error popped up because I had fiddler running in background and that messes up with certificate. It acts as a proxy so close that and restart eclipse.
I came across this question while trying to install the Cucumber-Eclipse plugin in Eclipse via their update site. I received the same SunCertPathBuilderException error:
Unable to read repository at http://cucumber.io/cucumber-eclipse/update-site/content.xml.
Unable to read repository at http://cucumber.io/cucumber-eclipse/update-site/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
While some of the other answers are appropriate and helpful for this question's given situation, they were nevertheless unhelpful and misleading for my issue.
In my case, the issue was that the URL provided for their update site is:
https://cucumber.io/cucumber-eclipse/update-site
However when navigating to it via a browser, it redirected to (note the added ".github"):
http://cucumber.github.io/cucumber-eclipse/update-site/
So the resolution is to simply use the redirected version of the update site URL when adding the update site in eclipse.
goals:
use https connections
verify SSL chains
do not deal with cacerts
add certificate in runtime
do not lose certificates from cacerts
How to do it:
define own keystore
put certificate into keystore
redefine SSL default context with our custom class
???
profit
My Keystore wrapper file:
public class CertificateManager {
private final static Logger logger = Logger.getLogger(CertificateManager.class);
private String keyStoreLocation;
private String keyStorePassword;
private X509TrustManager myTrustManager;
private static KeyStore myTrustStore;
public CertificateManager(String keyStoreLocation, String keyStorePassword) throws Exception {
this.keyStoreLocation = keyStoreLocation;
this.keyStorePassword = keyStorePassword;
myTrustStore = createKeyStore(keyStoreLocation, keyStorePassword);
}
public void addCustomCertificate(String certFileName, String certificateAlias)
throws Exception {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
Certificate certificate = myTrustStore.getCertificate(certificateAlias);
if (certificate == null) {
logger.info("Certificate not exists");
addCertificate(certFileName, certificateAlias);
} else {
logger.info("Certificate exists");
}
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(myTrustStore);
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
setMytrustManager((X509TrustManager) tm);
logger.info("Trust manager found");
break;
}
}
}
private InputStream fullStream(String fname) throws IOException {
ClassLoader classLoader = getClass().getClassLoader();
InputStream resource = classLoader.getResourceAsStream(fname);
try {
if (resource != null) {
DataInputStream dis = new DataInputStream(resource);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
return new ByteArrayInputStream(bytes);
} else {
logger.info("resource not found");
}
} catch (Exception e) {
logger.error("exception in certificate fetching as resource", e);
}
return null;
}
public static KeyStore createKeyStore(String keystore, String pass) throws Exception {
try {
InputStream in = CertificateManager.class.getClass().getResourceAsStream(keystore);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(in, pass.toCharArray());
logger.info("Keystore was created from resource file");
return keyStore;
} catch (Exception e) {
logger.info("Fail to create keystore from resource file");
}
File file = new File(keystore);
KeyStore keyStore = KeyStore.getInstance("JKS");
if (file.exists()) {
keyStore.load(new FileInputStream(file), pass.toCharArray());
logger.info("Default keystore loaded");
} else {
keyStore.load(null, null);
keyStore.store(new FileOutputStream(file), pass.toCharArray());
logger.info("New keystore created");
}
return keyStore;
}
private void addCertificate(String certFileName, String certificateAlias) throws CertificateException,
IOException, KeyStoreException, NoSuchAlgorithmException {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream certStream = fullStream(certFileName);
Certificate certs = cf.generateCertificate(certStream);
myTrustStore.setCertificateEntry(certificateAlias, certs);
FileOutputStream out = new FileOutputStream(getKeyStoreLocation());
myTrustStore.store(out, getKeyStorePassword().toCharArray());
out.close();
logger.info("Certificate pushed");
}
public String getKeyStoreLocation() {
return keyStoreLocation;
}
public String getKeyStorePassword() {
return keyStorePassword;
}
public X509TrustManager getMytrustManager() {
return myTrustManager;
}
public void setMytrustManager(X509TrustManager myTrustManager) {
this.myTrustManager = myTrustManager;
}
}
This class will create keystore if necessary, and will be able to manage certificates inside of it. Now class for SSL context:
public class CustomTrustManager implements X509TrustManager {
private final static Logger logger = Logger.getLogger(CertificateManager.class);
private static SSLSocketFactory socketFactory;
private static CustomTrustManager instance = new CustomTrustManager();
private static List<CertificateManager> register = new ArrayList<>();
public static CustomTrustManager getInstance() {
return instance;
}
private X509TrustManager defaultTm;
public void register(CertificateManager certificateManager) {
for(CertificateManager manager : register) {
if(manager == certificateManager) {
logger.info("Certificate manager already registered");
return;
}
}
register.add(certificateManager);
logger.info("New Certificate manager registered");
}
private CustomTrustManager() {
try {
String algorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
tmf.init((KeyStore) null);
boolean found = false;
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
defaultTm = (X509TrustManager) tm;
found = true;
break;
}
}
if(found) {
logger.info("Default trust manager found");
} else {
logger.warn("Default trust manager was not found");
}
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{this}, null);
SSLContext.setDefault(sslContext);
socketFactory = sslContext.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
logger.info("Custom trust manager was set");
} catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException e) {
logger.warn("Custom trust manager can't be set");
e.printStackTrace();
}
}
#Override
public X509Certificate[] getAcceptedIssuers() {
List<X509Certificate> out = new ArrayList<>();
if (defaultTm != null) {
out.addAll(Arrays.asList(defaultTm.getAcceptedIssuers()));
}
int defaultCount = out.size();
logger.info("Default trust manager contain " + defaultCount + " certficates");
for(CertificateManager manager : register) {
X509TrustManager customTrustManager = manager.getMytrustManager();
X509Certificate[] issuers = customTrustManager.getAcceptedIssuers();
out.addAll(Arrays.asList(issuers));
}
logger.info("Custom trust managers contain " + (out.size() - defaultCount) + " certficates");
X509Certificate[] arrayOut = new X509Certificate[out.size()];
return out.toArray(arrayOut);
}
#Override
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
for(CertificateManager certificateManager : register) {
X509TrustManager customTrustManager = certificateManager.getMytrustManager();
try {
customTrustManager.checkServerTrusted(chain, authType);
logger.info("Certificate chain (server) was aproved by custom trust manager");
return;
} catch (Exception e) {
}
}
if (defaultTm != null) {
defaultTm.checkServerTrusted(chain, authType);
logger.info("Certificate chain (server) was aproved by default trust manager");
} else {
logger.info("Certificate chain (server) was rejected");
throw new CertificateException("Can't check server trusted certificate.");
}
}
#Override
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
try {
if (defaultTm != null) {
defaultTm.checkClientTrusted(chain, authType);
logger.info("Certificate chain (client) was aproved by default trust manager");
} else {
throw new NullPointerException();
}
} catch (Exception e) {
for(CertificateManager certificateManager : register) {
X509TrustManager customTrustManager = certificateManager.getMytrustManager();
try {
customTrustManager.checkClientTrusted(chain, authType);
logger.info("Certificate chain (client) was aproved by custom trust manager");
return;
} catch (Exception e1) {
}
}
logger.info("Certificate chain (client) was rejected");
throw new CertificateException("Can't check client trusted certificate.");
}
}
public SSLSocketFactory getSocketFactory() {
return socketFactory;
}
}
This class made as singleton, because only one defaultSSL context allowed. So, now usage:
CertificateManager certificateManager = new CertificateManager("C:\\myapplication\\mykeystore.jks", "changeit");
String certificatePath = "C:\\myapplication\\public_key_for_your_ssl_service.crt";
try {
certificateManager.addCustomCertificate(certificatePath, "alias_for_public_key_for_your_ssl_service");
} catch (Exception e) {
log.error("Can't add custom certificate");
e.printStackTrace();
}
CustomTrustManager.getInstance().register(certificateManager);
Possibly, it will not work with this settings, because I keep certificate file inside of resource folder, so my path is not absolute. But generally, it work perfectly.
If your repository URL also work on HTTP and the security is not a concern, you can go to settings.xml (often, but not always, located in %USERPROFILE%/.m2) and replace HTTPS with HTTP for <repository> and <pluginRepository> URLs.
For example, this:
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://<artifactory>/libs-release</url>
</repository>
should be replaced by this:
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://<artifactory>/libs-release</url>
</repository>
I was using my own trust store rather than JRE one by passing arg -Djavax.net.ssl.trustStore=
I was getting this error regardless of certs in truststore. The issue for me was the ordering of of the properties passed on arg line.
When i put -Djavax.net.ssl.trustStore=& -Djavax.net.ssl.trustStorePassword= before -Dspring.config.location= & -jar args i was able to successfully invoke my rest call over https.
I solved this issue on Windows Server 2016 with Java 8, by importing cert from pkcs12 store to cacerts keystore.
Path to pkcs12 store:
C:\Apps\pkcs12.pfx
Path to Java cacerts:
C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts
Path to keytool:
C:\Program Files\Java\jre1.8.0_151\bin
After possitioning to folder with keytool in command prompt (as administrator), command to import cert from pkcs12 to cacerts is as follows:
keytool -v -importkeystore -srckeystore C:\Apps\pkcs12.pfx -srcstoretype PKCS12 -destkeystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -deststoretype JKS
You will be prompted to:
1. enter destination keystore password (cacerts pasword, default is "changeit")
2. enter source keystore password (pkcs12 password)
For changes to take effect, restart server machine (or just restart JVM).
I ran into same issue but updating wrong jre on my linux machine. It is highly likely that tomcat is using different jre and your cli prompt is configured to use a different jre.
Make sure you are picking up the correct jre.
Step #1:
ps -ef | grep tomcat
You will see some thing like:
root 29855 1 3 17:54 pts/3 00:00:42 /usr/java/jdk1.7.0_79/jre/bin/java
Now use this:
keytool -import -alias example -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts -file cert.cer
PWD: changeit
*.cer file can be geneated as shown below: (or you can use your own)
openssl x509 -in cert.pem -outform pem -outform der -out cert.cer
If you are still getting this error
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
after executing the below command and restarting the java process
keytool -import -alias certificatealias -keystore C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts -file certificate.cer
Then there is some issue in JDK. Try to install JDK from a trusted provider.
Once you reinstalled it from trusted provider you won't face this issue.
Simple Steps to resolve this Exception, (I did it on java 11),
First you need to Download the public SSL certificate file of the target domain that you are trying to call,for that
Open the target domain website in the chrome (Example: https://amazonservice.domain.com)
Click on the small lock icon before the URL in the browser
Click View certificates
Now Click on Certificate is valid as shown below
Now a new Popup will open as shown below,
Open the details tab
Select the RootCert at the top
Click Export and save the .cer file to your system in a directory
Now you have the public keystore of your target domain which you are trying to call in your java application,now we need to impot that keystore into you jre,for that go to the $JAVA_HOME/bin directory and run the following command
./keytool -importcert -alias someAliasName -keystore {JAVA_HOME}/lib/security/cacerts -file {PathToDownloads}/certificateFileName.cer
It will ask you for password, enter the password if you know, the default password for the certificate is changeit
References
https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html
https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html
In case your host sits behind firewall/proxy , use following command in cmd:
keytool -J-Dhttps.proxyHost=<proxy_hostname> -J-Dhttps.proxyPort=<proxy_port> -printcert -rfc -sslserver <remote_host_name:remote_ssl_port>
Replace <proxy_hostname> and <proxy_port> with the HTTP proxy server that is configured. Replace <remote_host_name:remote_ssl_port> with one of the remote host (basically url) and port having the certification problem.
Take the last certificate content printed and copy it (also copy begin and end certificate). Paste it in text file and give .crt extension to it . Now import this certificate to cacerts using java keytool command and it should work .
keytool -importcert -file <filename>.crt -alias randomaliasname -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
1-First of all, import you'r crt file into {JAVA_HOME}/jre/security/cacerts, if you still faced with this exception, change you'r jdk version. For example from jdk1.8.0_17 to jdk1.8.0_231
I was facing this issue with Java 8 but it got solved after upgrading to Java 11
Here normally this kind of exception occurs when there is mismatch in the PATH of trusted certificate. Check the configuration or path where this server certificate is required for secured communication.
Related
I'm trying to get tweets using twitter4j library for my java project which uses under the covers java.net.HttpURLConnection (as can be seen in stack trace). On my first run I got an error about certificate sun.security.validator.ValidatorException and sun.security.provider.certpath.SunCertPathBuilderException. Then I added twitter certificate by:
C:\Program Files\Java\jdk1.7.0_45\jre\lib\security>keytool -importcert -trustcacerts -file PathToCert -alias ca_alias -keystore "C:\Program Files\Java\jdk1.7.0_45\jre\lib\security\cacerts"
But without success. Here is the procedure to get tweets:
public static void main(String[] args) throws TwitterException {
ConfigurationBuilder cb = new ConfigurationBuilder();
cb.setDebugEnabled(true)
.setOAuthConsumerKey("myConsumerKey")
.setOAuthConsumerSecret("myConsumerSecret")
.setOAuthAccessToken("myAccessToken")
.setOAuthAccessTokenSecret("myAccessTokenSecret");
TwitterFactory tf = new TwitterFactory(cb.build());
Twitter twitter = tf.getInstance();
try {
Query query = new Query("iphone");
QueryResult result;
result = twitter.search(query);
System.out.println("Total amount of tweets: " + result.getTweets().size());
List<Status> tweets = result.getTweets();
for (Status tweet : tweets) {
System.out.println("#" + tweet.getUser().getScreenName() + " : " + tweet.getText());
}
} catch (TwitterException te) {
te.printStackTrace();
System.out.println("Failed to search tweets: " + te.getMessage());
}
And here is the error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Relevant discussions can be found on the Internet at:
http://www.google.co.jp/search?q=d35baff5 or
http://www.google.co.jp/search?q=1446302e
TwitterException{exceptionCode=[d35baff5-1446302e 43208640-747fd158 43208640-747fd158 43208640-747fd158], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=3.0.5}
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:177)
at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:61)
at twitter4j.internal.http.HttpClientWrapper.get(HttpClientWrapper.java:81)
at twitter4j.TwitterImpl.get(TwitterImpl.java:1929)
at twitter4j.TwitterImpl.search(TwitterImpl.java:306)
at jku.cc.servlets.TweetsAnalyzer.main(TweetsAnalyzer.java:38)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at twitter4j.internal.http.HttpResponseImpl.<init>(HttpResponseImpl.java:34)
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:141)
... 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 26 more
Failed to search tweets: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Go to URL in your browser:
firefox - click on HTTPS certificate chain (the lock icon right next to URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pickup the name and choose file type example.cer
chrome - click on site icon left to address in address bar, select "Certificate" -> "Details" -> "Export" and save in format "Der-encoded binary, single certificate".
Now you have file with keystore and you have to add it to your JVM. Determine location of cacerts files, eg.
C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.
Next import the example.cer file into cacerts in command line (may need administrator command prompt):
keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer
You will be asked for password which default is changeit
Restart your JVM/PC.
source:
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
After many hours trying to build cert files to get my Java 6 installation working with the new twitter cert's, I finally stumbled onto an incredibly simple solution buried in a comment in one of the message boards. Just copy the cacerts file from a Java 7 installation and overwrite the one in your Java 6 installation. Probably best to make a backup of the cacerts file first, but then you just copy the new one in and BOOM! it just works.
Note that I actually copied a Windows cacerts file onto a Linux installation and it worked just fine.
The file is located in jre/lib/security/cacerts in both the old and new Java jdk installations.
Hope this saves someone else hours of aggravation.
