Certificate Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We have installed a Let's Encrypt certificate on the webservers in our Azure and AWS environments. We are not having any issues accessing the URL through a web browser. But we are having issues accessing the URL through a Java client for the AWS environment.

It is the same code base, so we are not sure why we are getting a certificate validation error in AWS for the Java client but not in the Azure environment.

We have a workaround in the link below to avoid this issue. But of course, we are not able to answer the question of why it is failing in the AWS environment.

https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification

Error details: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Do we need to do anything different on the AWS environment for the webserver so that Java clients are able to access the certificate?

Hi @nag.bandla,

What version of the JVM is your client code using? You’ll note on our certificate compatibility page we mention compatibility problems with Java 7 less than version 7u111 and Java 8 less than version 8u101.

It would be helpful if you could provide the URL of the AWS instance you’re having trouble with.

Hi,

Thank you so much for responding.

We are using Java 8u121 for the client, the latest runtime that is available on the Oracle site.
The following is the URL for AWS.
https://owg1sync.com

We tried replacing our client cacerts file with the Java 8u121 cacerts file. But no luck. It still throws the same error. It's kind of confusing.

C:\Program Files\Java\jdk1.8.0_121\jre\lib\security>grep "Let" cacerts_out.txt
There is nothing here, but it has information about its root certificate authority “DST Root CA X3”

–> We have created a cacerts file by adding the Let's Encrypt certification information (which was downloaded from the browser)

C:\Program Files\Java\jdk1.8.0_121\jre\lib\security>grep "Let" cacerts_letsencrypt_out.txt
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

With this, the Java client works well… I am not able to follow, how it will work with Java8u 121 if we do not have Let’s Encrypt Authority information.

##############################################################################
C:\Program Files\Java\jdk1.8.0_121\jre\lib\security>ls
US_export_policy.jar blacklisted.certs cacerts_letsencrypt cacerts_out.txt java.security local_policy.jar
blacklist cacerts cacerts_letsencrypt_out.txt java.policy javaws.policy trusted.libraries

C:\Program Files\Java\jdk1.8.0_121\jre\lib\security>grep "DST" cacerts_out.txt
Owner: CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.

C:\Program Files\Java\jdk1.8.0_121\jre\lib\security>grep "Let" cacerts_out.txt

C:\Program Files\Java\jdk1.8.0_121\jre\lib\security>grep "DST" cacerts_letsencrypt_out.txt
Owner: CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
[URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
Owner: CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.

C:\Program Files\Java\jdk1.8.0_121\jre\lib\security>grep "Let" cacerts_letsencrypt_out.txt
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

#####################################################################################################

Hi again @nag.bandla,

Looking at your website I think the problem is in fact totally unrelated to Java! You can see with ssllabs testing tool that your website is returning an incomplete certificate chain.

You'll need to update your webserver to return the full certificate chain. If you're using Certbot to request the certificates it saves this as "fullchain.pem".

This server supports anonymous (insecure) suites (see below for details). Grade set to F.

The test tool also flagged this separate issue that you should look into fixing. I would definitely recommend disabling all of the anonymous ciphersuites.

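An added example (not part of the original thread) that reproduces the incomplete-chain failure diagnosed above, offline: a client trusting only the root rejects a server that sends just its leaf certificate, accepts leaf plus intermediate (what Certbot saves as fullchain.pem), and also accepts the leaf alone once the intermediate is added to the trust store, which is why the modified cacerts file worked. All certificate and file names except fullchain.pem are constructed, and `openssl verify` stands in for the Java client's path building.

```bash
#!/usr/bin/env bash
# Added example. Throwaway three-tier PKI; every name here is constructed.

# issue <dir> <name> <CN> <extfile> [issuer-name]; no issuer => self-signed root
issue() {
  local d=$1 n=$2 cn=$3 ext=$4 ca=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -set_serial 1 -days 2 -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

# make_demo_pki <dir>: root -> intermediate -> leaf, plus the files a server
# could send (leaf.pem or fullchain.pem) and a trust store with the intermediate.
make_demo_pki() {
  local d=$1
  # Minimal request config; -subj overrides the CN given here.
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=x\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  issue "$d" root "Demo Root CA" "$d/ca.ext" &&
  issue "$d" int "Demo Intermediate CA" "$d/ca.ext" root &&
  issue "$d" leaf "demo.example" "$d/leaf.ext" int &&
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem" &&
  cat "$d/root.pem" "$d/int.pem" > "$d/root_plus_int.pem"
}

# presented_chain_verifies <trust.pem> <sent.pem>
# sent.pem = what the server sends (leaf first). The verifier may only use
# certificates it already trusts or was sent; nothing is fetched.
presented_chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  local d r pair; d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  for pair in root.pem:leaf.pem root.pem:fullchain.pem root_plus_int.pem:leaf.pem; do
    r=FAIL; presented_chain_verifies "$d/${pair%%:*}" "$d/${pair#*:}" && r=OK
    echo "trust=${pair%%:*} server_sends=${pair#*:} -> $r"
  done
  rm -rf "$d"
}
demo
```

Of the two passing cases, the server-side one (send the full chain) fixes every client at once, while the trust-store one has to be repeated on each client.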

Thank you so much.
I have made a few modifications to the web server. Now it looks good, as it's showing grade 'A'. But I am not an expert, can you please confirm whether it is okay? And my problem also looks to have disappeared.


Looks good to me. Glad to hear you solved your initial problem :trophy: :medal:

Thank you for your help !!!
