SSLHandshakeException when authenticating with LinkedIn


I'm having some issues authenticating with LinkedIn using Spring Social.

So far, I can open a form on http://localhost:8080/signin on my server, where a click on a link to auth/linkedin redirects to https://www.linkedin.com/uas/oauth2/authorization?..., which after allowing access, redirects back to http://localhost:8080/auth/linkedin?.... At this point, my server POSTs to https://www.linkedin.com/uas/oauth2/accessToken, but fails with:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I'm far from an expert when it comes to certificates. As far as I can tell, LinkedIn's certificate is being rejected. In order for it to be accepted, either LinkedIn's certificate, or the certificate of the certificate authority that issued it, would have to be in my trust store.

The error indicates that I have neither. So one solution seems to be to simply import the certificate of the certificate authority into the trust store.

This seems like bad practice. I assume I am talking to LinkedIn, but the point of a chain of trust is not to assume but to prove someone's identity, and in this case that hasn't happened. If I simply assume someone is who they say they are, the certificate loses value.

Also, it seems I shouldn't be getting this error in the first place. I haven't found other people having issues with LinkedIn, and I find it hard to believe they wouldn't use a recognized certificate authority. So what could be the root cause of the issue?

Turns out that at an earlier stage of development that I had forgotten about, I had created a new keystore for some self-signed certificates, set with "-Djavax.net.ssl.trustStore=...". This replaced the default cacerts keystore. Now I've imported my certs into cacerts instead.
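An added example, not part of the original question or answer, showing the diagnostic a practitioner would run before importing anything into a trust store. The class name TrustStoreCheck and the "fewer than 20 entries" heuristic are my own choices; the lookup order it mirrors (the javax.net.ssl.trustStore property, then jssecacerts, then cacerts under the JDK's lib/security) is the standard JSSE behaviour. Because the property replaces the bundled cacerts rather than adding to it, a store that turns out to hold only a handful of self-signed entries is exactly the situation the answer describes: every public CA, including the one that issued LinkedIn's certificate, has silently stopped being trusted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Prints which trust store this JVM will actually use for outbound TLS and
 * what it contains. Run once normally and once with -Djavax.net.ssl.trustStore=...
 * to see the difference the property makes. (Hypothetical helper, not from
 * Spring Social or the JDK.)
 */
public class TrustStoreCheck {

    /** Resolve the trust store path in the same order JSSE uses. */
    static Path effectiveTrustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null && !override.isEmpty()) {
            return Paths.get(override); // replaces, does not extend, the default
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        // JSSE prefers jssecacerts when present, otherwise the bundled cacerts.
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /** Load the store; a null password skips the integrity check so reading never fails on it. */
    static KeyStore loadTrustStore(Path path) throws Exception {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        return ks;
    }

    /** Subject DNs of every trusted-certificate entry (private-key entries are ignored). */
    static List<String> trustedSubjects(KeyStore ks) throws Exception {
        List<String> subjects = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            subjects.add(alias + " -> " + cert.getSubjectX500Principal().getName());
        }
        return subjects;
    }

    public static void main(String[] args) throws Exception {
        Path path = effectiveTrustStorePath();
        List<String> subjects = trustedSubjects(loadTrustStore(path));
        System.out.println("Effective trust store: " + path);
        System.out.println("Trusted certificate entries: " + subjects.size());
        subjects.forEach(s -> System.out.println("  " + s));
        // Heuristic: a bundled cacerts has well over 100 public roots; a custom
        // store with a few self-signed certs is the misconfiguration in the answer.
        if (System.getProperty("javax.net.ssl.trustStore") != null && subjects.size() < 20) {
            System.out.println("WARNING: javax.net.ssl.trustStore is set and the store is small; "
                + "it has replaced the JDK's cacerts, so public CAs are no longer trusted "
                + "and PKIX path building will fail for sites like linkedin.com.");
        }
    }
}
```

If the warning fires, the remedy the answer chose (importing the self-signed certificates into the JDK's cacerts with keytool and dropping the override) keeps the public roots intact; the alternative of pointing the property at a copy of cacerts with the extra entries added has the same effect without modifying the JDK installation.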