MY UI approach:
Download keystore explorer from here
Open $JAVA_HOME/jre/lib/security/cacerts
enter PW: changeit (Can be changeme on Mac)
Import your .crt file
CMD-Line:
keytool -importcert -file jetty.crt -alias jetty -keystore $JAVA_HOME/jre/lib/security/cacerts
enter PW: changeit (Can be changeme on Mac)
1. Check the certificate
Try to load the target URL in browser and view the site's certificate (usually it's accessible by the icon with the lock sign. It's on the left or right side of the browser's address bar) whether it's expired or untrusted by other reason.
2. Install latest versions of JRE and JDK
New versions usually come with the updated set of the trusted certificates.
Also if it's possible, uninstall old versions. This will make misconfiguration errors explicit.
3. Check your configuration:
Check where your JAVA_HOME environment variable points to.
Check which java version you use to run the program. In IntelliJ check:
File -> Project Structure... -> Project Settings -> Project -> Project SDK:
File -> Project Structure... -> Platform Settings -> SDKs
4. Copy whole keystore from the new Java version
If you develop under the JDK other than the latest available - try to replace the %JAVA_HOME%/jre/lib/security/cacerts file with the new one from the latest installed JRE (make a backup copy first) as #jeremy-goodell suggests in his answer
5. Add certificate(s) to your keystore
If nothing above solves your problem use keytool to save certificate(s) to the Java's keystore:
keytool -trustcacerts -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit -importcert -alias <alias_name> -file <path_to_crt_file>
File with the certificate can be obtained from the browser as #MagGGG suggests in his answer.
Note 1: you may need to repeat this for every certificate in the chain to you site's certificate. Start from the root one.
Note 2: <alias_name> should be unique among the keys in the store or keytool will show an error.
To get list of all the certificates in the store you may run:
keytool -list -trustcacerts -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit
In case something goes wrong this will help you to remove certificate from the store:
keytool -delete -alias <alias_name> -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit
-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true
It is used for jump the certificate validation.
Warning!
Only use for development purposes for this is unsecure!
I have stumbled upon this issue which took many hours of research to fix, specially with auto-generated certificates, which unlike Official ones, are quite tricky and Java does not like them that much.
Please check the following link: Solve Problem with certificates in Java
Basically you have to add the certificate from the server to the Java Home certs.
Generate or Get your certificate and configure Tomcat to use it in Servers.xml
Download the Java source code of the class InstallCert and execute it while the server is running, providing the following arguments server[:port]. No password is needed, as the original password works for the Java certs ("changeit").
The Program will connect to the server and Java will throw an exception, it will analyze the certificate provided by the server and allow you to create a jssecerts file inside the directory where you executed the Program (If executed from Eclipse then make sure you configure the Work directory in Run -> Configurations).
Manually copy that file to $JAVA_HOME/jre/lib/security
After following these steps, the connections with the certificate will not generate exceptions anymore within Java.
The following source code is important and it disappeared from (Sun) Oracle blogs, the only page I found it was on the link provided, therefore I am attaching it in the answer for any reference.
/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* Originally from:
* http://blogs.sun.com/andreas/resource/InstallCert.java
* Use:
* java InstallCert hostname
* Example:
*% java InstallCert ecc.fedora.redhat.com
*/
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Class used to add the server's certificate to the KeyStore
* with your trusted certificates.
*/
public class InstallCert {
public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = p.toCharArray();
} else {
System.out.println("Usage: java InstallCert [:port] [passphrase]");
return;
}
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory factory = context.getSocketFactory();
System.out.println("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}
BufferedReader reader =
new BufferedReader(new InputStreamReader(System.in));
System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println
(" " + (i + 1) + " Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println(" sha1 " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println(" md5 " + toHexString(md5.digest()));
System.out.println();
}
System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
int k;
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();
System.out.println();
System.out.println(cert);
System.out.println();
System.out.println
("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}
Mac
The accepted answer does not work for Mac as there is no Export button available in Mac (Chrome or Firefox). Please check this answer to download the certificate and follow the next steps as mentioned below:
List all certificates installed in the keystore:
cd $JAVA_HOME/lib/security
keytool -list -keystore cacerts
Notes:
The default password of the keystore is: changeit.
For Java-8 or lower version use the command, cd $JAVA_HOME/jre/lib/security
Before you import the certificate in the keystore, make a backup of the keystore:
sudo cp cacerts cacerts.bak
Import the downloaded certificate in the keystore:
sudo keytool -importcert -alias youralias -file /path/to/the/downloaded/certificate -keystore cacerts
Check if the certificate is stored in the keystore:
sudo keytool -list -keystore cacerts -alias youralias
If you want to see more detailed information, add the -v flag:
sudo keytool -v -list -keystore cacerts -alias youralias
I wanted to import certificate for smtp.gmail.com. The only solution that worked for me is
Enter command to view this certificate
D:\openssl\bin\openssl.exe s_client -connect smtp.gmail.com:465
Copy and save the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a file, gmail.cer
Run
keytool -import -alias smtp.gmail.com -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file C:\Users\Admin\Desktop\gmail.cer
Enter password: changeit
Click "Yes" to import the certificate
Restart Java
Now run the command and you are good to go.
I had a slightly different situation, when both JDK and JRE 1.8.0_112 were present on my system.
I imported the new CA certificates into [JDK_FOLDER]\jre\lib\security\cacerts using the already known command:
keytool -import -trustcacerts -keystore cacerts -alias <new_ca_alias> -file <path_to_ca_cert_file>
Still, I kept getting the same PKIX path building failed error.
I added debug information to the java CLI, by using java -Djavax.net.debug=all ... > debug.log. In the debug.log file, the line that begins with trustStore is: actually pointed to the cacerts store found in [JRE_FOLDER]\lib\security\cacerts.
In my case the solution was to copy the cacerts file used by JDK (which had the new CAs added) over the one used by the JRE and that fixed the issue.
This isn't a Twitter-specific answer, but this is the question that comes up when you search for this error. If your system is receiving this error when connecting to a website that appears to have a valid certificate when viewed in a web browser, that probably means that website has an incomplete certificate chain.
For a brief summary of the problem: Certificate Authorities don't use their Root Certificate to sign just any old certificate. Instead, they (usually) sign intermediate certificates that also have the Certificate Authority flag set (that is, are allowed to sign certificates). Then when you purchase a certificate from a CA, they sign your CSR with one of these intermediate certificates.
Your Java trust store most likely only has the Root Cert, not the intermediate ones.
A misconfigured site might return just their signed cert. Problem: it was signed with an intermediate cert that's not in your trust store. Browsers will handle this problem by downloading or using a cached intermediate certificate; this maximizes website compatibility. Java and tools like OpenSSL, however, won't. And that will cause the error in the question.
You can verify this suspicion by using the Qualys SSL Test. If you run that against a site and it says
This server's certificate chain is incomplete.
then that confirms it. You can also see this by looking at the certification paths and seeing the text Extra Download.
How to fix it: the server administrator needs to configure the web server to return the intermediate certificates as well. For Comodo, for example, this is where the .ca-bundle file comes in handy. For example, in an Apache configuration with mod_ssl, you'd use the SSLCertificateChainFile configuration setting. For nginx, you need to concatenate the intermediate certificates and the signed certificate and use that in the SSL cert configuration. You can find more by searching for "incomplete certificate chain" online.
Issue Background:
I was getting following error when i try to run mvn clean install in my project and through Netbeans IDE clean and build option.
This issue is due to certificate not available when we download through NET beans IDE/through command prompt, but able to download the files through the browser.
Error:
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact com.java.project:product:jar:1.0.32 from/to repo-local (https://url/local-repo): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Resolution:
1. Download the certificate of the Url in question:
Launch IE by "run as adminstrator" (otherwise, we will not be able to download the certificate)
Enter the url in IE-> https://url/local-repo
(In my case this url had a untrusted certificate.)
Download the certificate by clicking on Certificate error -> view certificate
Select Details tab -> copy to file -> next -> select "DER encoded binary X.509 (.CER)
save the certificate in some location, example : c:/user/sheldon/desktop/product.cer
Congrats! you have successfully downloaded the certificate for the site
2. Now install the key store to fix the issue.
Run the keytool command to append the downloaded keystore into the
existing certificate file.
Command: Below command in the bin folder of jdk (JAVA_HOME).
C:\Program Files\Java\jdk1.8.0_141\jre\bin>keytool -importcert -file
"C:/user/sheldon/desktop/product.cer" -alias product -keystore
"C:/Program Files/Java/jdk1.8.0_141/jre/lib/security/cacerts".
You will be prompted to enter password. Enter keystore password:
enter "changeit" again for "Trust this certificate? [no]:", enter
"yes"
Sample command line commands/output:
keytool -importcert -file "C:/Users/sheldon/Desktop/product.cer" -alias product -keystore "C:/Program iles/Java/jdk1.8.0_141/jre/lib/security/cacerts"
Enter keystore password:
Trust this certificate? [no]: yes
Certificate was added to keystore
Contgrats! now you should have got rid of "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException" error in your Netbeans IDE.
This is a solution but in form of my story with this problem:
I was almost dead trying all the solutions given above(for 3 days ) and nothing worked for me.
I lost all hope.
I contacted my security team regarding this because I was behind a proxy and they told me that they had recently updated their security policy.
Later they issued a new "cacerts" file which contains all the certificates.
I removed the cacerts file which is present inside %JAVA_HOME%/jre/lib/security and it solved my problem.
So if you are facing this issue it might be from your network team also like this.
After struggling for half-day, found one more way to solve this problem. I was able to solve this in MAC 10.15.5 ( Catalina). Followed the below steps.
This problem occurs when we are running behind a company proxy , In my case its Zscaler.
Open Key chain access, export CA certificate.(Select CA certificate, File->export items and save with the desired name)
Copy the path of existing cacerts from java folder(/Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/lib/security/cacerts
)
Open terminal and navigate to the Keytool folder (/Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/bin
)
Run the below command.
Keytool -importcert - file (Path to exported cert from the keychainaccess) -alias (give a name) -keystore (Path of existing cacerts from java folder)
sudo Keytool -importcert -file /Users/Desktop/RootCA.cer -alias demo -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/lib/security/cacerts
It will ask for password , give it as : changeit
It asks for confirmation , Say : yes
After all of these steps, Quit eclipse and terminal start fresh session.
The reason, we get above error is that JDK is bundled with a lot of trusted Certificate Authority(CA) certificates into a file called ‘cacerts’ but this file has no clue of our self-signed certificate. In other words, the cacerts file doesn’t have our self-signed certificate imported and thus doesn’t treat it as a trusted entity and hence it gives the above error.
How to fix the above error
To fix the above error, all we need is to import the self-signed certificate into the cacerts file.
First, locate the cacerts file. We will need to find out the JDK location. If you are running your application through one of the IDE’s like Eclipse or IntelliJ Idea go to project settings and figure out what is the JDK location.
For e.g on a Mac OS typical location of cacerts file would be at this location /Library/Java/JavaVirtualMachines/ {{JDK_version}}/Contents/Home/jre/lib/security
on a Window’s machine it would be under {{Installation_directory}}/{{JDK_version}}/jre/lib/security
Once you have located the cacerts file, now we need to import our self-signed certificate to this cacerts file. Check the last article, if you don’t know how to generate the self-signed certificate correctly.
If you don’t have a certificate file(.crt) and just have a .jks file you can generate a .crt file by using below command. In case you already have a .crt/.pem file then you can ignore below command
##To generate certificate from keystore(.jks file) ####
keytool -export -keystore keystore.jks -alias selfsigned -file selfsigned.crt
Above step will generate a file called selfsigned.crt.Now Import the certificate to cacerts
Now add the certificate to JRE/lib/security/cacerts (trustore)
keytool -importcert -file selfsigned.crt -alias selfsigned -keystore {{cacerts path}}
for e.g
keytool -importcert -file selfsigned.nextgen.crt -alias selfsigned.nextgen -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts
That’s all, restart your application and it should work fine. If it still doesn’t work and get an SSL handshake exception. It probably means you are using different domain then registered in the certificate.
The Link with detailed explanation and step by step resolution is over here.
I was facing the same issue and get it resolved using the below simple steps:
1) Download the InstallCert.java from google
2) Compile it using javac InstallCert.java
3) Run InstallCert.java using java InstallCert.java, with the hostname and https port, and press “1” when asking for input. It will add the “localhost” as a trusted keystore, and generate a file named “jssecacerts“ as below:
java InstallCert localhost:443
4) copy the jssecacerts into $JAVA_HOME/jre/lib/security folder
Main source to resolve the issue here is:
https://ankurjain26.blogspot.in/2017/11/javaxnetsslsslhandshakeexception.html
Problem is, your eclipse is not able to connect the site which actually it is trying to.
I have faced similar issue and below given solution worked for me.
Turn off any third party internet security application e.g. Zscaler
Sometimes also need to disconnect VPN if you are connected.
Thanks
Adding cacerts did not work for me.
After enabling log with flag -Djavax.net.debug=all, then came to know java reading from jssecacerts.
Import to jssecacerts worked finally.
For me, certificate error popped up because I had fiddler running in background and that messes up with certificate. It acts as a proxy so close that and restart eclipse.
I came across this question while trying to install the Cucumber-Eclipse plugin in Eclipse via their update site. I received the same SunCertPathBuilderException error:
Unable to read repository at http://cucumber.io/cucumber-eclipse/update-site/content.xml.
Unable to read repository at http://cucumber.io/cucumber-eclipse/update-site/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
While some of the other answers are appropriate and helpful for this question's given situation, they were nevertheless unhelpful and misleading for my issue.
