Article:Why does my Java application throw PKIX path validator exceptions?
by Calvin Austin
One of the more mysterious errors that can appear in your Tomcat or Java application server when trying to communicate with an SSL/HTTPS site is the exception:
ValidatorException: PKIX path building failed: unable to find valid certification path to requested target
or
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The common explanation is that the application server was installed with a self-signed SSL certificate. The root cause, however, is that your application did not accept the trust relationship with the other SSL resource. In a browser session the user is asked whether the certificate is OK; a non-interactive application has no option but to raise a ValidatorException.
This trust is often rejected because of an SSL certificate mismatch between the two sites, very often but not exclusively because one partner uses a self-signed certificate and the other uses a certificate signed by a third-party authority. Sometimes it is as simple as one of the certificates having expired: many certificates, including self-signed certificates by default, expire after one year.
The certificate chains that are trusted automatically are stored in your cacerts file. There is a default keystore in $JAVA_HOME/jre/lib/security/cacerts; however, Tomcat will also fall back to the file .keystore in the Tomcat user's home directory. To rule out the possibility that the wrong keystore is being used, it is worth adding your certificate to both stores as follows:
keytool -import -alias tomcat -file server.crt -keystore $HOME/.keystore
(default password is changeit)
keytool -import -alias tomcat -file server.crt -keystore /usr/java/jre/lib/security/cacerts
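To confirm which of the two stores actually holds the certificate and whether it has expired, the check below can be run before or after the import. It is an added example, not code from the original article; the class name TrustStoreCheck is hypothetical, and it assumes the certificate file is server.crt and both stores use the default password changeit.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper class; not part of Tomcat or the JDK.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Certificate file used in the keytool commands; override with args[0].
        String certFile = args.length > 0 ? args[0] : "server.crt";
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        System.out.println("Expires: " + cert.getNotAfter());
        try {
            cert.checkValidity(); // throws if expired or not yet valid
            System.out.println("Validity: OK");
        } catch (CertificateException e) {
            System.out.println("Validity: FAILED (" + e.getMessage() + ")");
        }
        // The two stores named in the article; java.home already points at the JRE.
        Path[] stores = {
            Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts"),
            Paths.get(System.getProperty("user.home"), ".keystore")
        };
        char[] password = "changeit".toCharArray(); // assumed default password
        for (Path store : stores) {
            if (!Files.isReadable(store)) {
                System.out.println(store + ": not present or not readable");
                continue;
            }
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(store)) {
                ks.load(in, password); // IOException here usually means a wrong password
            }
            String alias = ks.getCertificateAlias(cert); // null when this exact cert is absent
            System.out.println(store + ": "
                    + (alias == null ? "certificate not present" : "present as alias '" + alias + "'"));
        }
    }
}
```

"certificate not present" only means this exact certificate was not imported; a certificate signed by a third-party authority can still validate through an issuer that is already in the store.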
For more details on PKIX in Java, check out Andreas's blog: http://blogs.sun.com/andreas/entry/no_more_unable_to_find
