Digital Ocean SSLHandshakeException PKIX path building failed, unable to find valid certification path to requested target

#1

We are getting the exception below when we hit our URL from a Java class (we are using a Let's Encrypt certificate).
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Our server is at Digital Ocean and we created a Docker container there; our application is running inside that container. We checked the SSL setup at Digital Ocean using the commands below and they connect successfully.
curl -k https://www.cwamessagingservice.com/
curl --insecure -v https://www.cwamessagingservice.com/ 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
We also used the SSLPoke class and we are not getting any exception:

java SSLPoke www.cwamessagingservice.com 443

It gives us:
Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=cp1252
Successfully connected

My domain is: www.cwamessagingservice.com

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Debian 9.6

My Java is: openjdk version "1.8.0_111"

SSL Report Link (getting overall rating A) : https://www.ssllabs.com/ssltest/analyze.html?d=www.cwamessagingservice.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Can anyone help me with this exception? Any help would be appreciated.

#2

Hi @cwa

I don’t understand your error really. But checking your domain (via https://check-your-website.server-daten.de/?q=cwamessagingservice.com ) there is a problem:

Your certificate has only one domain name:

CN=www.cwamessagingservice.com (3653)
20.02.2019 - 21.05.2019, expires in 77 days
www.cwamessagingservice.com - 1 entry

The result:

Domainname                            IP             Http-Status  redirect                              Sec.   G
http://cwamessagingservice.com/       68.183.80.188  302          https://cwamessagingservice.com/      0.320  A
http://www.cwamessagingservice.com/   68.183.80.188  302          https://www.cwamessagingservice.com/  0.310  A
https://cwamessagingservice.com/      68.183.80.188  200          -                                     3.403  N
                                                     Certificate error: RemoteCertificateNameMismatch
https://www.cwamessagingservice.com/  68.183.80.188  200          -                                     3.103  B

Your non-www version isn't secure.

Create one certificate with both domain names (non-www and www) and use that. Then check if the error is gone.

If you check your www version with Ssllabs, all is good. Your non-www version doesn’t work.

So if your Java connects to the non-www version, that doesn't work.

#3

Hi Juergen,
Thanks for quick response. We created one certificate with both domain names (non-www and www) and used that certificate, but still getting the same SSL Handshake issue.
Is there something which I am missing?

Regards, cwa

#4

Now your configuration is good:

Your certificate has both domain names:

CN=cwamessagingservice.com
05.03.2019 - 03.06.2019, expires in 90 days
cwamessagingservice.com, www.cwamessagingservice.com - 2 entries

Both connections are secure.

There is a new SSLlabs check:

https://www.ssllabs.com/ssltest/analyze.html?d=www.cwamessagingservice.com&hideResults=on

Is that Java 6u45 or older? If yes, perhaps the DH parameters are “too good”.

Perhaps some Java libraries are too old.

Checked your non-www version

https://www.ssllabs.com/ssltest/analyze.html?d=cwamessagingservice.com&hideResults=on

your DH parameters:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA ( 0x39 ) DH 4096 bits FS

But the client doesn’t support DH > 1024

#5

Hi Juergen,

We are using Java version "1.8.0_181". Sorry, I did not get the line below which you wrote:
"But the client doesn't support DH > 1024"

Please elaborate on where I am supposed to make changes to resolve this issue.

Regards, cwa

#6

That’s the oldest Java client SSLLabs checks.

But rereading your original message, it sounds like your Java doesn't find the root. But I'm not familiar with Java development.

Searching "SunCertPathBuilderException" there are some (old) samples of how to check such a configuration.
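As an added example (not code from this thread or from SSLPoke), here is a small Java program that performs the same PKIX path building the JVM does during the TLS handshake, but against a chain saved to a file, so you can see which trust anchor in the default cacerts store matches or, on failure, which issuer it could not match. It assumes chain.pem holds only the PEM certificates the server sent, e.g. extracted with `openssl s_client -showcerts -servername www.cwamessagingservice.com -connect www.cwamessagingservice.com:443 </dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > chain.pem`, and that the JVM's default trust store and password (changeit) apply unless the javax.net.ssl.trustStore properties override them.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example: reproduce the JVM's PKIX path building for a saved server chain
// against the trust store the JVM would use, and report the outcome.
public class CheckChain {
    public static void main(String[] args) throws Exception {
        String chainFile = args.length > 0 ? args[0] : "chain.pem"; // assumed file name

        // Parse every PEM certificate the server sent; index 0 is the leaf.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(chainFile)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }

        // Load the same trust store the JVM uses by default (or the configured override).
        String defaultTs = System.getProperty("java.home") + "/lib/security/cacerts";
        String tsPath = System.getProperty("javax.net.ssl.trustStore", defaultTs);
        String tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(tsPath)) {
            ts.load(in, tsPass.toCharArray());
        }

        // Ask the PKIX builder to find a path from the leaf to any anchor in the store,
        // using the server-supplied intermediates as the only extra certificates.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(ts, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // revocation is not what this check is about

        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("Path built; trust anchor: "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // Same failure the handshake reports as "unable to find valid certification path".
            X509Certificate top = chain.get(chain.size() - 1);
            System.out.println("PKIX path building failed: " + e.getMessage());
            System.out.println("Issuer of the last certificate the server sent (not found in "
                    + tsPath + "): " + top.getIssuerX500Principal());
        }
    }
}
```

If the path cannot be built, the printed issuer is the certificate to look for in the trust store (for example with `keytool -list -v -keystore <trust store>`); if it is absent, updating the JDK or importing that CA into the trust store the application actually uses is the fix, and running inside the container matters because the container's JDK and cacerts are the ones consulted, not the host's.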

#7

Hi Juergen,
Thanks. Please let us know if you find anything.

Regards,
cwa