In my case, the issue was that the URL provided for their update site is:
https://cucumber.io/cucumber-eclipse/update-site
However when navigating to it via a browser, it redirected to (note the added ".github"):
http://cucumber.github.io/cucumber-eclipse/update-site/
So the resolution is to simply use the redirected version of the update site URL when adding the update site in eclipse.
goals:
use https connections
verify SSL chains
do not deal with cacerts
add certificate in runtime
do not lose certificates from cacerts
How to do it:
define own keystore
put certificate into keystore
redefine SSL default context with our custom class
???
profit
My Keystore wrapper file:
public class CertificateManager {
private final static Logger logger = Logger.getLogger(CertificateManager.class);
private String keyStoreLocation;
private String keyStorePassword;
private X509TrustManager myTrustManager;
private static KeyStore myTrustStore;
public CertificateManager(String keyStoreLocation, String keyStorePassword) throws Exception {
this.keyStoreLocation = keyStoreLocation;
this.keyStorePassword = keyStorePassword;
myTrustStore = createKeyStore(keyStoreLocation, keyStorePassword);
}
public void addCustomCertificate(String certFileName, String certificateAlias)
throws Exception {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
Certificate certificate = myTrustStore.getCertificate(certificateAlias);
if (certificate == null) {
logger.info("Certificate not exists");
addCertificate(certFileName, certificateAlias);
} else {
logger.info("Certificate exists");
}
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(myTrustStore);
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
setMytrustManager((X509TrustManager) tm);
logger.info("Trust manager found");
break;
}
}
}
private InputStream fullStream(String fname) throws IOException {
ClassLoader classLoader = getClass().getClassLoader();
InputStream resource = classLoader.getResourceAsStream(fname);
try {
if (resource != null) {
DataInputStream dis = new DataInputStream(resource);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
return new ByteArrayInputStream(bytes);
} else {
logger.info("resource not found");
}
} catch (Exception e) {
logger.error("exception in certificate fetching as resource", e);
}
return null;
}
public static KeyStore createKeyStore(String keystore, String pass) throws Exception {
try {
InputStream in = CertificateManager.class.getClass().getResourceAsStream(keystore);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(in, pass.toCharArray());
logger.info("Keystore was created from resource file");
return keyStore;
} catch (Exception e) {
logger.info("Fail to create keystore from resource file");
}
File file = new File(keystore);
KeyStore keyStore = KeyStore.getInstance("JKS");
if (file.exists()) {
keyStore.load(new FileInputStream(file), pass.toCharArray());
logger.info("Default keystore loaded");
} else {
keyStore.load(null, null);
keyStore.store(new FileOutputStream(file), pass.toCharArray());
logger.info("New keystore created");
}
return keyStore;
}
private void addCertificate(String certFileName, String certificateAlias) throws CertificateException,
IOException, KeyStoreException, NoSuchAlgorithmException {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream certStream = fullStream(certFileName);
Certificate certs = cf.generateCertificate(certStream);
myTrustStore.setCertificateEntry(certificateAlias, certs);
FileOutputStream out = new FileOutputStream(getKeyStoreLocation());
myTrustStore.store(out, getKeyStorePassword().toCharArray());
out.close();
logger.info("Certificate pushed");
}
public String getKeyStoreLocation() {
return keyStoreLocation;
}
public String getKeyStorePassword() {
return keyStorePassword;
}
public X509TrustManager getMytrustManager() {
return myTrustManager;
}
public void setMytrustManager(X509TrustManager myTrustManager) {
this.myTrustManager = myTrustManager;
}
}
This class will create keystore if necessary, and will be able to manage certificates inside of it. Now class for SSL context:
public class CustomTrustManager implements X509TrustManager {
private final static Logger logger = Logger.getLogger(CertificateManager.class);
private static SSLSocketFactory socketFactory;
private static CustomTrustManager instance = new CustomTrustManager();
private static List<CertificateManager> register = new ArrayList<>();
public static CustomTrustManager getInstance() {
return instance;
}
private X509TrustManager defaultTm;
public void register(CertificateManager certificateManager) {
for(CertificateManager manager : register) {
if(manager == certificateManager) {
logger.info("Certificate manager already registered");
return;
}
}
register.add(certificateManager);
logger.info("New Certificate manager registered");
}
private CustomTrustManager() {
try {
String algorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
tmf.init((KeyStore) null);
boolean found = false;
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
defaultTm = (X509TrustManager) tm;
found = true;
break;
}
}
if(found) {
logger.info("Default trust manager found");
} else {
logger.warn("Default trust manager was not found");
}
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{this}, null);
SSLContext.setDefault(sslContext);
socketFactory = sslContext.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
logger.info("Custom trust manager was set");
} catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException e) {
logger.warn("Custom trust manager can't be set");
e.printStackTrace();
}
}
#Override
public X509Certificate[] getAcceptedIssuers() {
List<X509Certificate> out = new ArrayList<>();
if (defaultTm != null) {
out.addAll(Arrays.asList(defaultTm.getAcceptedIssuers()));
}
int defaultCount = out.size();
logger.info("Default trust manager contain " + defaultCount + " certficates");
for(CertificateManager manager : register) {
X509TrustManager customTrustManager = manager.getMytrustManager();
X509Certificate[] issuers = customTrustManager.getAcceptedIssuers();
out.addAll(Arrays.asList(issuers));
}
logger.info("Custom trust managers contain " + (out.size() - defaultCount) + " certficates");
X509Certificate[] arrayOut = new X509Certificate[out.size()];
return out.toArray(arrayOut);
}
#Override
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
for(CertificateManager certificateManager : register) {
X509TrustManager customTrustManager = certificateManager.getMytrustManager();
try {
customTrustManager.checkServerTrusted(chain, authType);
logger.info("Certificate chain (server) was aproved by custom trust manager");
return;
} catch (Exception e) {
}
}
if (defaultTm != null) {
defaultTm.checkServerTrusted(chain, authType);
logger.info("Certificate chain (server) was aproved by default trust manager");
} else {
logger.info("Certificate chain (server) was rejected");
throw new CertificateException("Can't check server trusted certificate.");
}
}
#Override
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
try {
if (defaultTm != null) {
defaultTm.checkClientTrusted(chain, authType);
logger.info("Certificate chain (client) was aproved by default trust manager");
} else {
throw new NullPointerException();
}
} catch (Exception e) {
for(CertificateManager certificateManager : register) {
X509TrustManager customTrustManager = certificateManager.getMytrustManager();
try {
customTrustManager.checkClientTrusted(chain, authType);
logger.info("Certificate chain (client) was aproved by custom trust manager");
return;
} catch (Exception e1) {
}
}
logger.info("Certificate chain (client) was rejected");
throw new CertificateException("Can't check client trusted certificate.");
}
}
public SSLSocketFactory getSocketFactory() {
return socketFactory;
}
}
This class made as singleton, because only one defaultSSL context allowed. So, now usage:
CertificateManager certificateManager = new CertificateManager("C:\\myapplication\\mykeystore.jks", "changeit");
String certificatePath = "C:\\myapplication\\public_key_for_your_ssl_service.crt";
try {
certificateManager.addCustomCertificate(certificatePath, "alias_for_public_key_for_your_ssl_service");
} catch (Exception e) {
log.error("Can't add custom certificate");
e.printStackTrace();
}
CustomTrustManager.getInstance().register(certificateManager);
Possibly, it will not work with this settings, because I keep certificate file inside of resource folder, so my path is not absolute. But generally, it work perfectly.
If your repository URL also work on HTTP and the security is not a concern, you can go to settings.xml (often, but not always, located in %USERPROFILE%/.m2) and replace HTTPS with HTTP for <repository> and <pluginRepository> URLs.
For example, this:
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://<artifactory>/libs-release</url>
</repository>
should be replaced by this:
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://<artifactory>/libs-release</url>
</repository>
I was using my own trust store rather than JRE one by passing arg -Djavax.net.ssl.trustStore=
I was getting this error regardless of certs in truststore. The issue for me was the ordering of of the properties passed on arg line.
When i put -Djavax.net.ssl.trustStore=& -Djavax.net.ssl.trustStorePassword= before -Dspring.config.location= & -jar args i was able to successfully invoke my rest call over https.
I solved this issue on Windows Server 2016 with Java 8, by importing cert from pkcs12 store to cacerts keystore.
Path to pkcs12 store:
C:\Apps\pkcs12.pfx
Path to Java cacerts:
C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts
Path to keytool:
C:\Program Files\Java\jre1.8.0_151\bin
After possitioning to folder with keytool in command prompt (as administrator), command to import cert from pkcs12 to cacerts is as follows:
keytool -v -importkeystore -srckeystore C:\Apps\pkcs12.pfx -srcstoretype PKCS12 -destkeystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -deststoretype JKS
You will be prompted to:
1. enter destination keystore password (cacerts pasword, default is "changeit")
2. enter source keystore password (pkcs12 password)
For changes to take effect, restart server machine (or just restart JVM).
I ran into same issue but updating wrong jre on my linux machine. It is highly likely that tomcat is using different jre and your cli prompt is configured to use a different jre.
Make sure you are picking up the correct jre.
Step #1:
ps -ef | grep tomcat
You will see some thing like:
root 29855 1 3 17:54 pts/3 00:00:42 /usr/java/jdk1.7.0_79/jre/bin/java
Now use this:
keytool -import -alias example -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts -file cert.cer
PWD: changeit
*.cer file can be geneated as shown below: (or you can use your own)
openssl x509 -in cert.pem -outform pem -outform der -out cert.cer
If you are still getting this error
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
after executing the below command and restarting the java process
keytool -import -alias certificatealias -keystore C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts -file certificate.cer
Then there is some issue in JDK. Try to install JDK from a trusted provider.
Once you reinstalled it from trusted provider you won't face this issue.
Simple Steps to resolve this Exception, (I did it on java 11),
First you need to Download the public SSL certificate file of the target domain that you are trying to call,for that
Open the target domain website in the chrome (Example: https://amazonservice.domain.com)
Click on the small lock icon before the URL in the browser
Click View certificates
Now Click on Certificate is valid as shown below
Now a new Popup will open as shown below,
Open the details tab
Select the RootCert at the top
Click Export and save the .cer file to your system in a directory
Now you have the public keystore of your target domain which you are trying to call in your java application,now we need to impot that keystore into you jre,for that go to the $JAVA_HOME/bin directory and run the following command
./keytool -importcert -alias someAliasName -keystore {JAVA_HOME}/lib/security/cacerts -file {PathToDownloads}/certificateFileName.cer
It will ask you for password, enter the password if you know, the default password for the certificate is changeit
References
https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html
https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html
In case your host sits behind firewall/proxy , use following command in cmd:
keytool -J-Dhttps.proxyHost=<proxy_hostname> -J-Dhttps.proxyPort=<proxy_port> -printcert -rfc -sslserver <remote_host_name:remote_ssl_port>
Replace <proxy_hostname> and <proxy_port> with the HTTP proxy server that is configured. Replace <remote_host_name:remote_ssl_port> with one of the remote host (basically url) and port having the certification problem.
Take the last certificate content printed and copy it (also copy begin and end certificate). Paste it in text file and give .crt extension to it . Now import this certificate to cacerts using java keytool command and it should work .
keytool -importcert -file <filename>.crt -alias randomaliasname -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
1-First of all, import you'r crt file into {JAVA_HOME}/jre/security/cacerts, if you still faced with this exception, change you'r jdk version. For example from jdk1.8.0_17 to jdk1.8.0_231
I was facing this issue with Java 8 but it got solved after upgrading to Java 11
Here normally this kind of exception occurs when there is mismatch in the PATH of trusted certificate. Check the configuration or path where this server certificate is required for secured communication.
I'm trying to get tweets using twitter4j library for my java project which uses under the covers java.net.HttpURLConnection (as can be seen in stack trace). On my first run I got an error about certificate sun.security.validator.ValidatorException and sun.security.provider.certpath.SunCertPathBuilderException. Then I added twitter certificate by:
C:\Program Files\Java\jdk1.7.0_45\jre\lib\security>keytool -importcert -trustcacerts -file PathToCert -alias ca_alias -keystore "C:\Program Files\Java\jdk1.7.0_45\jre\lib\security\cacerts"
But without success. Here is the procedure to get tweets:
public static void main(String[] args) throws TwitterException {
ConfigurationBuilder cb = new ConfigurationBuilder();
cb.setDebugEnabled(true)
.setOAuthConsumerKey("myConsumerKey")
.setOAuthConsumerSecret("myConsumerSecret")
.setOAuthAccessToken("myAccessToken")
.setOAuthAccessTokenSecret("myAccessTokenSecret");
TwitterFactory tf = new TwitterFactory(cb.build());
Twitter twitter = tf.getInstance();
try {
Query query = new Query("iphone");
QueryResult result;
result = twitter.search(query);
System.out.println("Total amount of tweets: " + result.getTweets().size());
List<Status> tweets = result.getTweets();
for (Status tweet : tweets) {
System.out.println("#" + tweet.getUser().getScreenName() + " : " + tweet.getText());
}
} catch (TwitterException te) {
te.printStackTrace();
System.out.println("Failed to search tweets: " + te.getMessage());
}
And here is the error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Relevant discussions can be found on the Internet at:
http://www.google.co.jp/search?q=d35baff5 or
http://www.google.co.jp/search?q=1446302e
TwitterException{exceptionCode=[d35baff5-1446302e 43208640-747fd158 43208640-747fd158 43208640-747fd158], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=3.0.5}
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:177)
at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:61)
at twitter4j.internal.http.HttpClientWrapper.get(HttpClientWrapper.java:81)
at twitter4j.TwitterImpl.get(TwitterImpl.java:1929)
at twitter4j.TwitterImpl.search(TwitterImpl.java:306)
at jku.cc.servlets.TweetsAnalyzer.main(TweetsAnalyzer.java:38)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at twitter4j.internal.http.HttpResponseImpl.<init>(HttpResponseImpl.java:34)
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:141)
... 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 26 more
Failed to search tweets: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Go to URL in your browser:
firefox - click on HTTPS certificate chain (the lock icon right next to URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pickup the name and choose file type example.cer
chrome - click on site icon left to address in address bar, select "Certificate" -> "Details" -> "Export" and save in format "Der-encoded binary, single certificate".
Now you have file with keystore and you have to add it to your JVM. Determine location of cacerts files, eg.
C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.
Next import the example.cer file into cacerts in command line (may need administrator command prompt):
keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer
You will be asked for password which default is changeit
Restart your JVM/PC.
source:
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
After many hours trying to build cert files to get my Java 6 installation working with the new twitter cert's, I finally stumbled onto an incredibly simple solution buried in a comment in one of the message boards. Just copy the cacerts file from a Java 7 installation and overwrite the one in your Java 6 installation. Probably best to make a backup of the cacerts file first, but then you just copy the new one in and BOOM! it just works.
Note that I actually copied a Windows cacerts file onto a Linux installation and it worked just fine.
The file is located in jre/lib/security/cacerts in both the old and new Java jdk installations.
Hope this saves someone else hours of aggravation.
MY UI approach:
Download keystore explorer from here
Open $JAVA_HOME/jre/lib/security/cacerts
enter PW: changeit (Can be changeme on Mac)
Import your .crt file
CMD-Line:
keytool -importcert -file jetty.crt -alias jetty -keystore $JAVA_HOME/jre/lib/security/cacerts
enter PW: changeit (Can be changeme on Mac)
1. Check the certificate
Try to load the target URL in browser and view the site's certificate (usually it's accessible by the icon with the lock sign. It's on the left or right side of the browser's address bar) whether it's expired or untrusted by other reason.
2. Install latest versions of JRE and JDK
New versions usually come with the updated set of the trusted certificates.
Also if it's possible, uninstall old versions. This will make misconfiguration errors explicit.
3. Check your configuration:
Check where your JAVA_HOME environment variable points to.
Check which java version you use to run the program. In IntelliJ check:
File -> Project Structure... -> Project Settings -> Project -> Project SDK:
File -> Project Structure... -> Platform Settings -> SDKs
4. Copy whole keystore from the new Java version
If you develop under the JDK other than the latest available - try to replace the %JAVA_HOME%/jre/lib/security/cacerts file with the new one from the latest installed JRE (make a backup copy first) as #jeremy-goodell suggests in his answer
5. Add certificate(s) to your keystore
If nothing above solves your problem use keytool to save certificate(s) to the Java's keystore:
keytool -trustcacerts -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit -importcert -alias <alias_name> -file <path_to_crt_file>
File with the certificate can be obtained from the browser as #MagGGG suggests in his answer.
Note 1: you may need to repeat this for every certificate in the chain to you site's certificate. Start from the root one.
Note 2: <alias_name> should be unique among the keys in the store or keytool will show an error.
To get list of all the certificates in the store you may run:
keytool -list -trustcacerts -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit
In case something goes wrong this will help you to remove certificate from the store:
keytool -delete -alias <alias_name> -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit
-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true
It is used for jump the certificate validation.
Warning!
Only use for development purposes for this is unsecure!
I have stumbled upon this issue which took many hours of research to fix, specially with auto-generated certificates, which unlike Official ones, are quite tricky and Java does not like them that much.
Please check the following link: Solve Problem with certificates in Java
Basically you have to add the certificate from the server to the Java Home certs.
Generate or Get your certificate and configure Tomcat to use it in Servers.xml
Download the Java source code of the class InstallCert and execute it while the server is running, providing the following arguments server[:port]. No password is needed, as the original password works for the Java certs ("changeit").
The Program will connect to the server and Java will throw an exception, it will analyze the certificate provided by the server and allow you to create a jssecerts file inside the directory where you executed the Program (If executed from Eclipse then make sure you configure the Work directory in Run -> Configurations).
Manually copy that file to $JAVA_HOME/jre/lib/security
After following these steps, the connections with the certificate will not generate exceptions anymore within Java.
The following source code is important and it disappeared from (Sun) Oracle blogs, the only page I found it was on the link provided, therefore I am attaching it in the answer for any reference.
