CertPathValidatorException Error

I'm looking for help with this error:
java.security.cert.CertPathValidatorException
This is the full error:
Unable to download from feedUrl.: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed:

I have a feed link from my site to another. It has worked for a long time. My cert expired, as it has done before. This happened. I updated it and the issue has stayed.

Does anyone have any insight into how I can fix this?
Thank you

2 Likes

Do you need to restart the service that uses the cert?

5 Likes

Thank you for the reply. ..
What does that mean? The site is hosted on GoDaddy...

1 Like

Let's start over:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my ACME client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

7 Likes

Domain: https://rokuadmin.digitaltexas.com
|cPanel Version |102.0 (build 24)|
|Apache Version |2.4.54|
|PHP Version |7.4.33|
|MySQL Version |5.6.51-cll-lve|
|Architecture |x86_64|
|Operating System |linux|
|Shared IP Address |160.153.90.65|
|Path to Sendmail |/usr/sbin/sendmail|
|Path to Perl |/usr/bin/perl|
|Perl Version |5.10.1|
|Kernel Version |2.6.32-954.3.5.lve1.4.89.el6.x86_64|

My site sends a JSON link out to ROKU. It has worked for years. A few weeks ago it stopped and that site gave this error:
Unable to download from feedUrl.: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed:

This is from the responses.txt:
HTTP/2 200
server: nginx
date: Wed, 14 Dec 2022 19:07:30 GMT
content-type: application/json
content-length: 556
boulder-requester: 79683324
cache-control: public, max-age=0, no-cache
link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
link: https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf;rel="terms-of-service"
replay-nonce: B37C4pT-MQTqm8by8OoFS2dPWKz_6S96dKwA3UvqRn6WZQw
x-frame-options: DENY
strict-transport-security: max-age=604800

This is from certsage.php:
CertSage (support@griffin.software)
Copyright 2021 Griffin Software (https://griffin.software)
Public version 1.2.0

It seems to have to do with the SSL but I am not certain how to correct it.
The SSL seems to work on the site and shows ok in the back end but I still get that error.
Anyone know how to correct this?

1 Like

Seeing that, so I am going to alert @griffin for possible assistance.

2 Likes

And a few links on Chains:

2 Likes

Using this online tool https://chainchecker.certifytheweb.com/ shows

Let's Encrypt Modern Chain (May not support some older devices)
 

This Let's Encrypt chain uses the newer ISRG Root X1 root, which is trusted by current operating systems. This chain may cause issues for some old devices, particularly Android 7.1 and lower.

Supplemental information:

$ curl -I http://rokuadmin.digitaltexas.com
HTTP/1.1 301 Moved Permanently
Date: Wed, 28 Dec 2022 19:49:40 GMT
Server: Apache
X-Powered-By: PHP/7.3.33
X-Redirect-By: WordPress
Upgrade: h2,h2c
Connection: Upgrade
Location: https://rokuadmin.digitaltexas.com/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8

$ curl -I https://rokuadmin.digitaltexas.com
HTTP/2 200
x-powered-by: PHP/7.3.33
link: <https://rokuadmin.digitaltexas.com/wp-json/>; rel="https://api.w.org/", <https://rokuadmin.digitaltexas.com/wp-json/wp/v2/pages/546>; rel="alternate"; type="application/json", <https://rokuadmin.digitaltexas.com/>; rel=shortlink
vary: Accept-Encoding
content-type: text/html; charset=UTF-8
date: Wed, 28 Dec 2022 19:49:51 GMT
server: Apache

$ openssl s_client -showcerts -servername rokuadmin.digitaltexas.com -connect rokuadmin.digitaltexas.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = rokuadmin.digitaltexas.com
verify return:1
---
Certificate chain
 0 s:/CN=rokuadmin.digitaltexas.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
Server certificate
subject=/CN=rokuadmin.digitaltexas.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3371 bytes and written 413 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C7E8F3C443AF511BB80F58CDFB4671E0C264DEDD3F62155FBA527144836CB18D
    Session-ID-ctx:
    Master-Key: F2C7C5882DFD1136A1D98A06A3994E0E4C51E793720B3E3F87628948AC07DD5DAD1D1BDD6E3BC54BD9190C9C2066EEF2
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1672257119
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
DONE
2 Likes

After looking around, I found a CertSage 1.4.0 for cPanel and ran it.
Again, the cert seems to work but I am still getting the error on the other end.
I am not certain what the chains links are for...
What does supplemental info tell you...
Any thoughts on what I can do to fix this?
Thank you!

4 Likes

A short modern chain is being served, so the question is what chain(s) does the other side support?

2 Likes
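
As an added illustration of the question above (not part of the thread and not code from any poster): this Python sketch parses the `Certificate chain` section of the `openssl s_client` output shown earlier and reports which root the client must already hold in its trust store. The trust-store contents are hypothetical, and names are matched by CN only, which is a simplification of real path validation.

```python
import re

# Chain section copied from the s_client output in this thread (PEM bodies omitted).
SAMPLE = """\
Certificate chain
 0 s:/CN=rokuadmin.digitaltexas.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
"""

def common_name(dn):
    """Pull the CN out of '/C=US/CN=x' or 'C = US, CN = x' style names."""
    m = re.search(r"CN\s*=\s*([^/,\n]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s = re.match(r"\s*\d+\s+s:(.*)", line)
        i = re.match(r"\s*i:(.*)", line)
        if s:
            subject = common_name(s.group(1))
        elif i and subject is not None:
            chain.append((subject, common_name(i.group(1))))
            subject = None
    return chain

def check_chain(chain, client_roots):
    """Check issuer/subject linkage and whether the client trusts the anchor."""
    problems = []
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"gap: issued by {issuer!r}, next cert is {next_subject!r}")
    # Issuer of the last certificate sent = the root the client must already hold.
    anchor = chain[-1][1]
    if anchor not in client_roots:
        problems.append(f"client does not trust {anchor!r}")
    return anchor, problems

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    # Hypothetical trust stores; a real client's root list must come from its vendor.
    stores = {"current": {"ISRG Root X1"}, "legacy": {"DST Root CA X3"}}
    for name, roots in stores.items():
        print(name, check_chain(chain, roots))
```
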

I concur with the conclusion that the certificate installed on the webserver works. I'm not clearly understanding the rest of your setup. Please describe your technical configuration here so that we can clearly understand. I'm guessing that your frontend is acting as a reverse proxy of some kind.

6 Likes

I will contact ROKU and ask them about the chains they support. Has any of this changed in the last month? Of course things on their end may have too..

My site is used as a CMS but not for people to go to my site and see. We use it as an online way to organize our video content for distribution to our ROKU channel. The site creates a link using our data that is fed to ROKU, based on their own criteria.

https://rokuadmin.digitaltexas.com/wp-json/tv/roku/

The information is then ingested from the link into ROKU. This process has worked for a few years now. Then I started getting the error on ROKU's end.

They don't really tell me much, but I am trying to figure out where the issue is and how to correct it.
I will go to them again and ask some more questions.

1 Like

Nothing's changed on Let's Encrypt's end relating to certificate chains in the past month, and it looks like your server is working fine. You'll need more information on what this Roku is expecting and the error you're getting. (And maybe also if it's multiple users seeing the problem? You might get this sort of thing if there's an "attacker" like an overly-zealous corporate firewall trying to intercept the connection, which is really HTTPS working correctly and preventing the connection.)

6 Likes

I agree with @petercooperjr. I surmise that you've been seeing this issue since October of 2021 when the end of the cross-signed chain expired, but without a clear description of your infrastructure that's purely a guess.

5 Likes

No, the issue only showed up around a month ago... before that it was all working. I have sent a request to ROKU to see if they can tell me anything. I will keep looking.

Thank you for looking into all this with me
JW

3 Likes

You could try obtaining a cert from another CA [thus another chain].

5 Likes

Where could I get another CA?

Check here:

6 Likes
