Here is the example that doesn't work:
public class Temp {
public static void main(String[] args) throws Exception {
new URL("https://float.software").openConnection().getInputStream();
}
}
Going to https://float.software/ in my browser works just fine. But java throws this exception:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:957)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:892)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at fb.Temp.main(Temp.java:8)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 19 more
When I've looked at other answers they all talk about installing certificates. I don't think I should have to install a certificate. This isn't self-signed. It uses a real certificate authority. Python downloads this URL just fine. So does chrome. Java doesn't.
EDIT: For those saying that Comodo is a newer authority not yet added to java, it was added as a root in Java 5. See http://forums.comodo.com/comodo-cleaning-essentials-killswitch-autoruns-cce/how-do-i-unblock-a-processexecutable-t17086.0.html
If you look at the SSLLabs report for this domain you will see two possible certification path:
The first (shorter) one ends expects that the "COMODO RSA Certification Authority" is trusted by the client. Although this CA is valid since 2010 it got only recently (about half year) ago included in browser like Firefox, see https://bugzilla.mozilla.org/show_bug.cgi?id=1062589. You will not find this CA as trusted outside most browsers, i.e. in the trust stores shipped with Java or similar (Java does not use the systems trust store).
The other longer certification path expects a trusted root CA "AddTrust External CA Root ". This CA is included for years in browsers and OS and is probably also in the Java trust store. Unfortunately to verify this certification path an additional chain certificate is needed which is not provided by the server (marked as "Extra Download" in the SSLLabs report).
Since Java does not include the Root-CA from the first path it is not able to verify it. And it fails to verify the second path because of the missing chain certificate. This means the verification fails.
Python downloads this URL just fine. So does chrome.
Chrome has the newer root-CA. Also Chrome attempts to download missing chain certificates, while Java, Python etc do not.
Python only started recently to verify certificates by default, i.e. since 2.7.9+ and 3.4.3+. All previous (which means most installed) versions did not validate the certificates (except when using the requests library) so it just worked (typical problem: nobody notices that's insecure because it seems to work). See https://www.python.org/dev/peps/pep-0476/.
You may have to update your cacerts file if you're using an old version of Java. float.software's SSL cert is signed by "COMODO RSA Certification Authority", which has only be valid since Feb 2014. It's possible your Java install is older than that.
Also, watch out on Python. Not all HTTPS implementations verify the remote certificate.
Related
I am loading one of the ssl certificate from a .crt file to access one resource. But when I make the call to that intranet resource. I get following exception. Can someone suggest how to overcome this problem? Also can I disable a DNS check
...
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Subtree check for certificate subject alternative name failed.
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 81 more
Caused by: java.security.cert.CertPathValidatorException: Subtree check for certificate subject alternative name failed.
at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertBC(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 87 more
Caused by: org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException: DNS is not from a permitted subtree.
at org.bouncycastle.jce.provider.PKIXNameConstraintValidator.checkPermittedDNS(Unknown Source)
at org.bouncycastle.jce.provider.PKIXNameConstraintValidator.checkPermitted(Unknown Source)
I found answer to this problem, sharing if it saves time for anybody else.
What is been observed is that in some cases only CA root certificate is not sufficient. But when other intermediate certs are also loaded then this issue didnt occur. So basically the whole chain certificates were needed to overcome this problem. As a combination of bouncy castle library upgrade and including whole chain certs worked for me.
I am trying to catch up the JASIG's CAS server. I have successfully generated the keys for Tomcat (8.5 it is), imported the keys to Java keystore and now trying to build the CAS project I have downloaded from the GitHub, using the built-in build script dev-build-no-tests.sh. What I can't get through is this step due to an exception that is thrown as I run the build script.
Downloading https://services.gradle.org/distributions/gradle-2.10-bin.zip
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at org.gradle.wrapper.Download.downloadInternal(Download.java:58)
at org.gradle.wrapper.Download.download(Download.java:44)
at org.gradle.wrapper.Install$1.call(Install.java:61)
at org.gradle.wrapper.Install$1.call(Install.java:48)
at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:65)
at org.gradle.wrapper.Install.createDist(Install.java:48)
at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:128)
at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:61)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 26 more
What's wrong here? What am I doing wrong? I tried to find a clue somewhere but so far no good.
As far as I understand, this seems to be a problem when trying to download this gradle version. What I don't understand is why this happens and how to fix this.
The domain you are trying to download from is not in the trusted list
You can try one of 2 options,
Trying with a http URL instead of https url
You could get around this is by downloading the certificate from
services.gradle.org (.cer file) and then installing them into your
java trust store. Make sure you download any parent certificates
this domain may have and install them as well. Once you do this, you
should be able to move forward.
I'm trying to add a self-signed certificate to my java keystore. When I list all the certificates, it's also there, so it must have been saved. However, when I try to make a request in my class, I still get the exception:
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I have tried to replace the certificate but it doesn't change anything.
My company keeps the Maven dependencies on a server that has an invalid SSL certificate. We must use https to connect. When I try to run Maven, it cannot download the resources.
I know the name of the site I am trying to go to. I'd be happy to either add a security exception for the site, or just shut off all the validation of ssl certificates so that all https sites will be considered valid.
I am using Maven 3.0.4.
Here are some highlights of the stack trace when I try to build:
Caused by: org.sonatype.aether.transfer.ArtifactTransferException: Could not transfer artifact
org.apache.maven:maven-plugin-api:pom:2.0.6 from/to NexusExternal (<code>https</code>:
//mydumbcompanysbrokensite:8443/nexus/content/groups/public):
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target
...
Caused by: org.apache.maven.wagon.TransferFailedException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target
You can simply disable Maven SSL validation by adding these options to the command line :
-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true
We recently changed all the certificates and Jenkins seems to have been affected by that. It is unable to publish to confluence and it gives the following error:
ERROR: Publisher com.myyearbook.hudson.plugins.confluence.ConfluencePublisher aborted due to exception
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We use self signed certificates for our internal services. I added the new certificate into the trust store of the server running jenkins using the keytool command. The problem persist.
I am unable to track the source of the problem now.
Any help would be highly appreciated.
Thanks,
SanZig
I finally figured it out. It was a problem with the location of the trusted keystore.
It's better to always add the certificates into the /var/lib/jenkins/.keystore rather than adding in the PATH_TO_JAVA_HOME/jre/lib/security/cacerts. If you still want to add the certificate into the cacerts then an ARG should be added in the application's config file:
JAVA_ARGS="-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts"
Sometimes you may need to add the certificate in ~/.keystore