/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* Originally from:
* http://blogs.sun.com/andreas/resource/InstallCert.java
* Use:
* java InstallCert hostname
* Example:
*% java InstallCert ecc.fedora.redhat.com
*/
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Class used to add the server's certificate to the KeyStore
* with your trusted certificates.
*/
public class InstallCert {
public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = p.toCharArray();
} else {
System.out.println("Usage: java InstallCert [:port] [passphrase]");
return;
}
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory factory = context.getSocketFactory();
System.out.println("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}
BufferedReader reader =
new BufferedReader(new InputStreamReader(System.in));
System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println
(" " + (i + 1) + " Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println(" sha1 " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println(" md5 " + toHexString(md5.digest()));
System.out.println();
}
System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
int k;
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();
System.out.println();
System.out.println(cert);
System.out.println();
System.out.println
("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}
Mac
The accepted answer does not work for Mac as there is no Export button available in Mac (Chrome or Firefox). Please check this answer to download the certificate and follow the next steps as mentioned below:
List all certificates installed in the keystore:
cd $JAVA_HOME/lib/security
keytool -list -keystore cacerts
Notes:
The default password of the keystore is: changeit.
For Java-8 or lower version use the command, cd $JAVA_HOME/jre/lib/security
Before you import the certificate in the keystore, make a backup of the keystore:
sudo cp cacerts cacerts.bak
Import the downloaded certificate in the keystore:
sudo keytool -importcert -alias youralias -file /path/to/the/downloaded/certificate -keystore cacerts
Check if the certificate is stored in the keystore:
sudo keytool -list -keystore cacerts -alias youralias
If you want to see more detailed information, add the -v flag:
sudo keytool -v -list -keystore cacerts -alias youralias
I wanted to import certificate for smtp.gmail.com. The only solution that worked for me is
Enter command to view this certificate
D:\openssl\bin\openssl.exe s_client -connect smtp.gmail.com:465
Copy and save the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a file, gmail.cer
Run
keytool -import -alias smtp.gmail.com -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file C:\Users\Admin\Desktop\gmail.cer
Enter password: changeit
Click "Yes" to import the certificate
Restart Java
Now run the command and you are good to go.
I had a slightly different situation, when both JDK and JRE 1.8.0_112 were present on my system.
I imported the new CA certificates into [JDK_FOLDER]\jre\lib\security\cacerts using the already known command:
keytool -import -trustcacerts -keystore cacerts -alias <new_ca_alias> -file <path_to_ca_cert_file>
Still, I kept getting the same PKIX path building failed error.
I added debug information to the java CLI, by using java -Djavax.net.debug=all ... > debug.log. In the debug.log file, the line that begins with trustStore is: actually pointed to the cacerts store found in [JRE_FOLDER]\lib\security\cacerts.
In my case the solution was to copy the cacerts file used by JDK (which had the new CAs added) over the one used by the JRE and that fixed the issue.
This isn't a Twitter-specific answer, but this is the question that comes up when you search for this error. If your system is receiving this error when connecting to a website that appears to have a valid certificate when viewed in a web browser, that probably means that website has an incomplete certificate chain.
For a brief summary of the problem: Certificate Authorities don't use their Root Certificate to sign just any old certificate. Instead, they (usually) sign intermediate certificates that also have the Certificate Authority flag set (that is, are allowed to sign certificates). Then when you purchase a certificate from a CA, they sign your CSR with one of these intermediate certificates.
Your Java trust store most likely only has the Root Cert, not the intermediate ones.
A misconfigured site might return just their signed cert. Problem: it was signed with an intermediate cert that's not in your trust store. Browsers will handle this problem by downloading or using a cached intermediate certificate; this maximizes website compatibility. Java and tools like OpenSSL, however, won't. And that will cause the error in the question.
You can verify this suspicion by using the Qualys SSL Test. If you run that against a site and it says
This server's certificate chain is incomplete.
then that confirms it. You can also see this by looking at the certification paths and seeing the text Extra Download.
How to fix it: the server administrator needs to configure the web server to return the intermediate certificates as well. For Comodo, for example, this is where the .ca-bundle file comes in handy. For example, in an Apache configuration with mod_ssl, you'd use the SSLCertificateChainFile configuration setting. For nginx, you need to concatenate the intermediate certificates and the signed certificate and use that in the SSL cert configuration. You can find more by searching for "incomplete certificate chain" online.
Issue Background:
I was getting following error when i try to run mvn clean install in my project and through Netbeans IDE clean and build option.
This issue is due to certificate not available when we download through NET beans IDE/through command prompt, but able to download the files through the browser.
Error:
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact com.java.project:product:jar:1.0.32 from/to repo-local (https://url/local-repo): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Resolution:
1. Download the certificate of the Url in question:
Launch IE by "run as adminstrator" (otherwise, we will not be able to download the certificate)
Enter the url in IE-> https://url/local-repo
(In my case this url had a untrusted certificate.)
Download the certificate by clicking on Certificate error -> view certificate
Select Details tab -> copy to file -> next -> select "DER encoded binary X.509 (.CER)
save the certificate in some location, example : c:/user/sheldon/desktop/product.cer
Congrats! you have successfully downloaded the certificate for the site
2. Now install the key store to fix the issue.
Run the keytool command to append the downloaded keystore into the
existing certificate file.
Command: Below command in the bin folder of jdk (JAVA_HOME).
C:\Program Files\Java\jdk1.8.0_141\jre\bin>keytool -importcert -file
"C:/user/sheldon/desktop/product.cer" -alias product -keystore
"C:/Program Files/Java/jdk1.8.0_141/jre/lib/security/cacerts".
You will be prompted to enter password. Enter keystore password:
enter "changeit" again for "Trust this certificate? [no]:", enter
"yes"
Sample command line commands/output:
keytool -importcert -file "C:/Users/sheldon/Desktop/product.cer" -alias product -keystore "C:/Program iles/Java/jdk1.8.0_141/jre/lib/security/cacerts"
Enter keystore password:
Trust this certificate? [no]: yes
Certificate was added to keystore
Contgrats! now you should have got rid of "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException" error in your Netbeans IDE.
This is a solution but in form of my story with this problem:
I was almost dead trying all the solutions given above(for 3 days ) and nothing worked for me.
I lost all hope.
I contacted my security team regarding this because I was behind a proxy and they told me that they had recently updated their security policy.
Later they issued a new "cacerts" file which contains all the certificates.
I removed the cacerts file which is present inside %JAVA_HOME%/jre/lib/security and it solved my problem.
So if you are facing this issue it might be from your network team also like this.
After struggling for half-day, found one more way to solve this problem. I was able to solve this in MAC 10.15.5 ( Catalina). Followed the below steps.
This problem occurs when we are running behind a company proxy , In my case its Zscaler.
Open Key chain access, export CA certificate.(Select CA certificate, File->export items and save with the desired name)
Copy the path of existing cacerts from java folder(/Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/lib/security/cacerts
)
Open terminal and navigate to the Keytool folder (/Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/bin
)
Run the below command.
Keytool -importcert - file (Path to exported cert from the keychainaccess) -alias (give a name) -keystore (Path of existing cacerts from java folder)
sudo Keytool -importcert -file /Users/Desktop/RootCA.cer -alias demo -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/lib/security/cacerts
It will ask for password , give it as : changeit
It asks for confirmation , Say : yes
After all of these steps, Quit eclipse and terminal start fresh session.
The reason, we get above error is that JDK is bundled with a lot of trusted Certificate Authority(CA) certificates into a file called ‘cacerts’ but this file has no clue of our self-signed certificate. In other words, the cacerts file doesn’t have our self-signed certificate imported and thus doesn’t treat it as a trusted entity and hence it gives the above error.
How to fix the above error
To fix the above error, all we need is to import the self-signed certificate into the cacerts file.
First, locate the cacerts file. We will need to find out the JDK location. If you are running your application through one of the IDE’s like Eclipse or IntelliJ Idea go to project settings and figure out what is the JDK location.
For e.g on a Mac OS typical location of cacerts file would be at this location /Library/Java/JavaVirtualMachines/ {{JDK_version}}/Contents/Home/jre/lib/security
on a Window’s machine it would be under {{Installation_directory}}/{{JDK_version}}/jre/lib/security
Once you have located the cacerts file, now we need to import our self-signed certificate to this cacerts file. Check the last article, if you don’t know how to generate the self-signed certificate correctly.
If you don’t have a certificate file(.crt) and just have a .jks file you can generate a .crt file by using below command. In case you already have a .crt/.pem file then you can ignore below command
##To generate certificate from keystore(.jks file) ####
keytool -export -keystore keystore.jks -alias selfsigned -file selfsigned.crt
Above step will generate a file called selfsigned.crt.Now Import the certificate to cacerts
Now add the certificate to JRE/lib/security/cacerts (trustore)
keytool -importcert -file selfsigned.crt -alias selfsigned -keystore {{cacerts path}}
for e.g
keytool -importcert -file selfsigned.nextgen.crt -alias selfsigned.nextgen -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts
That’s all, restart your application and it should work fine. If it still doesn’t work and get an SSL handshake exception. It probably means you are using different domain then registered in the certificate.
The Link with detailed explanation and step by step resolution is over here.
I was facing the same issue and get it resolved using the below simple steps:
1) Download the InstallCert.java from google
2) Compile it using javac InstallCert.java
3) Run InstallCert.java using java InstallCert.java, with the hostname and https port, and press “1” when asking for input. It will add the “localhost” as a trusted keystore, and generate a file named “jssecacerts“ as below:
java InstallCert localhost:443
4) copy the jssecacerts into $JAVA_HOME/jre/lib/security folder
Main source to resolve the issue here is:
https://ankurjain26.blogspot.in/2017/11/javaxnetsslsslhandshakeexception.html
Problem is, your eclipse is not able to connect the site which actually it is trying to.
I have faced similar issue and below given solution worked for me.
Turn off any third party internet security application e.g. Zscaler
Sometimes also need to disconnect VPN if you are connected.
Thanks
Adding cacerts did not work for me.
After enabling log with flag -Djavax.net.debug=all, then came to know java reading from jssecacerts.
Import to jssecacerts worked finally.
For me, certificate error popped up because I had fiddler running in background and that messes up with certificate. It acts as a proxy so close that and restart eclipse.
I came across this question while trying to install the Cucumber-Eclipse plugin in Eclipse via their update site. I received the same SunCertPathBuilderException error:
Unable to read repository at http://cucumber.io/cucumber-eclipse/update-site/content.xml.
Unable to read repository at http://cucumber.io/cucumber-eclipse/update-site/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
While some of the other answers are appropriate and helpful for this question's given situation, they were nevertheless unhelpful and misleading for my issue.
In my case, the issue was that the URL provided for their update site is:
https://cucumber.io/cucumber-eclipse/update-site
However when navigating to it via a browser, it redirected to (note the added ".github"):
http://cucumber.github.io/cucumber-eclipse/update-site/
So the resolution is to simply use the redirected version of the update site URL when adding the update site in eclipse.
goals:
use https connections
verify SSL chains
do not deal with cacerts
add certificate in runtime
do not lose certificates from cacerts
How to do it:
define own keystore
put certificate into keystore
redefine SSL default context with our custom class
???
profit
My Keystore wrapper file:
public class CertificateManager {
private final static Logger logger = Logger.getLogger(CertificateManager.class);
private String keyStoreLocation;
private String keyStorePassword;
private X509TrustManager myTrustManager;
private static KeyStore myTrustStore;
public CertificateManager(String keyStoreLocation, String keyStorePassword) throws Exception {
this.keyStoreLocation = keyStoreLocation;
this.keyStorePassword = keyStorePassword;
myTrustStore = createKeyStore(keyStoreLocation, keyStorePassword);
}
public void addCustomCertificate(String certFileName, String certificateAlias)
throws Exception {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
Certificate certificate = myTrustStore.getCertificate(certificateAlias);
if (certificate == null) {
logger.info("Certificate not exists");
addCertificate(certFileName, certificateAlias);
} else {
logger.info("Certificate exists");
}
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(myTrustStore);
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
setMytrustManager((X509TrustManager) tm);
logger.info("Trust manager found");
break;
}
}
}
private InputStream fullStream(String fname) throws IOException {
ClassLoader classLoader = getClass().getClassLoader();
InputStream resource = classLoader.getResourceAsStream(fname);
try {
if (resource != null) {
DataInputStream dis = new DataInputStream(resource);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
return new ByteArrayInputStream(bytes);
} else {
logger.info("resource not found");
}
} catch (Exception e) {
logger.error("exception in certificate fetching as resource", e);
}
return null;
}
public static KeyStore createKeyStore(String keystore, String pass) throws Exception {
try {
InputStream in = CertificateManager.class.getClass().getResourceAsStream(keystore);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(in, pass.toCharArray());
logger.info("Keystore was created from resource file");
return keyStore;
} catch (Exception e) {
logger.info("Fail to create keystore from resource file");
}
File file = new File(keystore);
KeyStore keyStore = KeyStore.getInstance("JKS");
if (file.exists()) {
keyStore.load(new FileInputStream(file), pass.toCharArray());
logger.info("Default keystore loaded");
} else {
keyStore.load(null, null);
keyStore.store(new FileOutputStream(file), pass.toCharArray());
logger.info("New keystore created");
}
return keyStore;
}
private void addCertificate(String certFileName, String certificateAlias) throws CertificateException,
IOException, KeyStoreException, NoSuchAlgorithmException {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream certStream = fullStream(certFileName);
Certificate certs = cf.generateCertificate(certStream);
myTrustStore.setCertificateEntry(certificateAlias, certs);
FileOutputStream out = new FileOutputStream(getKeyStoreLocation());
myTrustStore.store(out, getKeyStorePassword().toCharArray());
out.close();
logger.info("Certificate pushed");
}
public String getKeyStoreLocation() {
return keyStoreLocation;
}
public String getKeyStorePassword() {
return keyStorePassword;
}
public X509TrustManager getMytrustManager() {
return myTrustManager;
}
public void setMytrustManager(X509TrustManager myTrustManager) {
this.myTrustManager = myTrustManager;
}
}
This class will create keystore if necessary, and will be able to manage certificates inside of it. Now class for SSL context:
public class CustomTrustManager implements X509TrustManager {
private final static Logger logger = Logger.getLogger(CertificateManager.class);
private static SSLSocketFactory socketFactory;
private static CustomTrustManager instance = new CustomTrustManager();
private static List<CertificateManager> register = new ArrayList<>();
public static CustomTrustManager getInstance() {
return instance;
}
private X509TrustManager defaultTm;
public void register(CertificateManager certificateManager) {
for(CertificateManager manager : register) {
if(manager == certificateManager) {
logger.info("Certificate manager already registered");
return;
}
}
register.add(certificateManager);
logger.info("New Certificate manager registered");
}
private CustomTrustManager() {
try {
String algorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
tmf.init((KeyStore) null);
boolean found = false;
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
defaultTm = (X509TrustManager) tm;
found = true;
break;
}
}
if(found) {
logger.info("Default trust manager found");
} else {
logger.warn("Default trust manager was not found");
}
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{this}, null);
SSLContext.setDefault(sslContext);
socketFactory = sslContext.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
logger.info("Custom trust manager was set");
} catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException e) {
logger.warn("Custom trust manager can't be set");
e.printStackTrace();
}
}
#Override
public X509Certificate[] getAcceptedIssuers() {
List<X509Certificate> out = new ArrayList<>();
if (defaultTm != null) {
out.addAll(Arrays.asList(defaultTm.getAcceptedIssuers()));
}
int defaultCount = out.size();
logger.info("Default trust manager contain " + defaultCount + " certficates");
for(CertificateManager manager : register) {
X509TrustManager customTrustManager = manager.getMytrustManager();
X509Certificate[] issuers = customTrustManager.getAcceptedIssuers();
out.addAll(Arrays.asList(issuers));
}
logger.info("Custom trust managers contain " + (out.size() - defaultCount) + " certficates");
X509Certificate[] arrayOut = new X509Certificate[out.size()];
return out.toArray(arrayOut);
}
#Override
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
for(CertificateManager certificateManager : register) {
X509TrustManager customTrustManager = certificateManager.getMytrustManager();
try {
customTrustManager.checkServerTrusted(chain, authType);
logger.info("Certificate chain (server) was aproved by custom trust manager");
return;
} catch (Exception e) {
}
}
if (defaultTm != null) {
defaultTm.checkServerTrusted(chain, authType);
logger.info("Certificate chain (server) was aproved by default trust manager");
} else {
logger.info("Certificate chain (server) was rejected");
throw new CertificateException("Can't check server trusted certificate.");
}
}
#Override
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
try {
if (defaultTm != null) {
defaultTm.checkClientTrusted(chain, authType);
logger.info("Certificate chain (client) was aproved by default trust manager");
} else {
throw new NullPointerException();
}
} catch (Exception e) {
for(CertificateManager certificateManager : register) {
X509TrustManager customTrustManager = certificateManager.getMytrustManager();
try {
customTrustManager.checkClientTrusted(chain, authType);
logger.info("Certificate chain (client) was aproved by custom trust manager");
return;
} catch (Exception e1) {
}
}
logger.info("Certificate chain (client) was rejected");
throw new CertificateException("Can't check client trusted certificate.");
}
}
public SSLSocketFactory getSocketFactory() {
return socketFactory;
}
}
This class made as singleton, because only one defaultSSL context allowed. So, now usage:
CertificateManager certificateManager = new CertificateManager("C:\\myapplication\\mykeystore.jks", "changeit");
String certificatePath = "C:\\myapplication\\public_key_for_your_ssl_service.crt";
try {
certificateManager.addCustomCertificate(certificatePath, "alias_for_public_key_for_your_ssl_service");
} catch (Exception e) {
log.error("Can't add custom certificate");
e.printStackTrace();
}
CustomTrustManager.getInstance().register(certificateManager);
Possibly, it will not work with this settings, because I keep certificate file inside of resource folder, so my path is not absolute. But generally, it work perfectly.
