[Solved] Out of the blue Java SSL Error. PKIX

Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Post by Jaymer »

Today on a customer's server, we tried an older routine which probably hadn't been run in a few months.
It was a simple REST API call.
Yet it returned an odd error:
PKIX path building failed sun.security.provider.certpath.suncertpathbuilderexception
SunCertPathBuilderException: unable to find valid certification path to requested target

We had received that error a few months back when trying to connect to a MS Exchange server - and the company's admin was able to correct a certificate issue on their end, so we had to do nothing.

But I'd never seen it in relation to a REST call.
It makes sense though, because our endpoint was https:// so SSL was involved.

To fix it, I had to request a certificate:
1) Install openssl on windows
2) this hits the REST provider:

"\Program Files\OpenSSL-Win64\bin\openssl" s_client  -connect api.geocod.io:443

3) Having that provide an acceptable result, then parse that result into a .pem file:

C:\Users\Administrator>"\Program Files\OpenSSL-Win64\bin\openssl" s_client  -connect api.geocod.io:443 | "\Program Files\OpenSSL-Win64\bin\openssl" x509 -outform PEM >geocodio.pem

4) That .pem file should contain data like this now:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

5) Now add that certificate to our Java keystore:

C:\Users\Administrator>cd C:\AwareIM\JDK\bin
C:\AwareIM\JDK\bin>keytool -import -storepass <yourpasshere> -noprompt -alias geocodio -keystore \AwareIM\JDK\lib\security\cacerts -trustcacerts -file C:\Users\Administrator\geocodio.pem
Certificate was added to keystore

Back in the browser, ran the same program to do a REST call and it worked fine.
No idea what could have happened.
There's plenty of google results on this issue, but none that seemed like they really applied to us, but at least this got the site working again.

jaymer...
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
pbrad
Posts: 781
Joined: Mon Jul 17, 2006 11:03 pm
Location: Ontario, Canada

Post by pbrad »

Hey Jaymer,
I know that this post is from a couple of years ago but I am hoping that it might be somewhat fresh in your mind.

I am wanting to build out integration with Xano. The first step is to get a token back from Xano and I can easily do this in Postman. However, when I try it in AwareIM I get the error: Service provider returned the following error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have basically followed your instructions above and from other sites.
1. Go to https://x8ki-letl-twmt.n7.xano.io/api:V5n5t97b in Firefox, Click on the SSL lock icon and follow steps to export .pem file
2. In Keytool, I ran C:\AwareIM\JDK\bin>keytool -import -storepass xxxxx -noprompt -alias xxxxx -keystore C:\AwareIM\Tomcat\conf\xxxxx -trustcacerts -file C:\xano\xano.pem and I received the result: “Certificate was added to keystore”
3. In Keytool I ran C:\AwareIM\JDK\bin>keytool -list -v -keystore C:\AwareIM\Tomcat\conf\***** and in the return is the section:
Alias name: *.n7.xano.io
Creation date: May 10, 2022
Entry type: trustedCertEntry

Owner: CN=*.n7.xano.io
Issuer: C=US, O=Bitdefender, OU=IDS, CN=Bitdefender Personal CA.Net-Defender
Serial number: e1549426246a9cdde0fa3f17f4233ee5
Valid from: Tue Apr 12 18:43:52 UTC 2022 until: Mon Jul 11 18:43:51 UTC 2022
Certificate fingerprints:
MD5: 9F:35:1E:CB:9D:36:8E:1B:16:08:13:2C:90:80:70:DE
SHA1: 9B:AA:79:F2:AC:79:19:FF:19:91:6A:7D:7F:04:E4:E3:16:A3:D9:6B
SHA256: 5D:4A:F0:C1:32:77:ED:CB:58:FB:D2:AF:92:29:CA:D2:AE:7A:D3:B8:50:FD:D0:6B:00:5B:7F:67:78:8C:49:EE
Signature algorithm name: SHA256withECDSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.b2.xano.io
DNSName: *.e2.xano.io
DNSName: *.f2.xano.io
DNSName: *.m2.xano.io
DNSName: *.n2.xano.io
DNSName: *.n7.xano.io
DNSName: *.s2.xano.io
]

So it would appear that everything should work? However, I still get the same error. Do you have any ideas on what I might have done wrong or what steps I might try?

Cheers,
Pete
Pete Bradstreet
Contract developer of commercialized applications

AwareIM Ver. 8.2
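
The listing in the post above is a pinned host certificate (Owner CN=*.n7.xano.io) whose Issuer names a Bitdefender CA rather than a public one and whose validity window is about three months. The Python sketch below is an added example, not code from anyone in the thread: it parses `keytool -list -v` output and flags entries that are not self-signed roots, are outside their validity window, or do not match the SHA-256 fingerprint the server presents to the Java host; the sample listing, fingerprints and function names are constructed.

```python
import re
from datetime import datetime, timezone

FIELD = re.compile(r"^\s*(Alias name|Owner|Issuer|Valid from|SHA256): (.+)$", re.M)
REQUIRED = {"Alias name", "Owner", "Issuer", "Valid from", "SHA256"}
DATE = re.compile(r"\w{3} (\w{3}) +(\d+) ([\d:]{8}) \w+ (\d{4})")

def _date(text):
    # "Tue Apr 12 18:43:52 UTC 2022": zone token ignored, treated as UTC (assumption)
    mon, day, hms, year = DATE.search(text).groups()
    stamp = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def norm(fp):
    # Accepts "AA:BB:..." or openssl's "sha256 Fingerprint=AA:BB:..."
    return fp.split("=")[-1].replace(":", "").strip().upper()

def parse_entries(listing):
    entries = []
    for block in re.split(r"(?m)^(?=Alias name: )", listing):
        e = {k: v.strip() for k, v in FIELD.findall(block)}
        if not REQUIRED.issubset(e):
            continue  # keystore header or an entry without a certificate
        start, end = e["Valid from"].split(" until: ")
        e["not_before"], e["not_after"] = _date(start), _date(end)
        e["SHA256"] = norm(e["SHA256"])
        entries.append(e)
    return entries

def audit(entry, served_sha256, now):
    # served_sha256: "openssl x509 -noout -fingerprint -sha256" output from the Java host
    findings = []
    if entry["Owner"] != entry["Issuer"]:
        findings.append("not-self-signed-root")  # a pinned host cert stops matching on renewal
    if not entry["not_before"] <= now <= entry["not_after"]:
        findings.append("outside-validity")
    if norm(served_sha256) != entry["SHA256"]:
        findings.append("not-what-server-presents")
    return findings

# Constructed sample shaped like the listing in the thread; every value is made up.
PINNED = ":".join(["AB"] * 32)
SAMPLE = f"""Alias name: example-api
Owner: CN=*.api.example.test
Issuer: C=US, O=Example Scanner, CN=Example Personal CA
Valid from: Tue Apr 12 18:43:52 UTC 2022 until: Mon Jul 11 18:43:51 UTC 2022
\t SHA256: {PINNED}
"""

print(audit(parse_entries(SAMPLE)[0], "CD" * 32, datetime(2022, 8, 1, tzinfo=timezone.utc)))
```

Feed it the listing of the keystore the JVM actually reads as its truststore: unless `javax.net.ssl.trustStore` is set, that is `lib\security\jssecacerts` or `lib\security\cacerts` under the JDK, the file the first post imported into.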
Jaymer

Post by Jaymer »

Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
pbrad

Post by pbrad »

Thanks for getting back to me, I appreciate it. Integrations with AwareIM are my least favourite task. This doesn't seem like rocket science but SSL is something that I generally only touch every few years and so I am no SSL expert.
pbrad

Post by pbrad »

So an open call to anybody that has a degree of expertise with the keytool and SSL. As per above, I am having issues importing cacerts into the trusted zone and would really appreciate a second set of eyes on it. We would be willing to pay for a successful result if necessary.
Cheers,
Pete
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Post by hpl123 »

Can't help with the specific problems Pete but can say I also had a lot of issues with this a year back or so, the old guides/tips/documentation I had and also what's written in the forums didn't work any longer and I couldn't get it to work no matter what I did. In the end I gave it up and went the reverse proxy way instead so is a tip to look into and is quite easy to configure.

Regarding "real" SSL certs etc. in Aware, I would also appreciate somebody (or support?) sharing step by step with newer versions how this can be set up.
Henrik (V8 Developer Ed. - Windows)
pbrad

Post by pbrad »

Thanks Henrik, I will check that out.
Cheers,
Pete
pbrad

Post by pbrad »

Henrik,
We use Cloudflare which I am assuming is a reverse proxy, I don't suppose that is the same one you use?
Pete
hpl123

Post by hpl123 »

Not sure Cloudflare can be used as a reverse proxy. I am on Windows and doing this in IIS is very easy: https://medium.com/@gusterwoei/how-to-c ... a48b90163a . I know others use NGINX for Aware apps and can be used on different OSs I think and from what I understand equally easy to set up.