I have a web service that had been working fine while we were on Java 7 version 75. We recently updated to Java 8 and now we are getting this error on the web service: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This is the full dump:
Charset [empty string]
ErrorDetail I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Filecontent Connection Failure
Header [empty string]
Mimetype Unable to determine MIME type of file.
Responseheader ws dump - struct [empty]
Statuscode Connection Failure. Status code unavailable.
Text YES
We have updated the certificates and the certificates have been re-imported in the correct key store and verified it's there using keytool -list and restarted, but still get the authentication error.
I see this is usually fixed by re-installing the certificate but that hasn't worked. Many suggestions to fix this error recommended installing Certman in CF Admin. We installed it and imported the certificates, but still the same error. Our workaround is rolling back to Java 7 version 75 so this web service works, but we need to update to the latest version of Java soon so our charts can work again and obviously for security reasons. Any suggestions?
Stats:
Java Dev Kit 8 v 60,
ColdFusion 10 hotfix 17,
Windows Server 8
****UPDATE*****
After reading Sean Coyne's answer below I talked to our Network Admins. They had already copied the tools.jar file into the lib folder. They deleted the stubs folder and restarted the CF server, but we still got the same error. I visited with them and they showed me that the certificates were indeed in the keystore.
As described here: https://helpx.adobe.com/coldfusion/kb/coldfusion-mx-troubleshooting-scheduled-tasks.html
We added some debugging to jvm.config as I ran the web service. The debugging pointed out that the handshake with one of the certificates was invalid. What the heck!
I asked if we could see the certs in the Certificate Manager in CF Admin. It was NOT installed after all. So the NA installed the CertMan add on in CF Admin. After importing the certificates using CertMan and restarting the CF server, the web service worked after that.
I think doing what Sean Coyne suggested below AND making sure CertMan was installed so we could import the certificates was what fixed it for us.
You may need to delete the stubs. These are in [cfroot]/cfusion/stubs. Just stop CF, delete all the files in that directory and start CF again.
Also, you will want to copy the tools.jar file from your JDK installation into the lib folder at [cfroot]/cfusion/lib/tools.jar. Backup the existing tools.jar file first then copy from [jdk root]/lib/tools.jar.
Reference: http://blogs.coldfusion.com/post.cfm/coldfusion-10-and-11-support-with-java-8
I'm trying to mock okta (using okta-jwt-helper - v0.5.0). Here I need the url to be like https://someUrl.com, thus I'm using karate-netty FeatureServer with ssl true. This is how I'm starting and stopping the server in #BeforeClass & #AfterClass respectively, in the runner:
private static FeatureServer oktaServer;
oktaServer = FeatureServer.start(oktaMockFile, 3010, true, null);
oktaServer.stop();
Server is started and cert.pem and key.pem files are generated in target folder. But when I'm trying to reach https://localhost:3010/somePath , I'm getting this error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I tried using both karate 0.9.3 & 0.9.6 and I'm using java8, jdk1.8.0_261.jdk and maven3.
Solutions already tried:
I tried adding cert.pem to keytool but that didn't help, as the certificates would be replaced and regenerated by karate after every mvn clean install.
I tried adding local_policy.jar and US_export_policy.jar to $JAVA_HOME/jre/lib/security/ but that too didn't help.
I also tried adding http-client and http-core dependencies as suggested to avoid dependency conflicts.
Can someone help me figure out what I am doing wrong, or is there maybe any setup required to use FeatureServer with the ssl boolean set to true?
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
As per the above exception, the server's identity is not being validated by the client. It happens when you don't have the server's root and intermediate certificates in the underlying client's truststore, which is going to be used to verify the server's identity.
Following is the case when your program is using the Java truststore.
By default, Java uses the cacerts truststore, which can usually be found at JAVA_HOME/jre/lib/security/cacerts on Windows.
The default password to access that truststore is changeit. Get the root and intermediate certificates and add them into the store by using utilities such as keytool.