If your repository URL also work on HTTP and the security is not a concern, you can go to settings.xml (often, but not always, located in %USERPROFILE%/.m2) and replace HTTPS with HTTP for <repository> and <pluginRepository> URLs.
For example, this:
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://<artifactory>/libs-release</url>
</repository>
should be replaced by this:
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://<artifactory>/libs-release</url>
</repository>
I was using my own trust store rather than JRE one by passing arg -Djavax.net.ssl.trustStore=
I was getting this error regardless of certs in truststore. The issue for me was the ordering of of the properties passed on arg line.
When i put -Djavax.net.ssl.trustStore=& -Djavax.net.ssl.trustStorePassword= before -Dspring.config.location= & -jar args i was able to successfully invoke my rest call over https.
I solved this issue on Windows Server 2016 with Java 8, by importing cert from pkcs12 store to cacerts keystore.
Path to pkcs12 store:
C:\Apps\pkcs12.pfx
Path to Java cacerts:
C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts
Path to keytool:
C:\Program Files\Java\jre1.8.0_151\bin
After possitioning to folder with keytool in command prompt (as administrator), command to import cert from pkcs12 to cacerts is as follows:
keytool -v -importkeystore -srckeystore C:\Apps\pkcs12.pfx -srcstoretype PKCS12 -destkeystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -deststoretype JKS
You will be prompted to:
1. enter destination keystore password (cacerts pasword, default is "changeit")
2. enter source keystore password (pkcs12 password)
For changes to take effect, restart server machine (or just restart JVM).
I ran into same issue but updating wrong jre on my linux machine. It is highly likely that tomcat is using different jre and your cli prompt is configured to use a different jre.
Make sure you are picking up the correct jre.
Step #1:
ps -ef | grep tomcat
You will see some thing like:
root 29855 1 3 17:54 pts/3 00:00:42 /usr/java/jdk1.7.0_79/jre/bin/java
Now use this:
keytool -import -alias example -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts -file cert.cer
PWD: changeit
*.cer file can be geneated as shown below: (or you can use your own)
openssl x509 -in cert.pem -outform pem -outform der -out cert.cer
If you are still getting this error
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
after executing the below command and restarting the java process
keytool -import -alias certificatealias -keystore C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts -file certificate.cer
Then there is some issue in JDK. Try to install JDK from a trusted provider.
Once you reinstalled it from trusted provider you won't face this issue.
Simple Steps to resolve this Exception, (I did it on java 11),
First you need to Download the public SSL certificate file of the target domain that you are trying to call,for that
Open the target domain website in the chrome (Example: https://amazonservice.domain.com)
Click on the small lock icon before the URL in the browser
Click View certificates
Now Click on Certificate is valid as shown below
Now a new Popup will open as shown below,
Open the details tab
Select the RootCert at the top
Click Export and save the .cer file to your system in a directory
Now you have the public keystore of your target domain which you are trying to call in your java application,now we need to impot that keystore into you jre,for that go to the $JAVA_HOME/bin directory and run the following command
./keytool -importcert -alias someAliasName -keystore {JAVA_HOME}/lib/security/cacerts -file {PathToDownloads}/certificateFileName.cer
It will ask you for password, enter the password if you know, the default password for the certificate is changeit
References
https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html
https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html
In case your host sits behind firewall/proxy , use following command in cmd:
keytool -J-Dhttps.proxyHost=<proxy_hostname> -J-Dhttps.proxyPort=<proxy_port> -printcert -rfc -sslserver <remote_host_name:remote_ssl_port>
Replace <proxy_hostname> and <proxy_port> with the HTTP proxy server that is configured. Replace <remote_host_name:remote_ssl_port> with one of the remote host (basically url) and port having the certification problem.
Take the last certificate content printed and copy it (also copy begin and end certificate). Paste it in text file and give .crt extension to it . Now import this certificate to cacerts using java keytool command and it should work .
keytool -importcert -file <filename>.crt -alias randomaliasname -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
1-First of all, import you'r crt file into {JAVA_HOME}/jre/security/cacerts, if you still faced with this exception, change you'r jdk version. For example from jdk1.8.0_17 to jdk1.8.0_231
I was facing this issue with Java 8 but it got solved after upgrading to Java 11
Here normally this kind of exception occurs when there is mismatch in the PATH of trusted certificate. Check the configuration or path where this server certificate is required for secured communication.
I have a Java client trying to access a server with a self-signed certificate.
When I try to Post to the server, I get the following error:
unable to find valid certification path to requested target
Having done some research on the issue, I then did the following.
Saved my servers domain name as a root.cer file.
In my Glassfish server's JRE, I ran this:
keytool -import -alias example -keystore cacerts -file root.cer
To check the cert was added to my cacert successfully, I did this:
keytool -list -v -keystore cacerts
I can see the cert is present.
I then restarted Glassfish and retried the 'post'.
I am still getting the same error.
I have a feeling this is because my Glassfish is not actually reading the cacert file that I have amended but maybe some other one.
Have any of you had this issue and can push me in the right direction?
Unfortunately - it could be many things - and lots of app servers and other java 'wrappers' are prone to play with properties and their 'own' take on keychains and what not. So it may be looking at something totally different.
Short of truss-ing - I'd try:
java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...
to see if that helps. Instead of 'all' one can also set it to 'ssl', key manager and trust manager - which may help in your case. Setting it to 'help' will list something like below on most platforms.
Regardless - do make sure you fully understand the difference between the keystore (in which you have the private key and cert you prove your own identity with) and the trust store (which determines who you trust) - and the fact that your own identity also has a 'chain' of trust to the root - which is separate from any chain to a root you need to figure out 'who' you trust.
all turn on all debugging
ssl turn on ssl debugging
The following can be used with ssl:
record enable per-record tracing
handshake print each handshake message
keygen print key generation data
session print session activity
defaultctx print default SSL initialization
sslctx print SSLContext tracing
sessioncache print session cache tracing
keymanager print key manager tracing
trustmanager print trust manager tracing
pluggability print pluggability tracing
handshake debugging can be widened with:
data hex dump of each handshake message
verbose verbose handshake message printing
record debugging can be widened with:
plaintext hex dump of record plaintext
packet print raw SSL/TLS packets
Source: # See http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug
Here is the solution , follow the below link Step by Step :
http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/
JAVA FILE : which is missing from the blog
/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
import java.io.*;
import java.net.URL;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;
public class InstallCert {
public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = p.toCharArray();
} else {
System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
return;
}
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[] {tm}, null);
SSLSocketFactory factory = context.getSocketFactory();
System.out.println("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}
BufferedReader reader =
new BufferedReader(new InputStreamReader(System.in));
System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println
(" " + (i + 1) + " Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println(" sha1 " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println(" md5 " + toHexString(md5.digest()));
System.out.println();
}
System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
int k;
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();
System.out.println();
System.out.println(cert);
System.out.println();
System.out.println
("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}
You need to configuring JSSE System Properties, specifically point to client certificate store.
Via command line:
java -Djavax.net.ssl.trustStore=truststores/client.ts com.progress.Client
or via Java code:
import java.util.Properties;
...
Properties systemProps = System.getProperties();
systemProps.put("javax.net.ssl.keyStorePassword","passwordForKeystore");
systemProps.put("javax.net.ssl.keyStore","pathToKeystore.ks");
systemProps.put("javax.net.ssl.trustStore", "pathToTruststore.ts");
systemProps.put("javax.net.ssl.trustStorePassword","passwordForTrustStore");
System.setProperties(systemProps);
...
For more refer to details on RedHat site.
(repost from my other response)
Use cli utility keytool from java software distribution for import (and trust!) needed certificates
Sample:
From cli change dir to jre\bin
Check keystore (file found in jre\bin directory)
keytool -list -keystore ..\lib\security\cacerts
Password is changeit
Download and save all certificates in chain from needed server.
Add certificates (before need to remove "read-only" attribute on file ..\lib\security\cacerts), run:
keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore.\lib\security\cacerts -file "r:\root.crt"
accidentally I found such a simple tip.
Other solutions require the use of InstallCert.Java and JDK
source: http://www.java-samples.com/showtutorial.php?tutorialid=210
I had the same problem with sbt.
It tried to fetch dependencies from repo1.maven.org over ssl
but said it was "unable to find valid certification path to requested target url".
so I followed this post
and still failed to verify a connection.
So I read about it and found that the root cert is not enough, as was suggested by the post,so - the thing that worked for me was importing the intermediate CA certificates into the keystore.
I actually added all the certificates in the chain and it worked like a charm.
I came across this error while trying to access a https url from my application which was using self-signed certificate.
What they provide is a .cert file and I was not sure where to put that. I solved it the following way:
keytool location is under JDK/bin folder
Method 1: Add the certificate to default Java Truststore - cacerts:
keytool -import -alias myCert -file C://certificate.cert -keystore C://Program Files//Java//jdk1.8.0_271//jre//lib//security//cacerts
Password: changeit
Method 2:
Create a Trust Store:
keytool -import -alias myCert -file C://certificate.cert -keystore myTrustStore
It gives you the following prompts, which can be filled up as:
Enter keystore password:changeit
Re-enter new password:changeit
Trust this certificate?yes
This will create a myTrustStore file inside a folder where you ran this command.
Copy this "mytrustStore" to a convenient location.
Use the Trust Store:
While you are running your application/server pass these JVM arguments:
-Djavax.net.ssl.trustStore=C://myTrustStore -Djavax.net.ssl.trustStorePassword=changeit
Solution when migrating from JDK 8 to JDK 10
The certificates are really different
JDK 10 has 80, while JDK 8 has 151
JDK 10 has been recently added the certs
https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates
http://openjdk.java.net/jeps/319
JDK 10
root#c339504909345:/opt/jdk-minimal/jre/lib/security # keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 80 entries
JDK 8
root#c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts # keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 151 entries
Steps to fix
I deleted the JDK 10 cert and replaced it with the JDK 8
Since I'm building Docker Images, I could quickly do that using Multi-stage builds
I'm building a minimal JRE using jlink as /opt/jdk/bin/jlink \
--module-path /opt/jdk/jmods...
So, here's the different paths and the sequence of the commands...
# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts
# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts
I am working on a tutorial for REST web services at www.udemy.com (REST Java Web Services). The example in the tutorial said that in order to have SSL, we must have a folder called "trust_store" in my eclipse "client" project that should contain a "key store" file (we had a "client" project to call the service, and "service" project that contained the REST web service - 2 projects in the same eclipse workspace, one the client, the other the service). To keep things simple, they said to copy "keystore.jks" from the glassfish app server (glassfish\domains\domain1\config\keystore.jks) we are using and put it into this "trust_store" folder that they had me make in the client project. That seems to make sense: the self-signed certs in the server's key_store would correspond to the certs in the client trust_store. Now, doing this, I was getting the error that the original post mentions. I have googled this and read that the error is due to the "keystore.jks" file on the client not containing a trusted/signed certificate, that the certificate it finds is self-signed.
To keep things clear, let me say that as I understand it, the "keystore.jks" contains self-signed certs, and the "cacerts.jks" file contains CA certs (signed by the CA). The "keystore.jks" is the "keystore" and the "cacerts.jks" is the "trust store". As "Bruno", a commenter, says above, "keystore.jks" is local, and "cacerts.jks" is for remote clients.
So, I said to myself, hey, glassfish also has the "cacerts.jks" file, which is glassfish's trust_store file. cacerts.jsk is supposed to contain CA certificates. And apparently I need my trust_store folder to contain a key store file that has at least one CA certificate. So, I tried putting the "cacerts.jks" file in the "trust_store" folder I had made, on my client project, and changing the VM properties to point to "cacerts.jks" instead of "keystore.jks". That got rid of the error. I guess all it needed was a CA cert to work.
This may not be ideal for production, or even for development beyond just getting something to work. For instance you could probably use "keytool" command to add CA certs to the "keystore.jks" file in the client. But anyway hopefully this at least narrows down the possible scenarios that could be going on here to cause the error.
ALSO: my approach seemed to be useful for the client (server cert added to client trust_store), it looks like the comments above to resolve the original post are useful for the server (client cert added to server trust_store). Cheers.
Eclipse project setup:
MyClientProject
src
test
JRE System Library
...
trust_store
---cacerts.jks
---keystore.jks
Snippet from MyClientProject.java file:
static {
// Setup the trustStore location and password
System.setProperty("javax.net.ssl.trustStore","trust_store/cacerts.jks");
// comment out below line
System.setProperty("javax.net.ssl.trustStore","trust_store/keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
//System.setProperty("javax.net.debug", "all");
// for localhost testing only
javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(new javax.net.ssl.HostnameVerifier() {
public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
return hostname.equals("localhost");
}
});
}
Wasted a lot of time on that issue. If you imported the certificate and you can see it listed here.
keytool -list -v -keystore $JAVA_HOME/lib/security/cacerts
Then create the new one, with the following command, replace SITE_NAME, SITE_PORT, CERTIFICATE_NAME and path to save file.
echo -n | openssl s_client -connect SITE_NAME:SITE_PORT \
| openssl x509 > /path/to/save/CERTIFICATE_NAME.cert
In my case, I experienced problem using Keycloak with Spring. After I created certificate with this command and imported to keystore, the problem was solved and it works fine
My problem was that a Cloud Access Security Broker, NetSkope, was installed on my work laptop through a software update. This was altering the certificate chain and I was still not able to connect to the server through my java client after importing the entire chain to my cacerts keystore. I disabled NetSkope and was able to successfully connect.
