sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The Problem

There are plenty of posts on this problem throughout the Internet.  However, I found very few of them useful.  When you come across this exception you really need to understand the problem in order to implement a solution.

If you’re seeing this error then you’re probably running a Java web server such as JBoss, WebLogic, or others.

In my experience the problem is this:

Your application is trying to connect to a URL via HTTPS (i.e., SSL).

Even though the site you’re trying to connect to has an SSL certificate, the certificate authority (CA) that issued it is not recognized by Java.  In general, Java recognizes popular CAs such as VeriSign and GoDaddy; you can check which ones by running the keytool utility on the cacerts file, which is located in %JAVA_HOME%\lib\security.

What should developers do?

You need to determine the CA of the SSL certificate.  You can typically do this by going to the site via a web browser and clicking on the lock button.  Then you need to navigate to the CA’s website and download the corresponding Root certificate (typically a .crt file).

Then you need to run the keytool utility to add the certificate to the cacerts file.  Be sure to use a unique alias.

Here is an example:

keytool -import -alias gdroot-g2 -file gdroot-g2.crt -keystore cacerts -trustcacerts

Restart the web server and you should be fine.
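
To confirm that the import landed in the trust store the web server's JVM actually reads, here is an added example (not part of the original post) that checks a root certificate file against the running JVM's default trust anchors. The class name TrustAnchorCheck is made up for this example, and it assumes the server relies on the JVM's default trust store (the javax.net.ssl.trustStore property if set, otherwise jssecacerts or cacerts under lib/security) rather than one configured in the server itself.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck {
    // SHA-256 fingerprint of the certificate's DER encoding, as 64 hex digits.
    static String sha256(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return String.format("%064x", new BigInteger(1, d));
    }

    // True if the certificate is a trust anchor of this JVM's default trust store.
    static boolean isTrustedByDefault(X509Certificate candidate) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        String wanted = sha256(candidate);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate anchor : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (sha256(anchor).equals(wanted)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustAnchorCheck <root-certificate-file>");
            System.exit(2);
        }
        X509Certificate root;
        try (InputStream in = new FileInputStream(args[0])) { // PEM or DER
            root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("java.home : " + System.getProperty("java.home"));
        System.out.println("subject   : " + root.getSubjectX500Principal().getName());
        System.out.println("sha256    : " + sha256(root));
        boolean trusted = isTrustedByDefault(root);
        System.out.println("trusted by this JVM: " + trusted);
        System.exit(trusted ? 0 : 1);
    }
}
```

Run it with the same java binary and the same -Djavax.net.ssl.trustStore setting (if any) as the web server, and compare the printed SHA-256 with the fingerprint the CA publishes for its root. A result of false after a successful keytool import usually means the certificate went into a different cacerts file than the one java.home points to.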

What should developers not do?

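There are many posts out there that tell you how to implement a trust manager and/or a custom hostname verifier to get around this problem.  Please do not do that.  The trust managers and hostname verifiers in those posts typically accept any certificate or any host name, which switches off the very checks that let HTTPS detect an impostor server.  You really want to fix this problem correctly, especially if it is going into a production environment.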

Final Thoughts

It is tempting to implement a quick fix and add a TODO.  We all know what that means.  Days, weeks, months, maybe years go by and the TODO is still there.
