I was trying to send a POST request to a URL from the server, and it showed the following errors:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
Then I found out about InstallCert.java (https://www.cs.ucsb.edu/~pconrad/cs56/examples/ldap/SimpleQuery/InstallCert.java), which will allow my host and port to send the request. But when I was trying to run it on the server, it also showed some errors.
ubuntu@ip-172-31-28-14:/var/lib/tomcat7/webapps$ java InstallCert 52.39.134.231:8080
Loading KeyStore /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts...
Opening connection to 52.39.134.231:8080...
Starting SSL handshake...
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:671)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at InstallCert.main(InstallCert.java:91)
Could not obtain server certificate chain
And now I don't know what to do to send my request.
I am trying to send a SAML request to AWS STS to get temporary credentials that I can use for authentication with other AWS services. Below is my code:
    BasicAWSCredentials basicCreds = new BasicAWSCredentials("", "");
    AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
            .withCredentials(new AWSStaticCredentialsProvider(basicCreds))
            .withRegion(Regions.DEFAULT_REGION.getName())
            .build();
    AssumeRoleWithSAMLRequest samlReq = new AssumeRoleWithSAMLRequest();
    samlReq.setRoleArn(role_arn);
    samlReq.setPrincipalArn(principal_arn);
    samlReq.setSAMLAssertion(assertion);
    AssumeRoleWithSAMLResult token = stsClient.assumeRoleWithSAML(samlReq);
The request needs to go through a proxy and I have already set that up in the code. When I run it, I am seeing the below error:
INFO: Configuring Proxy. Proxy Host: xxx.xxx.com Proxy Port: 9400
com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1201)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1147)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:796)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:764)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:738)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:698)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:680)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:544)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:524)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1719)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1686)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1675)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithSAML(AWSSecurityTokenServiceClient.java:817)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithSAML(AWSSecurityTokenServiceClient.java:788)
at Hello.main(Hello.java:338)
This is happening at the line AssumeRoleWithSAMLResult token = stsClient.assumeRoleWithSAML(samlReq);. I understand that this error happens when a server certificate is absent in the cacerts file. I am running the code from my local laptop, so it's my own cacerts file that is being used.
Now, I am wondering if I must be adding the proxy server certificate or the AWS certificate? If I should be adding the AWS certificate, where can I get that from? Is there any other workaround for this problem?
Any help would be appreciated, thank you.
I'm receiving this exception when I try to access a CAS server:
12:27:35.216 [https-jsse-nio-8080-exec-6] DEBUG o.j.c.c.v.Cas20ServiceTicketValidator - Constructing validation url: https://localhost:8090/cas-server-webapp-4.0.0/serviceValidate?&ticket=ST-2-I1EbyRdw9aOr4xTW9cmQ-localhost&service=https%3A%2F%2Flocalhost%3A8080%2FIDwebapp%2Fj_spring_cas_security_check
12:27:35.216 [https-jsse-nio-8080-exec-6] DEBUG o.j.c.c.v.Cas20ServiceTicketValidator - Retrieving response from server.
12:27:35.352 [https-jsse-nio-8080-exec-6] ERROR o.j.c.c.v.Cas20ServiceTicketValidator - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have followed this guide https://github.com/escline/InstallCert to install the certificate... and effectively it was added to the JVM's cacert keystore:
java InstallCert localhost:8090
But the problem arises when I use Tomcat; it continues generating the same exception.
In the web browser an HTTP Status 401 - Unauthorized error is shown:
I am trying to build an app for Token Browser, I have followed all the instructions. Created a Docker Environment and entered all the configuration. When I'm running the docker-compose up I receive the following error. Any help would be greatly appreciated.
org.whispersystems.signalservice.api.push.exceptions.PushNetworkException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
Notes: Received this on both Linux 16.04 (Virtual Box) and Windows 10 Home.
I created server and client keystore.jks and truststore.jks pairs.
server-truststore.jks contains client-public.cer, client-truststore.jks contains server-public.cer.
The SSL certificates have no CAs; they are self-signed ones. If I play the communication locally it works. But after deploying my server I get the exception:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I've tried to put my server/client certificates into the cacerts of Java security; it didn't help.
The communication only works if I call my WS from SOAP UI. (For SOAP UI I don't need to use truststore.jks)
I checked it out with a famous SSLPoke.class
$ java SSLPoke HOST 443
Successfully connected
$ java -Djavax.net.ssl.trustStore=truststore.jks SSLPoke HOST 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What could solve it?
I have referred to almost every question on this topic on SO but none of the answers gave me a break-through unfortunately.
I am using EWS1.2 and running the following code from within eclipse to connect to our exchange server to send a test email. Please see inline comments as to what I understand that the code is doing.
    ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2007_SP1);

    /* Our company email id and windows password. We never had to enter a password for outlook.
       I guess it is using LDAP authentication. In our outlook it is set to Negotiate Authentication. */
    ExchangeCredentials credentials = new WebCredentials("123.abc@xyz.com", "MyWinPassword");
    service.setCredentials(credentials);

    /* Our proxy server's ip address and port. I am not sure if our exchange server is only accessible through a proxy
       but this statement stopped a "connection refused" error that I was getting earlier */
    WebProxy webProxy = new WebProxy("our_proxy_ip", 8080);
    webProxy.setCredentials("my_win7_user_id", "MyWinPassword", "OurDomain");
    service.setWebProxy(webProxy);

    try {
        service.setUrl(new URI("https://exchange_ip/ews/Exchange.asmx"));
        /* Autodiscovery never worked: The Autodiscover service couldn't be located. */
        // service.autodiscoverUrl("123.abc@xyz.com");
    } catch (URISyntaxException e) {
        e.printStackTrace();
    }

    EmailMessage msg;
    try {
        msg = new EmailMessage(service);
        msg.setSubject("Test Email");
        msg.setBody(MessageBody.getMessageBodyFromText("Sent using the EWS API"));
        msg.getToRecipients().add("123.abc@xyz.com");
        msg.send(); /* This is where we get an exception */
    } catch (Exception e) {
        e.printStackTrace();
    }
which results in the below trace:
microsoft.exchange.webservices.data.ServiceRequestException: The request failed. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at microsoft.exchange.webservices.data.ServiceRequestBase.getEwsHttpWebResponse(Unknown Source)
at microsoft.exchange.webservices.data.ServiceRequestBase.validateAndEmitRequest(Unknown Source)
at microsoft.exchange.webservices.data.SimpleServiceRequestBase.internalExecute(Unknown Source)
at microsoft.exchange.webservices.data.MultiResponseServiceRequest.execute(Unknown Source)
at microsoft.exchange.webservices.data.ExchangeService.internalCreateItems(Unknown Source)
at microsoft.exchange.webservices.data.ExchangeService.createItem(Unknown Source)
at microsoft.exchange.webservices.data.Item.internalCreate(Unknown Source)
at microsoft.exchange.webservices.data.EmailMessage.internalSend(Unknown Source)
at microsoft.exchange.webservices.data.EmailMessage.send(Unknown Source)
at com.ashok.calsync.Sync.testMethod(Sync.java:39)
at com.ashok.calsync.Sync.main(Sync.java:12)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 28 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
... 34 more
I had exported the certificate used by Outlook to a .cer file and imported to cacerts using keytool.
    keytool -import -file D:\Ashok\myOutlookCert1.cer -keystore cacerts -alias myOutlookCert1
The Run configuration in eclipse includes the following under VM Arguments
-Djavax.net.debug=all -Djavax.net.ssl.keyStore="C:\java_jdk\1.6.0_30\jre\lib\security\cacerts"
-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore="C:\java_jdk\1.6.0_30\jre\lib\security\cacerts"
-Djavax.net.ssl.trustStorePassword=changeit
and the certificate is visible in the debug trace
adding as trusted cert: Subject: CN=123.abc, CN=S, CN=A,
CN=OurDomain, CN=XYZ, CN=pki, DC=xyz, DC=com Issuer: CN=XYZ-CA1-FR,
CN=PKI, DC=XYZ, DC=com Algorithm: RSA; Serial number: 0x43559d09
Valid from Tue Jun 19 13:31:28 IST 2012 until Fri Jun 19 14:01:28 IST
2015
After all this, the exception suggests that the certificate is not found. The questions here are:
How do we confirm that the certificate I imported to cacerts is the one the Server is looking for?
I had exported the certificate from Outlook's Trust Centre (from within Email Security section). Is this the right certificate for connecting to the Exchange Server?
Many thanks in advance for any help.
Regards,
Ashok
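
For the question of whether an imported certificate is the one the server presents, the following added example (not part of any of the posts above, and not InstallCert) records the chain the server sends during the handshake, validates it against a given trust store, and prints for each certificate whether an exact copy is in that store. The class name ChainCheck and its arguments (host, port, optional trust store path and password) are assumptions; it connects directly, without a proxy, and does no hostname verification.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Added example; ChainCheck and its arguments are hypothetical names.
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];                    // server to test (supplied by the caller)
        int port = Integer.parseInt(args[1]);     // must be the TLS port, not a plaintext one
        String path = args.length > 2 ? args[2]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass = (args.length > 3 ? args[3] : "changeit").toCharArray();
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { trust.load(in, pass); }

        // Real PKIX validator built only from the trust store under test.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];

        // Wrapper records the presented chain, then defers to the real validator,
        // so an untrusted chain still fails the handshake.
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { real.checkClientTrusted(c, t); }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException { seen[0] = c; real.checkServerTrusted(c, t); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        String verdict = "chain validates against " + path;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(10000);
            s.startHandshake();
        } catch (SSLException e) {
            verdict = "handshake failed: " + e.getMessage();
        }
        if (seen[0] == null) { System.out.println(verdict + " (no certificate chain received)"); return; }
        for (X509Certificate c : seen[0]) {
            String alias = trust.getCertificateAlias(c);   // exact copy present in the store?
            System.out.println("subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer: " + c.getIssuerX500Principal());
            System.out.println("  in trust store: " + (alias != null ? alias : "no"));
        }
        System.out.println(verdict);
    }
}
```

Run it as `java ChainCheck HOST PORT [truststore] [password]`; it only reads the trust store and never modifies it.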