Into my application I'm using an HttpClient setting an ssl context:
#Bean
public HttpClient httpClient() throws Exception {
SSLContext sslContext = SSLContextBuilder.create()
.loadKeyMaterial(
new URL(schedulerConfiguration.getKeyStore()),
schedulerConfiguration.getKeyStorePassword().toCharArray(),
schedulerConfiguration.getKeyPassword().toCharArray()
)
.loadTrustMaterial(
new URL(schedulerConfiguration.getTrustStore()),
schedulerConfiguration.getTrustStorePassword().toCharArray()
)
.build();
return HttpClients.custom().setSSLContext(sslContext).build();
}
As you can see I'm loading a keystore and a truststore.
keystore contains the private key and truststore contains all chain certificates.
I'm running against client connections can't be launched due to:
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://balancer:8080/token": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I've built my jks from a .p12 file like this.
In order to build trsutstore:
$ openssl pkcs12 -in fitxers.p12 -nokeys -out cacerts-nokeys.crt
$ keytool -importcert -file cacerts-nokeys.crt -keystore cacerts-pre-splitted.jks
And in order to create my keystore:
$ keytool -importkeystore -srckeystore fitxers.p12 -srcstoretype pkcs12 -destkeystore auth-backoffice-pre.jks -deststoretype jks
Any ideas about what's wrong?
I remember having similar issue when not using aliases properly. Are you using aliases in your original p12 file? If so, I'd recommend using the other method for loading the key material with custom PrivateKeyStrategy.
Also take a look when trying to connect your client with vm option:
-Djavax.net.debug=all
You will be able to see a bit of more information. Hopefully this guides you to your solution!
Related
I am trying to reach an external API through a secured connection. The connection usually requires a client certificate issued by the company. The certificate has been whitelisted and I also checked with Postman by importing the certificate and it worked fine. I am getting sun.security.validator.ValidatorException when I try to reach the API.
I generated these files using the .crt file:
trustStore.jks-
"C:\Program Files\Java\jdk1.8.0_341\bin\keytool" -import -file "C:/Users/user/certs/example.crt" -alias exampleCA -keystore "C:/Users/user/certs/truststore.jks"
2.keyStore.p12-
openssl pkcs12 -export -in "C:/Users/user/certs/example.crt" -inkey "C:/Users/user/certs/example.key" -certfile "C:/Users/user/certs/example.crt" -name "examplecert" -out "C:/Users/user/certs/keystore.p12"
3.keystore.jks-
"C:\Program Files\Java\jdk1.8.0_341\bin\keytool" -importkeystore -srckeystore "C:/Users/user/certs/keystore.p12" -srcstoretype pkcs12 -destkeystore "C:/Users/user/certs/keystore.jks" -deststoretype JKS
I have the keyStore setup in properties:
server.port=443
server.use-forwarded-headers=true
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password= password
server.ssl.key-alias=examplecert
When I hit the url, I can see the same cert being used with httpsnot-secure error
However, when I click in the background 'thisisunsafe' as mentioned here stackoverflow-answer, I get the error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] with root cause
Can someone help me in this? I am completely new to SpringBoot.
I'm reviewing a training project - working with a mail server gmail.com. An error occurred at startup:
Failed receive: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
On this site I found instructions on how to connect the certificate: PKIX path building failed” and “unable to find valid certification path to requested target
I'm reviewing a training project - working with a mail server gmail.com. An error occurred at startup:
Failed receive: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
On this site I found instructions on how to connect the certificate: PKIX path building failed” and " unable to find valid certification path to requested target
I did everything according to the instructions:
In chrome, I downloaded the certificate from this site, saved it to the mg mail.cer file
I connected it with the command
keytool -import -alias gmail -keystore c:\Development\Java\jdk11\lib\security\cacerts -file m gmail.com
I overloaded the computer, but the error still remains
I check with the command
keytool -list -trustcacerts -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit
the certificate is in the list:
mgmail, 2 февр. 2021 г., trustedCertEntry,
Certificate fingerprint (SHA-256): 9A:63:32:BE:95:...
What did I miss?
According to this error, It seems like you haven't imported the full cert chain to the trust store (root, intermediate and leaf certs).
enter image description here
In Firefox, You can easily download the full certificate chain. Then please import all 3 certificates to your trust store.
I created server and client keystore.jks and truststore.jks pairs.
server-truststore.jks contains client-public.cer, client-truststore.jks contains server-public.cer.