Check if the file $JAVA_HOME/lib/security/cacerts exists!
In my case it was not a file but a link to /etc/ssl/certs/java/cacerts and also this was a link to itself (WHAT???) so due to it JVM can't find the file.
Solution:
Copy the real cacerts file (you can do it from another JDK) to /etc/ssl/certs/java/ directory and it'll solve your problem :)
note for eclipse / Sts users:
Because eclipse uses its own JRE, you should add certs to its own JRE keystore.
I had this issue until I added certs to Sts's JRE.
SSL log:
`javax.net.ssl|DEBUG|1A|restartedMain|2021-12-06 23:04:00.874` IRST|TrustStoreManager.java:113|trustStore is: D:\sts-4.12.0.RELEASE\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.2.v20210721-1149\jre\lib\security\cacerts
This is the full path: "sts-4.12.0.RELEASE\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.2.v20210721-1149\jre\lib\security\cacerts"
In my case I was facing the problem because in my tomcat process specific keystore was given using
-Djavax.net.ssl.trustStore=/pathtosomeselfsignedstore/truststore.jks
Wheras I was importing the certificate to the cacert of JRE/lib/security and the changes were not reflecting.
Then I did below command where /tmp/cert1.test contains the certificate of the target server
keytool -import -trustcacerts -keystore /pathtosomeselfsignedstore/truststore.jks -storepass password123 -noprompt -alias rapidssl-myserver -file /tmp/cert1.test
We can double check if the certificate import is successful
keytool -list -v -keystore /pathtosomeselfsignedstore/truststore.jks
and see if your taget server is found against alias rapidssl-myserver
In my case, I was getting error connecting to AWS Gov Postgres RDS. There is a separate link for GOV RDS CA certs- https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem
Add this pem certs to cacerts of java. You can use below script.
------WINDOWDS STEPS-------
Use VSCODE editor and install openssl, keytool plugins
create a dir in C:/rds-ca
place 'cacerts' file and below script file - 'addCerts.sh' inside dir 'rd-ca'
run from vscode:
4.1 cd /c/rds-ca/
4.2 ./addCerts.sh
Copy cacerts to ${JAVA_HOME}/jre/lib/security
Script code:
#!/usr/bin/env sh
OLDDIR="$PWD"
CACERTS_FILE=cacerts
cd /c/rds-ca
echo "Downloading RDS certificates..."
curl https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem > rds-combined-ca-bundle.pem
csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{$(grep -c 'BEGIN CERTIFICATE' rds-combined-ca-bundle.pem | awk '{print $1 - 2}')}"
for CERT in xx*; do
# extract a human-readable alias from the cert
ALIAS=$(openssl x509 -noout -text -in $CERT |
perl -ne 'next unless /Subject:/; s/.*CN=//; print')
echo "importing $ALIAS"
keytool -import \
-keystore $CACERTS_FILE \
-storepass changeit -noprompt \
-alias "$ALIAS" -file $CERT
done
cd "$OLDDIR"
echo "$NEWDIR"
SSL mode
Happened to me because my config included sslmode=verify-full. You may need to change this to sslmode=require. Or a programatic equivalent of that.
This also applies to using SSL/TLS from applications.
For instance, a Database client in IntelliJ IDEA's. There you need to go to the connection properties, SSH/SSL tab, and set Mode to Require.
More about SSL/TLS modes e.g here: https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/
I created a ubuntu on my windows 10 laptop and I ran into issue when I was trying to load CMAK site download from https://github.com/yahoo/CMAK site. First it gave fatal ssl error.
openssl s_client -showcerts -servername github.com -connect github.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > github-com.pem
and use the following command (make sure you put right path for ca-cert)
cat github-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
Then use the following statement (make sure the path for cert is correct):
git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
Then I was able to download CMAK but ran into issue when i tried ./sbt clean statement. It was giving a pkix path error. The reason is that I do not have my company issue cert stored in my cacert file.
I have downloaded the company cert (google on how to do it) and followed this article to add my downloaded cert to cacert file. Used sudo update-ca-certificates one more time before ./sbt. It worked for me.
Note: You may have to switch between root and exit when you are following above steps.
This is what I did.
I wanted to develop the app on Java 10, and I had the Eclipse IDE 2020-06.
The cert import solution did not work for me.
So then I installed Java 11 JDK, switched to the latest Eclipse IDE (which runs on Java 11), and made sure that the source-code still gets compiled against the Java 10, by adding these statemements under Maven POM:
<maven.compiler.target>1.10</maven.compiler.target>
<maven.compiler.source>1.10</maven.compiler.source>
<maven.compiler.release>10</maven.compiler.release>
And it works like a charm; no errors.
I'm trying to get tweets using twitter4j library for my java project which uses under the covers java.net.HttpURLConnection (as can be seen in stack trace). On my first run I got an error about certificate sun.security.validator.ValidatorException and sun.security.provider.certpath.SunCertPathBuilderException. Then I added twitter certificate by:
C:\Program Files\Java\jdk1.7.0_45\jre\lib\security>keytool -importcert -trustcacerts -file PathToCert -alias ca_alias -keystore "C:\Program Files\Java\jdk1.7.0_45\jre\lib\security\cacerts"
But without success. Here is the procedure to get tweets:
public static void main(String[] args) throws TwitterException {
ConfigurationBuilder cb = new ConfigurationBuilder();
cb.setDebugEnabled(true)
.setOAuthConsumerKey("myConsumerKey")
.setOAuthConsumerSecret("myConsumerSecret")
.setOAuthAccessToken("myAccessToken")
.setOAuthAccessTokenSecret("myAccessTokenSecret");
TwitterFactory tf = new TwitterFactory(cb.build());
Twitter twitter = tf.getInstance();
try {
Query query = new Query("iphone");
QueryResult result;
result = twitter.search(query);
System.out.println("Total amount of tweets: " + result.getTweets().size());
List<Status> tweets = result.getTweets();
for (Status tweet : tweets) {
System.out.println("#" + tweet.getUser().getScreenName() + " : " + tweet.getText());
}
} catch (TwitterException te) {
te.printStackTrace();
System.out.println("Failed to search tweets: " + te.getMessage());
}
And here is the error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Relevant discussions can be found on the Internet at:
http://www.google.co.jp/search?q=d35baff5 or
http://www.google.co.jp/search?q=1446302e
TwitterException{exceptionCode=[d35baff5-1446302e 43208640-747fd158 43208640-747fd158 43208640-747fd158], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=3.0.5}
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:177)
at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:61)
at twitter4j.internal.http.HttpClientWrapper.get(HttpClientWrapper.java:81)
at twitter4j.TwitterImpl.get(TwitterImpl.java:1929)
at twitter4j.TwitterImpl.search(TwitterImpl.java:306)
at jku.cc.servlets.TweetsAnalyzer.main(TweetsAnalyzer.java:38)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at twitter4j.internal.http.HttpResponseImpl.<init>(HttpResponseImpl.java:34)
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:141)
... 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 26 more
Failed to search tweets: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Go to URL in your browser:
firefox - click on HTTPS certificate chain (the lock icon right next to URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pickup the name and choose file type example.cer
chrome - click on site icon left to address in address bar, select "Certificate" -> "Details" -> "Export" and save in format "Der-encoded binary, single certificate".
Now you have file with keystore and you have to add it to your JVM. Determine location of cacerts files, eg.
C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.
Next import the example.cer file into cacerts in command line (may need administrator command prompt):
keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer
You will be asked for password which default is changeit
Restart your JVM/PC.
source:
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
After many hours trying to build cert files to get my Java 6 installation working with the new twitter cert's, I finally stumbled onto an incredibly simple solution buried in a comment in one of the message boards. Just copy the cacerts file from a Java 7 installation and overwrite the one in your Java 6 installation. Probably best to make a backup of the cacerts file first, but then you just copy the new one in and BOOM! it just works.
Note that I actually copied a Windows cacerts file onto a Linux installation and it worked just fine.
The file is located in jre/lib/security/cacerts in both the old and new Java jdk installations.
Hope this saves someone else hours of aggravation.
MY UI approach:
Download keystore explorer from here
Open $JAVA_HOME/jre/lib/security/cacerts
enter PW: changeit (Can be changeme on Mac)
Import your .crt file
CMD-Line:
keytool -importcert -file jetty.crt -alias jetty -keystore $JAVA_HOME/jre/lib/security/cacerts
enter PW: changeit (Can be changeme on Mac)
1. Check the certificate
Try to load the target URL in browser and view the site's certificate (usually it's accessible by the icon with the lock sign. It's on the left or right side of the browser's address bar) whether it's expired or untrusted by other reason.
2. Install latest versions of JRE and JDK
New versions usually come with the updated set of the trusted certificates.
Also if it's possible, uninstall old versions. This will make misconfiguration errors explicit.
3. Check your configuration:
Check where your JAVA_HOME environment variable points to.
Check which java version you use to run the program. In IntelliJ check:
File -> Project Structure... -> Project Settings -> Project -> Project SDK:
File -> Project Structure... -> Platform Settings -> SDKs
4. Copy whole keystore from the new Java version
If you develop under the JDK other than the latest available - try to replace the %JAVA_HOME%/jre/lib/security/cacerts file with the new one from the latest installed JRE (make a backup copy first) as #jeremy-goodell suggests in his answer
5. Add certificate(s) to your keystore
If nothing above solves your problem use keytool to save certificate(s) to the Java's keystore:
keytool -trustcacerts -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit -importcert -alias <alias_name> -file <path_to_crt_file>
File with the certificate can be obtained from the browser as #MagGGG suggests in his answer.
Note 1: you may need to repeat this for every certificate in the chain to you site's certificate. Start from the root one.
Note 2: <alias_name> should be unique among the keys in the store or keytool will show an error.
To get list of all the certificates in the store you may run:
keytool -list -trustcacerts -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit
In case something goes wrong this will help you to remove certificate from the store:
keytool -delete -alias <alias_name> -keystore "%JAVA_HOME%jre\lib\security\cacerts" -storepass changeit
-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true
It is used for jump the certificate validation.
Warning!
Only use for development purposes for this is unsecure!
I have stumbled upon this issue which took many hours of research to fix, specially with auto-generated certificates, which unlike Official ones, are quite tricky and Java does not like them that much.
Please check the following link: Solve Problem with certificates in Java
Basically you have to add the certificate from the server to the Java Home certs.
Generate or Get your certificate and configure Tomcat to use it in Servers.xml
Download the Java source code of the class InstallCert and execute it while the server is running, providing the following arguments server[:port]. No password is needed, as the original password works for the Java certs ("changeit").
The Program will connect to the server and Java will throw an exception, it will analyze the certificate provided by the server and allow you to create a jssecerts file inside the directory where you executed the Program (If executed from Eclipse then make sure you configure the Work directory in Run -> Configurations).
Manually copy that file to $JAVA_HOME/jre/lib/security
After following these steps, the connections with the certificate will not generate exceptions anymore within Java.
The following source code is important and it disappeared from (Sun) Oracle blogs, the only page I found it was on the link provided, therefore I am attaching it in the answer for any reference.
/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* Originally from:
* http://blogs.sun.com/andreas/resource/InstallCert.java
* Use:
* java InstallCert hostname
* Example:
*% java InstallCert ecc.fedora.redhat.com
*/
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Class used to add the server's certificate to the KeyStore
* with your trusted certificates.
*/
public class InstallCert {
public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = p.toCharArray();
} else {
System.out.println("Usage: java InstallCert [:port] [passphrase]");
return;
}
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory factory = context.getSocketFactory();
System.out.println("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}
BufferedReader reader =
new BufferedReader(new InputStreamReader(System.in));
System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println
(" " + (i + 1) + " Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println(" sha1 " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println(" md5 " + toHexString(md5.digest()));
System.out.println();
}
System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
int k;
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();
System.out.println();
System.out.println(cert);
System.out.println();
System.out.println
("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}
Mac
The accepted answer does not work for Mac as there is no Export button available in Mac (Chrome or Firefox). Please check this answer to download the certificate and follow the next steps as mentioned below:
List all certificates installed in the keystore:
cd $JAVA_HOME/lib/security
keytool -list -keystore cacerts
Notes:
The default password of the keystore is: changeit.
For Java-8 or lower version use the command, cd $JAVA_HOME/jre/lib/security
Before you import the certificate in the keystore, make a backup of the keystore:
sudo cp cacerts cacerts.bak
Import the downloaded certificate in the keystore:
sudo keytool -importcert -alias youralias -file /path/to/the/downloaded/certificate -keystore cacerts
Check if the certificate is stored in the keystore:
sudo keytool -list -keystore cacerts -alias youralias
If you want to see more detailed information, add the -v flag:
sudo keytool -v -list -keystore cacerts -alias youralias
I wanted to import certificate for smtp.gmail.com. The only solution that worked for me is
Enter command to view this certificate
D:\openssl\bin\openssl.exe s_client -connect smtp.gmail.com:465
Copy and save the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a file, gmail.cer
Run
keytool -import -alias smtp.gmail.com -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file C:\Users\Admin\Desktop\gmail.cer
Enter password: changeit
Click "Yes" to import the certificate
Restart Java
Now run the command and you are good to go.
I had a slightly different situation, when both JDK and JRE 1.8.0_112 were present on my system.
I imported the new CA certificates into [JDK_FOLDER]\jre\lib\security\cacerts using the already known command:
keytool -import -trustcacerts -keystore cacerts -alias <new_ca_alias> -file <path_to_ca_cert_file>
Still, I kept getting the same PKIX path building failed error.
I added debug information to the java CLI, by using java -Djavax.net.debug=all ... > debug.log. In the debug.log file, the line that begins with trustStore is: actually pointed to the cacerts store found in [JRE_FOLDER]\lib\security\cacerts.
In my case the solution was to copy the cacerts file used by JDK (which had the new CAs added) over the one used by the JRE and that fixed the issue.
This isn't a Twitter-specific answer, but this is the question that comes up when you search for this error. If your system is receiving this error when connecting to a website that appears to have a valid certificate when viewed in a web browser, that probably means that website has an incomplete certificate chain.
For a brief summary of the problem: Certificate Authorities don't use their Root Certificate to sign just any old certificate. Instead, they (usually) sign intermediate certificates that also have the Certificate Authority flag set (that is, are allowed to sign certificates). Then when you purchase a certificate from a CA, they sign your CSR with one of these intermediate certificates.
Your Java trust store most likely only has the Root Cert, not the intermediate ones.
A misconfigured site might return just their signed cert. Problem: it was signed with an intermediate cert that's not in your trust store. Browsers will handle this problem by downloading or using a cached intermediate certificate; this maximizes website compatibility. Java and tools like OpenSSL, however, won't. And that will cause the error in the question.
You can verify this suspicion by using the Qualys SSL Test. If you run that against a site and it says
This server's certificate chain is incomplete.
then that confirms it. You can also see this by looking at the certification paths and seeing the text Extra Download.
How to fix it: the server administrator needs to configure the web server to return the intermediate certificates as well. For Comodo, for example, this is where the .ca-bundle file comes in handy. For example, in an Apache configuration with mod_ssl, you'd use the SSLCertificateChainFile configuration setting. For nginx, you need to concatenate the intermediate certificates and the signed certificate and use that in the SSL cert configuration. You can find more by searching for "incomplete certificate chain" online.
Issue Background:
I was getting following error when i try to run mvn clean install in my project and through Netbeans IDE clean and build option.
This issue is due to certificate not available when we download through NET beans IDE/through command prompt, but able to download the files through the browser.
