Decoding sun.security.validator.ValidatorException: PKIX path building failed

When one server connects to another server, we tend to get this error.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This error occurs when your Java code tries to access a URL hosted on a different server. Java needs to have that server's certificates added to its 'cacerts' trust store; it can then build a valid certification path to the server, treat it as trusted, and establish the connection.

Where are certificates kept –

%JAVA_HOME%\lib\security\cacerts

How to check if servers are getting identified –

keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

It lists all the certificates in the keystore.

What error you might get with keytool and how to fix it –

Error  — find: keytool: No such file or directory

Fix — keytool is located at "%JAVA_HOME%\jre\bin". For the OS to find it, either add that directory to the PATH or go to "%JAVA_HOME%\jre\bin" and run it from there.

 

How to add the certificates –

Use either of the following ways to do this:

1) Get the certificates (.cer file(s)) from the server admin, to be added to the cacerts file on your local machine.

2) keytool -importcert -trustcacerts -alias ALIASNAME -file PATH_TO_FILENAME_OF_THE_INSTALLED_CERTIFICATE -keystore PATH_TO_CACERTS_FILE -storepass changeit

Or, to skip the confirmation prompt:

keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>

On Linux, if you have multiple certs to add, you can use a for loop to do that –

for i in *; do /data/apps/endeca/ToolsAndFrameworks/latest/server/j2sdk/bin/keytool -importcert -alias "$i" -file "$i" -keystore /data/apps/endeca/ToolsAndFrameworks/latest/server/j2sdk/jre/lib/security/cacerts; done

# It will prompt for the password. Enter the password provided with the certificate by the admin (generally the password is 'changeit'). When asked whether to trust the cert, type yes. If it already exists, type no.
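A more defensive version of the loop above, as an added example that is not from the original post: it imports only *.cer files, skips aliases that are already in the keystore, and logs each certificate's SHA-256 fingerprint so it can be compared with the value given by the server admin. The KEYTOOL variable and the import_certs function are names introduced here, and using the file name as the alias is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. KEYTOOL and import_certs are
# names introduced here; set KEYTOOL to the full keytool path if needed.
KEYTOOL="${KEYTOOL:-keytool}"

# import_certs CERT_DIR KEYSTORE STOREPASS
# Imports every *.cer file in CERT_DIR, using the file name without ".cer"
# as the alias. Prints "imported=N skipped=N failed=N" on stdout and
# returns non-zero if any import failed.
import_certs() {
    cert_dir=$1
    keystore=$2
    storepass=$3
    imported=0
    skipped=0
    failed=0

    for cert in "$cert_dir"/*.cer; do
        # If nothing matches, the pattern stays literal: skip it.
        [ -f "$cert" ] || continue
        alias_name=$(basename "$cert" .cer)

        # "keytool -list -alias" exits non-zero when the alias is absent.
        if "$KEYTOOL" -list -alias "$alias_name" -keystore "$keystore" \
                -storepass "$storepass" >/dev/null 2>&1; then
            skipped=$((skipped + 1))
            continue
        fi

        # -noprompt skips the interactive trust question, so log the SHA-256
        # fingerprint on stderr for comparison with the admin's value.
        "$KEYTOOL" -printcert -file "$cert" 2>/dev/null | grep 'SHA256' >&2 || true

        if "$KEYTOOL" -importcert -noprompt -trustcacerts \
                -alias "$alias_name" -file "$cert" \
                -keystore "$keystore" -storepass "$storepass" >/dev/null 2>&1; then
            imported=$((imported + 1))
        else
            failed=$((failed + 1))
        fi
    done

    echo "imported=$imported skipped=$skipped failed=$failed"
    [ "$failed" -eq 0 ]
}
```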
