
unable to find valid certification path to requested target

January 19th, 2011

PROBLEM:

unable to find valid certification path to requested target

Error in server.log (Java/GlassFish):
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:325)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:219)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
… 66 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To install a certificate into Java (reference):

# java InstallCert www.experianmarketing.com.br
Loading KeyStore jssecacerts…
Opening connection to www.experianmarketing.com.br:443…
Starting SSL handshake…

No errors, certificate is already trusted

1 Subject CN=wzxzxcrasa S.A., L=Sao Paulo, ST=SP, C=BR
Issuer  CN=SerasaACGlobal, OU=Serasa Autoridade Certificadora Global, O=Serasa, C=BR
sha1    2c 21 f4 f3sd0 65 b0 a9 6c 83 dd d6 8c 06 8d 1d dd ca
md5     6c 60 7e 3c 6f 98 dd 59 4a 92 9e b2 42 72 07 3b

2 Subject CN=SerasaACGlobal, OU=Serasa Autoridade Certificadora Global, O=Serasa, C=BR
Issuer  C=BE, O=GlobalSign nv-sa, OU=RootSign Partners CA, CN=GlobalSign RootSign Partners CA
sha1    73 67 74 c2 ed 1d e0 31 a3 cf f8 1d d5 bb 26 4f cd d1 08 6e
md5     f7 36 92 e4 b0 23 cb 5c f2 fd ed fb 26 3c 49 74

Keytool manual page

Manually importing the .cer or .crt files:
keytool -importcert -keystore "/usr/jdk1.6.0_21/jre/lib/security/jssecacerts" -trustcacerts -alias "GlobalSign RootSign Partners CA" -file gspartner2008.cer

Note:
My $JAVA_HOME is "/usr/jdk1.6.0_21/"; adjust it for your environment (check with: echo $JAVA_HOME)
Another place could be: "/usr/jdk1.6.0_21/jre/lib/security/cacerts"

GlassFish uses cacerts.jks and keystore.jks:
/usr/local/GlassFishESBv22/glassfish/domains/domain1/config/cacerts.jks
/usr/local/GlassFishESBv22/glassfish/domains/domain1/config/keystore.jks
/usr/local/GlassFishESBv22/glassfish/domains/domain1/jbi/components/sun-rest-binding/install_root/keystore.jks

To list the currently installed certificates:
keytool -list -keystore /usr/local/GlassFishESBv22/glassfish/domains/domain1/config/keystore.jks
password: changeit

To delete certificates:
keytool -delete -alias "www.experianmarketing.com.br" -keystore "/usr/local/GlassFishESBv22/glassfish/domains/domain1/config/cacerts.jks" -storepass changeit

I was still getting errors like:
javax.net.ssl.SSLException: HelloRequest followed by an unexpected  handshake message
java.lang.reflect.InvocationTargetException

Solution:

After trying all things and still not being able to make it work, I ended up using a workaround.
Disabling all SSL errors

The command-line version works again after adding:
java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

Or add this JVM option:

"-Dsun.security.ssl.allowUnsafeRenegotiation=true"

Great reference