Error:
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact com.java.project:product:jar:1.0.32 from/to repo-local (https://url/local-repo): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Resolution:
1. Download the certificate of the Url in question:
Launch IE by "run as adminstrator" (otherwise, we will not be able to download the certificate)
Enter the url in IE-> https://url/local-repo
(In my case this url had a untrusted certificate.)
Download the certificate by clicking on Certificate error -> view certificate
Select Details tab -> copy to file -> next -> select "DER encoded binary X.509 (.CER)
save the certificate in some location, example : c:/user/sheldon/desktop/product.cer
Congrats! you have successfully downloaded the certificate for the site
2. Now install the key store to fix the issue.
Run the keytool command to append the downloaded keystore into the
existing certificate file.
Command: Below command in the bin folder of jdk (JAVA_HOME).
C:\Program Files\Java\jdk1.8.0_141\jre\bin>keytool -importcert -file
"C:/user/sheldon/desktop/product.cer" -alias product -keystore
"C:/Program Files/Java/jdk1.8.0_141/jre/lib/security/cacerts".
You will be prompted to enter password. Enter keystore password:
enter "changeit" again for "Trust this certificate? [no]:", enter
"yes"
Sample command line commands/output:
keytool -importcert -file "C:/Users/sheldon/Desktop/product.cer" -alias product -keystore "C:/Program iles/Java/jdk1.8.0_141/jre/lib/security/cacerts"
Enter keystore password:
Trust this certificate? [no]: yes
Certificate was added to keystore
Contgrats! now you should have got rid of "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException" error in your Netbeans IDE.
This is a solution but in form of my story with this problem:
I was almost dead trying all the solutions given above(for 3 days ) and nothing worked for me.
I lost all hope.
I contacted my security team regarding this because I was behind a proxy and they told me that they had recently updated their security policy.
Later they issued a new "cacerts" file which contains all the certificates.
I removed the cacerts file which is present inside %JAVA_HOME%/jre/lib/security and it solved my problem.
So if you are facing this issue it might be from your network team also like this.
After struggling for half-day, found one more way to solve this problem. I was able to solve this in MAC 10.15.5 ( Catalina). Followed the below steps.
This problem occurs when we are running behind a company proxy , In my case its Zscaler.
Open Key chain access, export CA certificate.(Select CA certificate, File->export items and save with the desired name)
Copy the path of existing cacerts from java folder(/Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/lib/security/cacerts
)
Open terminal and navigate to the Keytool folder (/Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/bin
)
Run the below command.
Keytool -importcert - file (Path to exported cert from the keychainaccess) -alias (give a name) -keystore (Path of existing cacerts from java folder)
sudo Keytool -importcert -file /Users/Desktop/RootCA.cer -alias demo -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_251.jdk/Contents/Home/jre/lib/security/cacerts
It will ask for password , give it as : changeit
It asks for confirmation , Say : yes
After all of these steps, Quit eclipse and terminal start fresh session.
The reason, we get above error is that JDK is bundled with a lot of trusted Certificate Authority(CA) certificates into a file called ‘cacerts’ but this file has no clue of our self-signed certificate. In other words, the cacerts file doesn’t have our self-signed certificate imported and thus doesn’t treat it as a trusted entity and hence it gives the above error.
How to fix the above error
To fix the above error, all we need is to import the self-signed certificate into the cacerts file.
First, locate the cacerts file. We will need to find out the JDK location. If you are running your application through one of the IDE’s like Eclipse or IntelliJ Idea go to project settings and figure out what is the JDK location.
For e.g on a Mac OS typical location of cacerts file would be at this location /Library/Java/JavaVirtualMachines/ {{JDK_version}}/Contents/Home/jre/lib/security
on a Window’s machine it would be under {{Installation_directory}}/{{JDK_version}}/jre/lib/security
Once you have located the cacerts file, now we need to import our self-signed certificate to this cacerts file. Check the last article, if you don’t know how to generate the self-signed certificate correctly.
If you don’t have a certificate file(.crt) and just have a .jks file you can generate a .crt file by using below command. In case you already have a .crt/.pem file then you can ignore below command
##To generate certificate from keystore(.jks file) ####
keytool -export -keystore keystore.jks -alias selfsigned -file selfsigned.crt
Above step will generate a file called selfsigned.crt.Now Import the certificate to cacerts
Now add the certificate to JRE/lib/security/cacerts (trustore)
keytool -importcert -file selfsigned.crt -alias selfsigned -keystore {{cacerts path}}
for e.g
keytool -importcert -file selfsigned.nextgen.crt -alias selfsigned.nextgen -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts
That’s all, restart your application and it should work fine. If it still doesn’t work and get an SSL handshake exception. It probably means you are using different domain then registered in the certificate.
The Link with detailed explanation and step by step resolution is over here.
I was facing the same issue and get it resolved using the below simple steps:
1) Download the InstallCert.java from google
2) Compile it using javac InstallCert.java
3) Run InstallCert.java using java InstallCert.java, with the hostname and https port, and press “1” when asking for input. It will add the “localhost” as a trusted keystore, and generate a file named “jssecacerts“ as below:
java InstallCert localhost:443
4) copy the jssecacerts into $JAVA_HOME/jre/lib/security folder
Main source to resolve the issue here is:
https://ankurjain26.blogspot.in/2017/11/javaxnetsslsslhandshakeexception.html
Problem is, your eclipse is not able to connect the site which actually it is trying to.
I have faced similar issue and below given solution worked for me.
Turn off any third party internet security application e.g. Zscaler
Sometimes also need to disconnect VPN if you are connected.
Thanks
Adding cacerts did not work for me.
After enabling log with flag -Djavax.net.debug=all, then came to know java reading from jssecacerts.
Import to jssecacerts worked finally.
For me, certificate error popped up because I had fiddler running in background and that messes up with certificate. It acts as a proxy so close that and restart eclipse.
I came across this question while trying to install the Cucumber-Eclipse plugin in Eclipse via their update site. I received the same SunCertPathBuilderException error:
Unable to read repository at http://cucumber.io/cucumber-eclipse/update-site/content.xml.
Unable to read repository at http://cucumber.io/cucumber-eclipse/update-site/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
While some of the other answers are appropriate and helpful for this question's given situation, they were nevertheless unhelpful and misleading for my issue.
In my case, the issue was that the URL provided for their update site is:
https://cucumber.io/cucumber-eclipse/update-site
However when navigating to it via a browser, it redirected to (note the added ".github"):
http://cucumber.github.io/cucumber-eclipse/update-site/
So the resolution is to simply use the redirected version of the update site URL when adding the update site in eclipse.
goals:
use https connections
verify SSL chains
do not deal with cacerts
add certificate in runtime
do not lose certificates from cacerts
How to do it:
define own keystore
put certificate into keystore
redefine SSL default context with our custom class
???
profit
My Keystore wrapper file:
public class CertificateManager {
private final static Logger logger = Logger.getLogger(CertificateManager.class);
private String keyStoreLocation;
private String keyStorePassword;
private X509TrustManager myTrustManager;
private static KeyStore myTrustStore;
public CertificateManager(String keyStoreLocation, String keyStorePassword) throws Exception {
this.keyStoreLocation = keyStoreLocation;
this.keyStorePassword = keyStorePassword;
myTrustStore = createKeyStore(keyStoreLocation, keyStorePassword);
}
public void addCustomCertificate(String certFileName, String certificateAlias)
throws Exception {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
Certificate certificate = myTrustStore.getCertificate(certificateAlias);
if (certificate == null) {
logger.info("Certificate not exists");
addCertificate(certFileName, certificateAlias);
} else {
logger.info("Certificate exists");
}
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(myTrustStore);
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
setMytrustManager((X509TrustManager) tm);
logger.info("Trust manager found");
break;
}
}
}
private InputStream fullStream(String fname) throws IOException {
ClassLoader classLoader = getClass().getClassLoader();
InputStream resource = classLoader.getResourceAsStream(fname);
try {
if (resource != null) {
DataInputStream dis = new DataInputStream(resource);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
return new ByteArrayInputStream(bytes);
} else {
logger.info("resource not found");
}
} catch (Exception e) {
logger.error("exception in certificate fetching as resource", e);
}
return null;
}
public static KeyStore createKeyStore(String keystore, String pass) throws Exception {
try {
InputStream in = CertificateManager.class.getClass().getResourceAsStream(keystore);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(in, pass.toCharArray());
logger.info("Keystore was created from resource file");
return keyStore;
} catch (Exception e) {
logger.info("Fail to create keystore from resource file");
}
File file = new File(keystore);
KeyStore keyStore = KeyStore.getInstance("JKS");
if (file.exists()) {
keyStore.load(new FileInputStream(file), pass.toCharArray());
logger.info("Default keystore loaded");
} else {
keyStore.load(null, null);
keyStore.store(new FileOutputStream(file), pass.toCharArray());
logger.info("New keystore created");
}
return keyStore;
}
private void addCertificate(String certFileName, String certificateAlias) throws CertificateException,
IOException, KeyStoreException, NoSuchAlgorithmException {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream certStream = fullStream(certFileName);
Certificate certs = cf.generateCertificate(certStream);
myTrustStore.setCertificateEntry(certificateAlias, certs);
FileOutputStream out = new FileOutputStream(getKeyStoreLocation());
myTrustStore.store(out, getKeyStorePassword().toCharArray());
out.close();
logger.info("Certificate pushed");
}
public String getKeyStoreLocation() {
return keyStoreLocation;
}
public String getKeyStorePassword() {
return keyStorePassword;
}
public X509TrustManager getMytrustManager() {
return myTrustManager;
}
public void setMytrustManager(X509TrustManager myTrustManager) {
this.myTrustManager = myTrustManager;
}
}
This class will create keystore if necessary, and will be able to manage certificates inside of it. Now class for SSL context:
public class CustomTrustManager implements X509TrustManager {
private final static Logger logger = Logger.getLogger(CertificateManager.class);
private static SSLSocketFactory socketFactory;
private static CustomTrustManager instance = new CustomTrustManager();
private static List<CertificateManager> register = new ArrayList<>();
public static CustomTrustManager getInstance() {
return instance;
}
private X509TrustManager defaultTm;
public void register(CertificateManager certificateManager) {
for(CertificateManager manager : register) {
if(manager == certificateManager) {
logger.info("Certificate manager already registered");
return;
}
}
register.add(certificateManager);
logger.info("New Certificate manager registered");
}
private CustomTrustManager() {
try {
String algorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
tmf.init((KeyStore) null);
boolean found = false;
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
defaultTm = (X509TrustManager) tm;
found = true;
break;
}
}
if(found) {
logger.info("Default trust manager found");
} else {
logger.warn("Default trust manager was not found");
}
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{this}, null);
SSLContext.setDefault(sslContext);
socketFactory = sslContext.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
logger.info("Custom trust manager was set");
} catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException e) {
logger.warn("Custom trust manager can't be set");
e.printStackTrace();
}
}
#Override
public X509Certificate[] getAcceptedIssuers() {
List<X509Certificate> out = new ArrayList<>();
if (defaultTm != null) {
out.addAll(Arrays.asList(defaultTm.getAcceptedIssuers()));
}
int defaultCount = out.size();
logger.info("Default trust manager contain " + defaultCount + " certficates");
for(CertificateManager manager : register) {
X509TrustManager customTrustManager = manager.getMytrustManager();
X509Certificate[] issuers = customTrustManager.getAcceptedIssuers();
out.addAll(Arrays.asList(issuers));
}
logger.info("Custom trust managers contain " + (out.size() - defaultCount) + " certficates");
X509Certificate[] arrayOut = new X509Certificate[out.size()];
return out.toArray(arrayOut);
}
#Override
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
for(CertificateManager certificateManager : register) {
X509TrustManager customTrustManager = certificateManager.getMytrustManager();
try {
customTrustManager.checkServerTrusted(chain, authType);
logger.info("Certificate chain (server) was aproved by custom trust manager");
return;
} catch (Exception e) {
}
}
if (defaultTm != null) {
defaultTm.checkServerTrusted(chain, authType);
logger.info("Certificate chain (server) was aproved by default trust manager");
} else {
logger.info("Certificate chain (server) was rejected");
throw new CertificateException("Can't check server trusted certificate.");
}
}
#Override
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
try {
if (defaultTm != null) {
defaultTm.checkClientTrusted(chain, authType);
logger.info("Certificate chain (client) was aproved by default trust manager");
} else {
throw new NullPointerException();
}
} catch (Exception e) {
for(CertificateManager certificateManager : register) {
X509TrustManager customTrustManager = certificateManager.getMytrustManager();
try {
customTrustManager.checkClientTrusted(chain, authType);
logger.info("Certificate chain (client) was aproved by custom trust manager");
return;
} catch (Exception e1) {
}
}
logger.info("Certificate chain (client) was rejected");
throw new CertificateException("Can't check client trusted certificate.");
}
}
public SSLSocketFactory getSocketFactory() {
return socketFactory;
}
}
This class made as singleton, because only one defaultSSL context allowed. So, now usage:
CertificateManager certificateManager = new CertificateManager("C:\\myapplication\\mykeystore.jks", "changeit");
String certificatePath = "C:\\myapplication\\public_key_for_your_ssl_service.crt";
try {
certificateManager.addCustomCertificate(certificatePath, "alias_for_public_key_for_your_ssl_service");
} catch (Exception e) {
log.error("Can't add custom certificate");
e.printStackTrace();
}
CustomTrustManager.getInstance().register(certificateManager);
Possibly, it will not work with this settings, because I keep certificate file inside of resource folder, so my path is not absolute. But generally, it work perfectly.
If your repository URL also work on HTTP and the security is not a concern, you can go to settings.xml (often, but not always, located in %USERPROFILE%/.m2) and replace HTTPS with HTTP for <repository> and <pluginRepository> URLs.
For example, this:
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://<artifactory>/libs-release</url>
</repository>
should be replaced by this:
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>https://<artifactory>/libs-release</url>
</repository>
I was using my own trust store rather than JRE one by passing arg -Djavax.net.ssl.trustStore=
I was getting this error regardless of certs in truststore. The issue for me was the ordering of of the properties passed on arg line.
When i put -Djavax.net.ssl.trustStore=& -Djavax.net.ssl.trustStorePassword= before -Dspring.config.location= & -jar args i was able to successfully invoke my rest call over https.
I solved this issue on Windows Server 2016 with Java 8, by importing cert from pkcs12 store to cacerts keystore.
Path to pkcs12 store:
C:\Apps\pkcs12.pfx
Path to Java cacerts:
C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts
Path to keytool:
C:\Program Files\Java\jre1.8.0_151\bin
After possitioning to folder with keytool in command prompt (as administrator), command to import cert from pkcs12 to cacerts is as follows:
keytool -v -importkeystore -srckeystore C:\Apps\pkcs12.pfx -srcstoretype PKCS12 -destkeystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -deststoretype JKS
You will be prompted to:
1. enter destination keystore password (cacerts pasword, default is "changeit")
2. enter source keystore password (pkcs12 password)
For changes to take effect, restart server machine (or just restart JVM).
I ran into same issue but updating wrong jre on my linux machine. It is highly likely that tomcat is using different jre and your cli prompt is configured to use a different jre.
Make sure you are picking up the correct jre.
Step #1:
ps -ef | grep tomcat
You will see some thing like:
root 29855 1 3 17:54 pts/3 00:00:42 /usr/java/jdk1.7.0_79/jre/bin/java
Now use this:
keytool -import -alias example -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts -file cert.cer
PWD: changeit
*.cer file can be geneated as shown below: (or you can use your own)
openssl x509 -in cert.pem -outform pem -outform der -out cert.cer
If you are still getting this error
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
after executing the below command and restarting the java process
keytool -import -alias certificatealias -keystore C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts -file certificate.cer
Then there is some issue in JDK. Try to install JDK from a trusted provider.
