How to Fix javax.net.ssl.SSLHandshakeException: unable to find valid certification path to requested target in Java

Hello guys, this is one of the most common errors in client-server applications. The hard part of solving it is not the error itself but understanding how the client-server SSL handshake works. I have blogged about that before, and if you have read that post you know that in order to connect to any website or server (like an LDAP server) using SSL, you need to have certificates (public keys) to validate the certificate sent by the website you are connecting to. If the root certificate or public key required to validate the certificate presented by the server is not in your JRE truststore, Java will throw this error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
 PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
 unable to find valid certification path to requested target

In order to solve this error, just add the root certificate required to connect to the server in question into the truststore of your application's JRE.

If you don't know, the JVM uses two files, keystore and truststore, to store SSL certificates. The keystore is generally used by the server and contains both private and public keys, while the truststore is generally used on the client side and contains the public key of the server.

One more challenge for beginners is finding out which version of the JRE their application is using and what its path is. This is very important because you need to ascertain which truststore your application is using. Is it using the default truststore that comes with the JRE, or does it have its own truststore?

It's possible to instruct the JVM to pick an alternative truststore by using some JVM arguments. For example, if you want your Tomcat to pick certificates from a specific truststore, you can add the following lines to the CATALINA startup files:
 -Djavax.net.ssl.keyStore=%CLIENT_CERT%
 -Djavax.net.ssl.keyStorePassword=changeit
 -Djavax.net.ssl.trustStore=%CLIENT_CERT%
 -Djavax.net.ssl.trustStorePassword=changeit


Once you have ascertained which JRE and truststore your Java application is using, the next step is to upgrade the root certificate in the truststore. See these free Java Programming courses to learn more about truststore and keystore and other security features of Java.


How do you get the root certificate? Well, the Java cacerts file that comes with the JRE already contains the root certificates of most public CAs (certificate authorities) such as Verisign and Thawte. If you are connecting to an internal server, you need the root certificate issued by your company. You can talk to your SSL admins or infra team about that.

Once you have the root certificate, generally a file named something like abc.cer, you can use the keytool command to add it to the truststore used by your application, like cacerts from the JRE/security/lib folder.

You can use the following keytool command to add certificates to a keystore/truststore:

$ keytool -import -alias ca -file /tmp/root_cert.cer -keystore cacerts

Enter the password as changeit; this is the default password for cacerts from the JRE.

Now, your issue should be sorted.

Remember, though, to replace the certificate in your truststore when the server upgrades its certificate. For example, one user recently reported that their company migrated from SHA-1 certificates to SHA-2 certificates, and the application started seeing this error until he added the SHA-2 certificates to its truststore.
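
A check for the two points above, which truststore the JVM actually reads and whether the new root certificate is in it, as an added example rather than code from the original post. The class name TrustStoreCheck is made up for the example, /tmp/root_cert.cer is the file from the keytool command above, and lib/security under java.home is the standard JRE location of cacerts.

```java
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;

// Hypothetical helper: reports the truststore this JVM would use and whether a root cert is in it.
public class TrustStoreCheck {
    // Same lookup order JSSE uses by default: the system property, then jssecacerts, then cacerts.
    static Path effectiveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null && !explicit.isEmpty()) return Paths.get(explicit);
        Path dir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = dir.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : dir.resolve("cacerts");
    }

    static String sha256(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return String.format("%064x", new BigInteger(1, digest));
    }

    public static void main(String[] args) throws Exception {
        Path certFile = Paths.get(args.length > 0 ? args[0] : "/tmp/root_cert.cer");
        Path store = effectiveTrustStore();
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        X509Certificate root;
        try (InputStream in = Files.newInputStream(certFile)) { // accepts DER or PEM
            root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(store)) {
            ts.load(in, pw == null || pw.isEmpty() ? null : pw.toCharArray()); // no password: no integrity check
        }
        String alias = ts.getCertificateAlias(root); // null when the certificate is not in the store
        System.out.println("truststore : " + store.toAbsolutePath() + " (" + ts.size() + " entries)");
        System.out.println("subject    : " + root.getSubjectX500Principal().getName());
        System.out.println("sig alg    : " + root.getSigAlgName()); // e.g. SHA1withRSA or SHA256withRSA
        System.out.println("expired    : " + root.getNotAfter().before(new Date()) + " (notAfter " + root.getNotAfter() + ")");
        System.out.println("sha-256    : " + sha256(root)); // compare with the value your SSL admins give you
        System.out.println("trusted as : " + (alias != null ? alias : "NOT PRESENT in this truststore"));
        System.exit(alias != null ? 0 : 1);
    }
}
```

Run it with the same java binary and the same -Djavax.net.ssl.* options as the failing application, before and after the keytool import. Compare the printed SHA-256 fingerprint with the one your SSL admins give you before adding the file to a truststore.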



6 comments:

  1. Thanks for the post. Issue has been resolved.
  2. I got keystore.jks and trustore.jks
    And I don't know what alias I have used when I created the certificate
    I got one more file .p12 and its key but I don't have much knowledge on SSL and HTTPS so please redirect me to some good sources.
    Thank you.
  3. Thanks for your help.
  4. these are everywhere and they don't help this was a waste of ur time to type
  5. I was scrolling the web for an explanation as such and thankfully found yours. Thank you