We Keep Coding

How to download SSL certificate from a LDAP Server using java ? and establish SSL connection using LDAPS?

I am trying to write a program for connecting LDAP server using java code..
Connection Type - SSL
I am getting SSLHandshakeException which says I will have to use 'server certificate' to establish ssl connection -
javax.naming.CommunicationException: :636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Could anyone please suggest how to download SSL certificate from the server using java code and then use that certificate while connecting to LDAP ?
Here are the solutions i have tried, but i did not work -
How to read a Certificate attribute (caCertificate) from LDAP server (Java)?
How to make a call, via Java, with ssl and certificate to an ldap (AD)?
NOTE - I cannot override functionality of certificate verification/validation using custom socket factory

Configure log4j' HTTP appender to accept self-signed certificate

I am trying to send logs to Splunk Cloud' HTTP Event Collector using Log4J' HTTP Appender. However, it seems Splunk uses a self-signed certificate on their HTTP Event Collector, thus causing SSL Validation errors when Log4J tries to connect to it:
ERROR Unable to send HTTP in appender [Splunk] javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How can I temporarily disable SSL Certificate verification (similarly to the -k option of CURL) for the HTTP Appender?

Could not convert socket to TLS on Apache Commons Mail

I have a problem connecting to a SMTP Server with Apache Commons Mail. I have tried everything but the only thing I can find online is for Java Mail.
This is my error:
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have seen that you can fix the issue on Java Mail with props.put("mail.smtp.ssl.trust", "smtp.gmail.com"); for example, but I can't a equivalent command to use on Apache Commons.

If you're really connecting to Gmail, you shouldn't need that. The Gmail certificate will be trusted by the default trust store. If you've configured a non-default trust store, add the Gmail certificate to that trust store using the InstallCert program.

Calling SSL URL from Java gives certificate issues

I'm trying to do an API using SSL. When I perform the call, I get the following error:
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://yyyyy.zzz/123":sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I know there are many questions in StackOverflow regarding this issue, but the ones I saw was because certificate was self-signed. In this case certificate is valid and browser recognize it without problems as a valid one.
So my question is, why does it fail when calling from Java and it does work well when using the browser?

I had same issue. The browser recognized the certificate (and certificate path), but Java Virtual Machine did not. The error text was the same.
In my case the trust root was in Browser keystore, and in Java trust keystore. So everyone could check thrust path. But if your server returns not the whole certificate path, but only server one, it is harder. In this case, the certificate path could be validated only if validator has the INTERMEDIATE certificate in its thrust-store.
Because the java keystore is not updated as regularly as these in browsers, you could have the intermediate certificate in browser, but not in JVM.
Possible solutions in this case:
server to return the whole certificate chain
the intermediate certificate to be added in java trust store
For more info check Certificate path discovery in Java

Why does a signed certificate give me a handshake failure using Java?

I am accessing a web service. When I go to the web service's URL in my browser, the certificate is signed and automatically is accepted.
What I don't understand is that when I use Java to access the web service I get something along the lines of:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I would imagine this means that the certificate is not signed, but it is.
Doesn't com.sun.net.ssl.internal.ssl go to the certificate authority automatically and check if the certificate is signed? If not, is there something I need to set up in addition in order to do this?

There is more checking than just the signature. The certificate authority that produced the signature must be validated, among other things. Java's list of trusted certificate authorities is different than your browser's. You may need to download the CA cert with your browser and install it with Java's keytool.

It seems that the web server or the URL you are connecting to does not have a valid certificate from an authorized CA.To solve see this alternative solution.