SSL certificates have no CAs, are self-signed ones. If I play the communication locally it works. But after deploying my server I get the exception:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I've tried to put my server/client certificates into carcerts of java security, it didn't help.
The communication only works if I call my WS from SOAP UI. (For SOAP UI I don't need to use truststore.jks)
I checked it out with a famous SSLPoke.class
$ java SSLPoke HOST 443
Successfully connected
$ java -Djavax.net.ssl.trustStore=truststore.jks SSLPoke HOST 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What could solve it?
I'm trying to use Amazon S3 API to encrypt and upload a file.
public class AmazonS3 {
String KmsId = "my_id_comes_here";
private TransferManager getTransferManager() {
AWSCredentials awsCredentials = new ProfileCredentialsProvider().getCredentials();
KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(KmsId);
AmazonS3EncryptionClient s3Client = new AmazonS3EncryptionClient(awsCredentials, materialProvider,
new CryptoConfiguration().withKmsRegion(Regions.EU_CENTRAL_1)).withRegion(Regions.EU_CENTRAL_1);
s3Client.setEndpoint("s3.eu-central-1.amazonaws.com");
TransferManager transferManager = new TransferManager(s3Client);
return transferManager;
}
public void upload(String bucket, String keyName, String filePath)
throws InterruptedException, NoSuchAlgorithmException, IOException, InvalidKeySpecException {
TransferManager transferManager = getTransferManager();
// TransferManager processes all transfers asynchronously, so this call will return immediately.
Upload upload = transferManager.upload(bucket, keyName, new File(filePath));
try {
// Or you can block and wait for the upload to finish
upload.waitForCompletion();
System.out.println("Upload complete.");
} catch (AmazonClientException amazonClientException) {
System.out.println("Unable to upload file, upload was aborted.");
amazonClientException.printStackTrace();
}
}
Which works fine if I don't pass my trustore as arguments to my application.
But, if I initialize my application with my trustore like this:
-Dspring.profiles.active="dev" -Djavax.net.debug=all -Djavax.net.ssl.trustStore=/usr/share/ca-certificates/anevis/java/activemq/client.ts -Djavax.net.ssl.trustStorePassword=changeit
It gives me this error:
com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:516)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:317)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3595)
at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:999)
at com.amazonaws.services.s3.transfer.TransferManager.doDownload(TransferManager.java:779)
at com.amazonaws.services.s3.transfer.TransferManager.download(TransferManager.java:691)
at com.anevis.documentengine.configuration.jms.AmazonS3.download(AmazonS3.java:57)
at com.anevis.documentengine.configuration.jms.S3UploadTest.testUpload(S3UploadTest.java:25)
at com.anevis.documentengine.configuration.jms.S3UploadTest.main(S3UploadTest.java:9)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:128)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:749)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:505)
... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 38 more
How can I fix this error ?
Your trust store doesn't have the certificate authority that secures the AWS APIs. You need to create a new trust store that combines client.ts with the ones required for AWS. The easiest way to do this is to merge client.ts with the cacerts keystore from the JRE.
Example:
keytool -importkeystore -srckeystore client.ts -destkeystore combined.ts -srcstorepass changeit -deststorepass changeit
keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore combined.ts -srcstorepass changeit -deststorepass changeit
Then use combined.ts instead of client.ts.
Thank you, we had similar problem but I tweaked response a little bit for our scenario.
I received this com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
exception when trying to connect to AmazonDynamoDB.
When we moved our application to HTTPS we started receiving this error.
So the solution was the same, the only difference was instead of client.ts I had to add certificate into cacerts which was generated during HTTPS migration.
keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore test.p12 -srcstorepass changeit -deststorepass test;
Thanks,
I get this error while launching the application.
org.jboss.mq.SpyJMSException: Cannot authenticate user; - nested throwable: (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
org.jboss.mq.SpyJMSException: Cannot authenticate user; - nested throwable: (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
I set my certificate path by System.setProperty("javax.net.ssl.trustStore", "Path to certificate)..
But this is not working me..Also I have imported the certificate to the "cacerts" of Java Home. But still I am getting the error..
Any help would be appericiated...
The application authenticating the user has a Java keystore as its trust store. The trust store has to contain (as a trusted certificate) the certificate authority that signed the user's certificate. Put the certificate authority in a base-64 ca.cer file and use keytool -import -keystore YourKeystore -alias ca -file ca.cer -trustcacerts.