Once you reinstalled it from trusted provider you won't face this issue.
Simple Steps to resolve this Exception, (I did it on java 11),
First you need to Download the public SSL certificate file of the target domain that you are trying to call,for that
Open the target domain website in the chrome (Example: https://amazonservice.domain.com)
Click on the small lock icon before the URL in the browser
Click View certificates
Now Click on Certificate is valid as shown below
Now a new Popup will open as shown below,
Open the details tab
Select the RootCert at the top
Click Export and save the .cer file to your system in a directory
Now you have the public keystore of your target domain which you are trying to call in your java application,now we need to impot that keystore into you jre,for that go to the $JAVA_HOME/bin directory and run the following command
./keytool -importcert -alias someAliasName -keystore {JAVA_HOME}/lib/security/cacerts -file {PathToDownloads}/certificateFileName.cer
It will ask you for password, enter the password if you know, the default password for the certificate is changeit
References
https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html
https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html
In case your host sits behind firewall/proxy , use following command in cmd:
keytool -J-Dhttps.proxyHost=<proxy_hostname> -J-Dhttps.proxyPort=<proxy_port> -printcert -rfc -sslserver <remote_host_name:remote_ssl_port>
Replace <proxy_hostname> and <proxy_port> with the HTTP proxy server that is configured. Replace <remote_host_name:remote_ssl_port> with one of the remote host (basically url) and port having the certification problem.
Take the last certificate content printed and copy it (also copy begin and end certificate). Paste it in text file and give .crt extension to it . Now import this certificate to cacerts using java keytool command and it should work .
keytool -importcert -file <filename>.crt -alias randomaliasname -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
1-First of all, import you'r crt file into {JAVA_HOME}/jre/security/cacerts, if you still faced with this exception, change you'r jdk version. For example from jdk1.8.0_17 to jdk1.8.0_231
I was facing this issue with Java 8 but it got solved after upgrading to Java 11
Here normally this kind of exception occurs when there is mismatch in the PATH of trusted certificate. Check the configuration or path where this server certificate is required for secured communication.
I have a Java client trying to access a server with a self-signed certificate.
When I try to Post to the server, I get the following error:
unable to find valid certification path to requested target
Having done some research on the issue, I then did the following.
Saved my servers domain name as a root.cer file.
In my Glassfish server's JRE, I ran this:
keytool -import -alias example -keystore cacerts -file root.cer
To check the cert was added to my cacert successfully, I did this:
keytool -list -v -keystore cacerts
I can see the cert is present.
I then restarted Glassfish and retried the 'post'.
I am still getting the same error.
I have a feeling this is because my Glassfish is not actually reading the cacert file that I have amended but maybe some other one.
Have any of you had this issue and can push me in the right direction?
Unfortunately - it could be many things - and lots of app servers and other java 'wrappers' are prone to play with properties and their 'own' take on keychains and what not. So it may be looking at something totally different.
Short of truss-ing - I'd try:
java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...
to see if that helps. Instead of 'all' one can also set it to 'ssl', key manager and trust manager - which may help in your case. Setting it to 'help' will list something like below on most platforms.
Regardless - do make sure you fully understand the difference between the keystore (in which you have the private key and cert you prove your own identity with) and the trust store (which determines who you trust) - and the fact that your own identity also has a 'chain' of trust to the root - which is separate from any chain to a root you need to figure out 'who' you trust.
all turn on all debugging
ssl turn on ssl debugging
The following can be used with ssl:
record enable per-record tracing
handshake print each handshake message
keygen print key generation data
session print session activity
defaultctx print default SSL initialization
sslctx print SSLContext tracing
sessioncache print session cache tracing
keymanager print key manager tracing
trustmanager print trust manager tracing
pluggability print pluggability tracing
handshake debugging can be widened with:
data hex dump of each handshake message
verbose verbose handshake message printing
record debugging can be widened with:
plaintext hex dump of record plaintext
packet print raw SSL/TLS packets
Source: # See http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug
Here is the solution , follow the below link Step by Step :
http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/
JAVA FILE : which is missing from the blog
/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
import java.io.*;
import java.net.URL;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;
public class InstallCert {
public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = p.toCharArray();
} else {
System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
return;
}
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[] {tm}, null);
SSLSocketFactory factory = context.getSocketFactory();
System.out.println("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}
BufferedReader reader =
new BufferedReader(new InputStreamReader(System.in));
System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println
(" " + (i + 1) + " Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println(" sha1 " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println(" md5 " + toHexString(md5.digest()));
System.out.println();
}
System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
int k;
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();
System.out.println();
System.out.println(cert);
System.out.println();
System.out.println
("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}
You need to configuring JSSE System Properties, specifically point to client certificate store.
Via command line:
java -Djavax.net.ssl.trustStore=truststores/client.ts com.progress.Client
or via Java code:
import java.util.Properties;
...
Properties systemProps = System.getProperties();
systemProps.put("javax.net.ssl.keyStorePassword","passwordForKeystore");
systemProps.put("javax.net.ssl.keyStore","pathToKeystore.ks");
systemProps.put("javax.net.ssl.trustStore", "pathToTruststore.ts");
systemProps.put("javax.net.ssl.trustStorePassword","passwordForTrustStore");
System.setProperties(systemProps);
...
For more refer to details on RedHat site.
(repost from my other response)
Use cli utility keytool from java software distribution for import (and trust!) needed certificates
Sample:
From cli change dir to jre\bin
Check keystore (file found in jre\bin directory)
keytool -list -keystore ..\lib\security\cacerts
Password is changeit
Download and save all certificates in chain from needed server.
Add certificates (before need to remove "read-only" attribute on file ..\lib\security\cacerts), run:
keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore.\lib\security\cacerts -file "r:\root.crt"
accidentally I found such a simple tip.
Other solutions require the use of InstallCert.Java and JDK
source: http://www.java-samples.com/showtutorial.php?tutorialid=210
I had the same problem with sbt.
It tried to fetch dependencies from repo1.maven.org over ssl
but said it was "unable to find valid certification path to requested target url".
so I followed this post
and still failed to verify a connection.
So I read about it and found that the root cert is not enough, as was suggested by the post,so - the thing that worked for me was importing the intermediate CA certificates into the keystore.
I actually added all the certificates in the chain and it worked like a charm.
I came across this error while trying to access a https url from my application which was using self-signed certificate.
What they provide is a .cert file and I was not sure where to put that. I solved it the following way:
keytool location is under JDK/bin folder
Method 1: Add the certificate to default Java Truststore - cacerts:
keytool -import -alias myCert -file C://certificate.cert -keystore C://Program Files//Java//jdk1.8.0_271//jre//lib//security//cacerts
Password: changeit
Method 2:
Create a Trust Store:
keytool -import -alias myCert -file C://certificate.cert -keystore myTrustStore
It gives you the following prompts, which can be filled up as:
Enter keystore password:changeit
Re-enter new password:changeit
Trust this certificate?yes
This will create a myTrustStore file inside a folder where you ran this command.
Copy this "mytrustStore" to a convenient location.
Use the Trust Store:
While you are running your application/server pass these JVM arguments:
-Djavax.net.ssl.trustStore=C://myTrustStore -Djavax.net.ssl.trustStorePassword=changeit
Solution when migrating from JDK 8 to JDK 10
The certificates are really different
JDK 10 has 80, while JDK 8 has 151
JDK 10 has been recently added the certs
https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates
http://openjdk.java.net/jeps/319
JDK 10
root#c339504909345:/opt/jdk-minimal/jre/lib/security # keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 80 entries
JDK 8
root#c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts # keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 151 entries
Steps to fix
I deleted the JDK 10 cert and replaced it with the JDK 8
Since I'm building Docker Images, I could quickly do that using Multi-stage builds
I'm building a minimal JRE using jlink as /opt/jdk/bin/jlink \
--module-path /opt/jdk/jmods...
So, here's the different paths and the sequence of the commands...
# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts
# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts
I am working on a tutorial for REST web services at www.udemy.com (REST Java Web Services). The example in the tutorial said that in order to have SSL, we must have a folder called "trust_store" in my eclipse "client" project that should contain a "key store" file (we had a "client" project to call the service, and "service" project that contained the REST web service - 2 projects in the same eclipse workspace, one the client, the other the service). To keep things simple, they said to copy "keystore.jks" from the glassfish app server (glassfish\domains\domain1\config\keystore.jks) we are using and put it into this "trust_store" folder that they had me make in the client project. That seems to make sense: the self-signed certs in the server's key_store would correspond to the certs in the client trust_store. Now, doing this, I was getting the error that the original post mentions. I have googled this and read that the error is due to the "keystore.jks" file on the client not containing a trusted/signed certificate, that the certificate it finds is self-signed.
To keep things clear, let me say that as I understand it, the "keystore.jks" contains self-signed certs, and the "cacerts.jks" file contains CA certs (signed by the CA). The "keystore.jks" is the "keystore" and the "cacerts.jks" is the "trust store". As "Bruno", a commenter, says above, "keystore.jks" is local, and "cacerts.jks" is for remote clients.
So, I said to myself, hey, glassfish also has the "cacerts.jks" file, which is glassfish's trust_store file. cacerts.jsk is supposed to contain CA certificates. And apparently I need my trust_store folder to contain a key store file that has at least one CA certificate. So, I tried putting the "cacerts.jks" file in the "trust_store" folder I had made, on my client project, and changing the VM properties to point to "cacerts.jks" instead of "keystore.jks". That got rid of the error. I guess all it needed was a CA cert to work.
This may not be ideal for production, or even for development beyond just getting something to work. For instance you could probably use "keytool" command to add CA certs to the "keystore.jks" file in the client. But anyway hopefully this at least narrows down the possible scenarios that could be going on here to cause the error.
ALSO: my approach seemed to be useful for the client (server cert added to client trust_store), it looks like the comments above to resolve the original post are useful for the server (client cert added to server trust_store). Cheers.
Eclipse project setup:
MyClientProject
src
test
JRE System Library
...
trust_store
---cacerts.jks
---keystore.jks
Snippet from MyClientProject.java file:
static {
// Setup the trustStore location and password
System.setProperty("javax.net.ssl.trustStore","trust_store/cacerts.jks");
// comment out below line
System.setProperty("javax.net.ssl.trustStore","trust_store/keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
//System.setProperty("javax.net.debug", "all");
// for localhost testing only
javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(new javax.net.ssl.HostnameVerifier() {
public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
return hostname.equals("localhost");
}
});
}
Wasted a lot of time on that issue. If you imported the certificate and you can see it listed here.
keytool -list -v -keystore $JAVA_HOME/lib/security/cacerts
Then create the new one, with the following command, replace SITE_NAME, SITE_PORT, CERTIFICATE_NAME and path to save file.
echo -n | openssl s_client -connect SITE_NAME:SITE_PORT \
| openssl x509 > /path/to/save/CERTIFICATE_NAME.cert
In my case, I experienced problem using Keycloak with Spring. After I created certificate with this command and imported to keystore, the problem was solved and it works fine
My problem was that a Cloud Access Security Broker, NetSkope, was installed on my work laptop through a software update. This was altering the certificate chain and I was still not able to connect to the server through my java client after importing the entire chain to my cacerts keystore. I disabled NetSkope and was able to successfully connect.
Check if the file $JAVA_HOME/lib/security/cacerts exists!
In my case it was not a file but a link to /etc/ssl/certs/java/cacerts and also this was a link to itself (WHAT???) so due to it JVM can't find the file.
Solution:
Copy the real cacerts file (you can do it from another JDK) to /etc/ssl/certs/java/ directory and it'll solve your problem :)
note for eclipse / Sts users:
Because eclipse uses its own JRE, you should add certs to its own JRE keystore.
I had this issue until I added certs to Sts's JRE.
SSL log:
`javax.net.ssl|DEBUG|1A|restartedMain|2021-12-06 23:04:00.874` IRST|TrustStoreManager.java:113|trustStore is: D:\sts-4.12.0.RELEASE\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.2.v20210721-1149\jre\lib\security\cacerts
This is the full path: "sts-4.12.0.RELEASE\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.2.v20210721-1149\jre\lib\security\cacerts"
In my case I was facing the problem because in my tomcat process specific keystore was given using
-Djavax.net.ssl.trustStore=/pathtosomeselfsignedstore/truststore.jks
Wheras I was importing the certificate to the cacert of JRE/lib/security and the changes were not reflecting.
Then I did below command where /tmp/cert1.test contains the certificate of the target server
keytool -import -trustcacerts -keystore /pathtosomeselfsignedstore/truststore.jks -storepass password123 -noprompt -alias rapidssl-myserver -file /tmp/cert1.test
We can double check if the certificate import is successful
keytool -list -v -keystore /pathtosomeselfsignedstore/truststore.jks
and see if your taget server is found against alias rapidssl-myserver
In my case, I was getting error connecting to AWS Gov Postgres RDS. There is a separate link for GOV RDS CA certs- https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem
Add this pem certs to cacerts of java. You can use below script.
------WINDOWDS STEPS-------
Use VSCODE editor and install openssl, keytool plugins
create a dir in C:/rds-ca
place 'cacerts' file and below script file - 'addCerts.sh' inside dir 'rd-ca'
run from vscode:
4.1 cd /c/rds-ca/
4.2 ./addCerts.sh
Copy cacerts to ${JAVA_HOME}/jre/lib/security
Script code:
#!/usr/bin/env sh
OLDDIR="$PWD"
CACERTS_FILE=cacerts
cd /c/rds-ca
echo "Downloading RDS certificates..."
curl https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem > rds-combined-ca-bundle.pem
csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{$(grep -c 'BEGIN CERTIFICATE' rds-combined-ca-bundle.pem | awk '{print $1 - 2}')}"
for CERT in xx*; do
# extract a human-readable alias from the cert
ALIAS=$(openssl x509 -noout -text -in $CERT |
perl -ne 'next unless /Subject:/; s/.*CN=//; print')
echo "importing $ALIAS"
keytool -import \
-keystore $CACERTS_FILE \
-storepass changeit -noprompt \
-alias "$ALIAS" -file $CERT
done
cd "$OLDDIR"
echo "$NEWDIR"
SSL mode
Happened to me because my config included sslmode=verify-full. You may need to change this to sslmode=require. Or a programatic equivalent of that.
This also applies to using SSL/TLS from applications.
For instance, a Database client in IntelliJ IDEA's. There you need to go to the connection properties, SSH/SSL tab, and set Mode to Require.
More about SSL/TLS modes e.g here: https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/
I created a ubuntu on my windows 10 laptop and I ran into issue when I was trying to load CMAK site download from https://github.com/yahoo/CMAK site. First it gave fatal ssl error.
openssl s_client -showcerts -servername github.com -connect github.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > github-com.pem
and use the following command (make sure you put right path for ca-cert)
cat github-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
Then use the following statement (make sure the path for cert is correct):
git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
Then I was able to download CMAK but ran into issue when i tried ./sbt clean statement. It was giving a pkix path error. The reason is that I do not have my company issue cert stored in my cacert file.
I have downloaded the company cert (google on how to do it) and followed this article to add my downloaded cert to cacert file. Used sudo update-ca-certificates one more time before ./sbt. It worked for me.
Note: You may have to switch between root and exit when you are following above steps.
This is what I did.
I wanted to develop the app on Java 10, and I had the Eclipse IDE 2020-06.
The cert import solution did not work for me.
So then I installed Java 11 JDK, switched to the latest Eclipse IDE (which runs on Java 11), and made sure that the source-code still gets compiled against the Java 10, by adding these statemements under Maven POM:
<maven.compiler.target>1.10</maven.compiler.target>
<maven.compiler.source>1.10</maven.compiler.source>
<maven.compiler.release>10</maven.compiler.release>
And it works like a charm; no errors.