[Solved] Out of the blue Java SSL Error. PKIX

Jaymer

Today on a customer's server, we tried an older routine which probably hadn't been run in a few months.
Its was a simple REST API call.
Yet it returned an odd error:
PKIX path building failed sun.security.provider.certpath.suncertpathbuilderexception
SunCertPathBuilderException: unable to find valid certification path to requested target

We had received that error a few months back when trying to connect to a MS Exchange server - and the company's admin was able to correct a certificate issue on their end, so we had to do nothing.

But I'd never seen it in relation to a REST call.
It makes sense though, because our endpoint was https:// so SSL was involved.

To fix it, I had to request a certificate:
1) Install openssl on windows
2) this hits the REST provider:

"\Program Files\OpenSSL-Win64\bin\openssl" s_client  -connect api.geocod.io:443

3) Having that provide an acceptable result, then parse that result into a .pem file:

C:\Users\Administrator>"\Program Files\OpenSSL-Win64\bin\openssl" s_client  -connect api.geocod.io:443 | "\Program Files\OpenSSL-Win64\bin\openssl" x509 -outform PEM >geocodio.pem

4) That .pem file should contain data like this now:

5) Now add that certificate to out java keystore:

C:\Users\Administrator>cd C:\AwareIM\JDK\bin
C:\AwareIM\JDK\bin>keytool -import -storepass <yourpasshere> -noprompt -alias geocodio -keystore \AwareIM\JDK\lib\security\cacerts -trustcacerts -file C:\Users\Administrator\geocodio.pem
Certificate was added to keystore

Back in the browser, ran the same program to do a REST call and it worked fine.
No idea what could have happened.
There's plenty of google results on this issue, but none that seemed like they really applied to us, but at least this got the site working again.

jaymer...

pbrad

Hey Jaymer,
I know that this post is from a couple of years ago but I am hoping that it might be somewhat fresh in you mind.

I am wanting to build out integration with Xano. The first step is to get a token back from Xano and I can easily do this in Postman. However, when I try it in AwareIM I get the error: Service provider returned the following error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have basically followed your instructions above and from other sites.

Go to https://x8ki-letl-twmt.n7.xano.io/api:V5n5t97b in Firefox, Click on the SSL lock icon and follow steps to export .pem file
In Keytool, I ran C:\AwareIM\JDK\bin>keytool -import -storepass xxxxx -noprompt -alias xxxxx -keystore C:\AwareIM\Tomcat\conf\xxxxx -trustcacerts -file C:\xano\xano.pem and I received the result: “Certificate was added to keystore”
In Keytool I ran C:\AwareIM\JDK\bin>keytool -list -v -keystore C:\AwareIM\Tomcat\conf***** and in the return is the section:
Alias name: *.n7.xano.io
Creation date: May 10, 2022
Entry type: trustedCertEntry

Owner: CN=*.n7.xano.io
Issuer: C=US, O=Bitdefender, OU=IDS, CN=Bitdefender Personal CA.Net-Defender
Serial number: e1549426246a9cdde0fa3f17f4233ee5
Valid from: Tue Apr 12 18:43:52 UTC 2022 until: Mon Jul 11 18:43:51 UTC 2022
Certificate fingerprints:
MD5: 9F:35:1E:CB:9D:36:8E:1B:16:08:13:2C:90:80:70😃E
SHA1: 9B:AA:79:F2:AC:79:19:FF:19:91:6A:7D:7F:04:E4:E3:16:A3😃9:6B
SHA256: 5D:4A:F0:C1:32:77:ED:CB:58:FB😃2:AF:92:29:CA😃2:AE:7A😃3:B8:50:FD😃0:6B:00:5B:7F:67:78:8C:49:EE
Signature algorithm name: SHA256withECDSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.b2.xano.io
DNSName: *.e2.xano.io
DNSName: *.f2.xano.io
DNSName: *.m2.xano.io
DNSName: *.n2.xano.io
DNSName: *.n7.xano.io
DNSName: *.s2.xano.io
]

So it would appear that everything should work? However, I still get the same error. Do you have any ideas on what I might have done wrong or what steps I might try?

Cheers,
Pete

Jaymer

no idea other than whats online
https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ

pbrad

Thanks for getting back to me, I appreciate it. Integrations with AwareIM are my least favourite task. This doesn't seem like rocket science but SSL is something that I generally only touch every few years and so I am no SSL expert.

pbrad

So an open call to anybody that has a degree of expertise with the keytool and SSL. As per above, I am having issues importing cacerts into the trusted zone and would really appreciate a second set of eyes on it. We would be willing to pay for a successful result if necessary.
Cheers,
Pete

hpl123

Can´t help with the specific problems Pete but can say I also had a lot of issues with this a year back or so, the old guides/tips/documentation I had and also what´s written in the forums didn´t work any longer and I couldn´t get it to work no matter what I did. In the end I gave it up and went the reverse proxy way instead so is a tip to look into and is quite easy to configure.

Regarding "real" SSL certs etc. in Aware, I would also appreciate somebody (or support?) sharing step by step with newer versions how this can be set up.

pbrad

Thanks Henrik, I will check that out.
Cheers,
Pete

pbrad

Henrik,
We use Cloudflare which I am assuming is a reverse proxy, I don't suppose that is the same one you use?
Pete

hpl123

Not sure Cloudflare can be used as a reverse proxy. I am on Windows and doing this in IIS is very easy: https://medium.com/@gusterwoei/how-to-configure-reverse-proxy-on-windows-iis-52a48b90163a . I know others use NGINX for Aware apps and can be used on different OSs I think and from what I understand equally easy to set up.