javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hello guys, this is one of the common error in a client-server application. The big problem in solving this error is not the error but the knowledge of how client-server SSL handshake works. I have blogged about that before and if you have read that you know that in order to connect to any website or server (like LDAP Server) using SSL, you need to have certificates (public keys) to validate the certificates sends by the website you are connecting. If you don't have the root certificate or public key, which is required to validate the certificate presented by the server in your JRE truststore then Java will throw this error.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In order to solve this error, just add the root certificate required to connect to the server in question into truststore of your application's JRE.

If you don't know, JVM uses two files, keystore and truststore to store the SSL certificates. keystore is generally used by the server and it contains both private and public key, while truststore is generally used on client-side and contains the public key of the server.

One more challenge here could be for beginners to find which version of JRE their application is using and what is the PATH for it. This is very important because you need to ascertain which trust store your application is using? Is it using default truststore coming with JRE? or it has its own truststore created?

It's possible to instruct JVM to pick an alternative truststore by using some JVM arguments. For example, if you want your Tomcat to pick certificates from a specific truststore, you can add the following lines into CATALINA startup files:

  -Djavax.net.ssl.keyStore=%CLIENT_CERT% 
  -Djavax.net.ssl.keyStorePassword=changeit 
  -Djavax.net.ssl.trustStore=%CLIENT_CERT% 
  -Djavax.net.ssl.trustStorePassword=changeit


Once you ascertain that which JRE and truststore your Java application is using, the next step is to upgrade the root certificate on the truststore. See The Complete Java Masterclass to learn more about truststore and keystore and other security features of Java.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


how do you get the root certificate? Well, your Java cacerts which comes along JRE already contains the root certificate for most of CA (Certificate authority) which is acting in public domain like Verisign, Thwate, if you are internally connecting to one of the servers, you need the root certificate issued by your company. You can talk to your SSL admins or Infra team for that.

Once you got the root certificate, generally a file with something abc.cer, you can use the keytool command to add that certificate into truststore used by your application like cacerts from JRE/security/lib folder.

You can use the following keytool command to add certificates into keystore/truststore :

$ keytool -import -alias -ca -file /tmp/root_cert.cer -keystore cacerts

enter the password as changeit, this default password for cacerts from JRE.

Now, your issue should be sorted.

Though, you need to remember to replace the certificate in your truststore when the server does the certificate upgrade. For example, Recently, one of user reported that their company migrated from SHA-1 certificate to SHA-2 certificate and it started seeing this error until he added the SHA-2 certificates on the trust store of his application.

Further Learning
Complete Java Masterclass
Java Fundamentals: The Java Language
Java In-Depth: Become a Complete Java Engineer!


Other Java error and exception guides you may like
  • How to fix "illegal start of expression" compile time error in Java? (tutorial)
  • 7 Common Socket Errors and Exception in Java Application (article)
  • How to solve java.lang.ClassNotFoundException: com.mysql.jdbc.Driver error? (hint)
  • How to fix Caused By: java.lang.NoClassDefFoundError: org/apache/log4j/Logger (solution)
  • How to fix "Error: Could not find or load main class" in Eclipse? (guide)
  • 10 common reasons of java.lang.NumberFormatException in Java? (tutorial)
  • How to avoid ConcurrentModificationException in Java? (tutorial)
  • How to connect to MySQL database in Java? (tutorial)
  • java.sql.BatchUpdateException: Error converting data type float to numeric - Java + SQL Server  (solution)
  • How to solve "could not create the Java virtual machine" error in Java? (solution)
  • java.lang.ClassNotFoundException: org.apache.commons.logging.LogFactory error (solution)
  • Cause and solution of "class, interface, or enum expected" compiler error in Java? (fix)
  • java.sql.SQLException: No suitable driver found for 'jdbc:mysql://localhost:3306/mysql [Solution]
  • How to solve java.lang.classnotfoundexception oracle.jdbc.driver.oracledriver? (solution)
  • How to fix 'javac' is not recognized as an internal or external command (solution)
  • How to solve "variable might not have initialized" compile time error in Java? (answer)
  • java.sql.SQLServerException: The index 58 is out of range - JDBC (solution)
  • How to solve java.sql.BatchUpdateException: String or binary data would be truncated (guide)
  • Fixing java.lang.unsupportedclassversionerror unsupported major.minor version 50.0 (solution)
  • How to solve java.lang.OutOfMemoryError: Java Heap Space in Eclipse, Tomcat? (solution)
  • 25 Exception Interview Questions for Java Programmers (list)
  • Common reasons of java.lang.ArrayIndexOutOfBoundsException in Java? (solution)
  • java.lang.ClassNotFoundException : org.Springframework.Web.Context.ContextLoaderListener (solution)

Thanks for reading this article so far. If you like this article then please share with your friends and colleagues. 

P. S. - If you want to learn more about Security in Java, I suggest you check the Understanding the Java Virtual Machine: Security course on Pluralsight.

No comments:

Post a Comment