I am trying to crawl seed urls that are http/https,
but for a few https urls I get the error below:
FetcherThread INFO api.HttpRobotRulesParser (168) - Couldn't get robots.txt for https://corporate.douglas.de/investors/?lang=en: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
On the other hand, https://www.integrafin.co.uk/annual-reports/ is crawled perfectly fine.
Below is my configuration:
plugin.includes
protocol-http|urlfilter-regex|parse-(html|tika|text)|index-(basic|anchor|more|static|links)|indexer-solr|scoring-opic|urlnormalizer-(pass|regex|basic)|urlmeta|language-identifier
I think you need to put the certificate of server https://corporate.douglas.de/investors/?lang=en in the "cacerts" file of the JVM that runs your code.
First, download the certificate using Chrome:
Then, click on the "Details" tab and then on the "Copy to file" button.
In the wizard, select the option "DER binary.... (.CER)".
Now, you can use the tool "portecle" (http://portecle.sourceforge.net/) to add the certificate to the cacerts file in your JVM, following these steps: http://portecle.sourceforge.net/import-trusted-cert.html
Hope it works for you.
You could try using a more recent version of Nutch, or compile directly from master, and then give a try to the http.tls.certificates.check setting, from (https://github.com/apache/nutch/pull/388). This will essentially allow you to skip the TLS/SSL verification.
This may look like a duplicate but it is not.
I added the certificate from the ssl endpoint to my cacerts file. I verified its added. I restarted the jvm and my computer, but I still get unable to find valid certification path to requested target exception.
In addition to adding the certificate from the ssl endpoint the following helped me fix the issue. I added this system property in my code and it helped me navigate to the required secured endpoint.
System.setProperty("javax.net.ssl.trustStore", "path/to/cacerts");
However, the above one works for local. While doing it for prod deployment, I moved the cacerts to my project and changed the path to cacerts to the one in my project. This way it worked for both remote and local endpoints.
Azure java SDK gives ->
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ApplicationTokenCredentials credentials = new ApplicationTokenCredentials(options.getClientId(), options.getTenantId(), options.getClientSecret(), AzureEnvironment.AZURE);
subscriptionIds.forEach((subscriptionId) -> {
    Azure azure = Azure.authenticate(credentials).withSubscription(subscriptionId);
    ResourceGroups resourceGroups = azure.resourceGroups();
    for (ResourceGroup resourceGroup : resourceGroups.list()) {
        for (VirtualMachine virtualMachine : azure.virtualMachines().listByGroup(resourceGroup.name())) {
            logger.info(virtualMachine.name());
        }
    }
});
I get this error when for(ResourceGroup resourceGroup : resourceGroups.list()) is executed.
Looking on the net, I added the certificate of management.azure.com to the keystore, but that also didn't work.
It looks like Azure establishes the connection, which is why the ResourceGroups are not empty. But I don't know why it gives the error later.
Just per my experience, please make sure that the Java security policy files for Unlimited Cryptography are added for that specific version of Java. If not, please follow the steps below to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, which are required to use PGP encryption and may be required by some connectors.
Download the files and instructions for Java 7 or Java 8.
Locate the <JAVA_HOME>\jre\lib\security directory for the Java instance that the Atom is using. For example, this location might be: C:\Program Files\Java\jre8\lib\security.
Remove the following .jar files from this directory: local_policy.jar and US_export_policy.jar.
Replace these two files with the .jar files included in the JCE Unlimited Strength Jurisdiction Policy Files download.
Try running your code again to check whether the issue still exists.
I have a simple java application which is running in my local machine which connects to some URLs. When I connect to https urls I get the Error "Unable to find certification path ..". Following the steps mentioned in other websites I exported the certificate from my browser saved it and then imported it into my cacerts keystore using the keytool command.
This worked initially for some remote website URLs. But when the URL began with "https:localhost:8083" I am still getting the same exception! Even though I followed all the steps.
Any help?