PKIX path building failed : I added certificate to carcert still failing

Question

I am facing this problem with PKIX path build failuer, this is what I have tried...

1. I went to the target URL that I am trying to reach

    (eg -> https://localdevchannel.master.info/Gate/CustomerManagement/rest/resources/search)
   

   I clicked on the "LOCK" icon and exported the certificate.

2. I ran below command...

   keytool -importcert -file sec.cer -storepass changeit -keystore "C:/Program Files/Java/jdk-11.0.2/jdk-11.0.2/lib/security/cacerts" -alias secCert

3. The certificate got placed successfully. But I am still facing this issue. Please help what did I do wrong?

   javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   

Answer 1

ok,

You get this exception if your Certificate is expired, or does not exist in your store, or you updated another cacert file, and your java/and/or app is looking/using another.

1- Inspect your cacert file to actually see if the CERT has been added with its alias there.

From inside your JDK/jre/bin , you can find the keytool.exe You can call it like below to read the cacerts file:

susan@SE-00018098 /c/Program Files/Java/jdk1.7.0_80/jre/bin

$ keytool.exe -list -keystore ../lib/security/cacerts
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 92 entries

digicertassuredidrootca, 2008-apr-16, trustedCertEntry,
Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
trustcenterclass2caii, 2008-apr-29, trustedCertEntry,
Certificate fingerprint (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
thawtepremiumserverca, 2009-dec-11, trustedCertEntry,
Certificate fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66
swisssignplatinumg2ca, 2008-okt-31, trustedCertEntry,

2- If it is, is it expired? Check the date.

3- Confirm whether your app/java runtime is using the cacert file you just updated (Do you have multiple Java versions installed? What is your (Java_home)

======== Edited

If the certificate exists, and it is not expired, and you are 100% sure it is the right certificate, then probably your application/or container is not looking at the cacert file.

Try the hack below: I consider this as a hack, as you are hardcoding a path that may/not exist when you deploy on a different server.

There are many ways of create your own truststore and keystore stores and having those in the app itself, then you can incorporate them in your code, but try it to just see if the rest of the code works.

Set the system property before your https connection code:

System.setProperty("javax.net.ssl.trustStore", "java_home_path/jre/lib/security/cacerts");  

Replace with the correct path to cacerts file and try.

Answer 2

I found this solution after I went true all the answers, and no one helped. I don't know why, but I change myprive.key and myepublic.crt just change to myprivate.key.pem and mypublic.pem

So just find out how to covert .key and .crt into .pem

After that, it workde perfectly.

I needed it for sonarqube and some QA tests