Resolving Javax.Net.Ssl.Sslhandshakeexception: Sun.Security.Validator.Validatorexception: Pkix Path Building Failed Error

Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

You need to add the certificate for App2 to the truststore file of the used JVM located at $JAVA_HOME\lib\security\cacerts.

First you can check if your certificate is already in the truststore by running the following command:
keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts" (you don't need to provide a password)

If your certificate is missing, you can get it by downloading it with your browser and add it to the truststore with the following command:

keytool -import -noprompt -trustcacerts -alias <AliasName> -file   <certificate> -keystore <KeystoreFile> -storepass <Password>

Example:

keytool -import -noprompt -trustcacerts -alias myFancyAlias -file /path/to/my/cert/myCert.cer -keystore /path/to/my/jdk/jre/lib/security/cacerts/keystore.jks -storepass changeit

After import you can run the first command again to check if your certificate was added.

Sun/Oracle information can be found here.

PKIX path building failed and unable to find valid certification path to requested target

1. Go to URL in your browser:

• firefox - click on HTTPS certificate chain (the lock icon right next to URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pickup the name and choose file type example.cer
• chrome - click on site icon left to address in address bar, select "Certificate" -> "Details" -> "Export" and save in format "Der-encoded binary, single certificate".

2. Now you have file with keystore and you have to add it to your JVM. Determine location of cacerts files, eg.
   C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.

3. Next import the example.cer file into cacerts in command line (may need administrator command prompt):

keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer

You will be asked for password which default is changeit

Restart your JVM/PC.

source:
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

The SSL certificate isn't trusted by Java. The certificate may be self-signed, or it may be signed by a CA (Certificate Authority) whose root certificate is not in the Java certificate store.

Add the code to trust the certificate provided by host. Import the certificate before consuming the URL.

Just add below code to trust the certificate

TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return null;
    }
    public void checkClientTrusted(
        java.security.cert.X509Certificate[] certs, String authType) {
    }
    public void checkServerTrusted(
        java.security.cert.X509Certificate[] certs, String authType) {
    }
}};

   try {
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    } catch (Exception e) {
    }

// Add your code below

javax.net.ssl.SSLHandshakeException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilder
Exception:

This is not a spring boot related issue. I figured out the issue was with JDK. Default Oracle version installed in the system added wrong JRE path to environment variable. I have pointed it to correct JDK version and imported certs there. That resolved the issue. Thank you @Jens for the helpful input.

How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilder
Exception?

If you want to ignore the certificate all together then take a look at the answer here: Ignore self-signed ssl cert using Jersey Client

Although this will make your app vulnerable to man-in-the-middle attacks.

Or, try adding the cert to your java store as a trusted cert.
This site may be helpful.
http://blog.icodejava.com/tag/get-public-key-of-ssl-certificate-in-java/

Here's another thread showing how to add a cert to your store.
Java SSL connect, add server cert to keystore programmatically

The key is:

KeyStore.Entry newEntry = new KeyStore.TrustedCertificateEntry(someCert);
ks.setEntry("someAlias", newEntry, null);

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Flutter

I solved my problem by updating Gradle to its latest version.(7.1.2 -> 7.1.3)

To update Gradle, edit following line in /{app}/android/build.gradle and change the version.

    dependencies {
        classpath 'com.android.tools.build:gradle:7.1.3'
    }

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException error

Your client sits behind a firewall and does HTTPS-requests through a proxy that is dynamically generating SSL-certificates for the sites being contacted in order to eavsdrop on the data being exchanged. You can see that by the issuer of the "Google-certificate" you're checking:

Issuer: C=DE, CN=AXA-DE-Proxy-Issuing-CA17, OU=IF-NDSG, O=AXA Technology Services Germany

Java has its own root-CA-keystore where standard certificate checks are looking for trusted root CAs and your eavsdropper's root certificate is obviously missing there.

To get rid off this error and let the java client falsely assume that the certificate is signed by a trusted CA, you need to add the CAs root certificate to the root keystore of Java. Another solution is to establish the SSL-connection using your own TrustManager. You do that by using your own SSLContext where you set trust- and keymanagers yourself.

The former needs to be done with every Java installation, the latter works within in the application.

---

Related Topics