*SOLVED* PKIX path building failed.

rocketman
Posts: 1252
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK

*SOLVED* PKIX path building failed.

Post by rocketman »

Anybody know what this is and how to fix?

Service provider returned the following error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Scenario. I'm running two Business spaces on my testing server. I have a spare domain name which I am pointing at the server. BS1 consumes a REST service, BS2 exposes a REST service. If I paste the url to BS2 into a browser address bar, I get the data returned that I am expecting, but when I try to call the service from BS1, I get the above message.

The server certificate is valid
Last edited by rocketman on Mon Mar 25, 2024 11:54 pm, edited 7 times in total.
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
joben
Posts: 230
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden

Re: PKIX path building failed.

Post by joben »

Could you please confirm that the certificate chain is valid?

This tool should do the trick: (this assumes that your application is accessible from the internet)
https://decoder.link/sslchecker

Oftentimes when I have seen SSL certificate errors where only certain clients had problems accessing it, it had to do with a faulty chain.
Regards, Joakim

rocketman
Posts: 1252
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK

Re: PKIX path building failed.

Post by rocketman »

joben wrote: Mon Mar 25, 2024 1:06 pm Could you please confirm that the certificate chain is valid?

This tool should do the trick: (this assumes that your application is accessible from the internet)
https://decoder.link/sslchecker

Oftentimes when I have seen SSL certificate errors where only certain clients had problems accessing it, it had to do with a faulty chain.

Hi, it says the chain doesn't contain any intermediate certificates.
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
joben
Posts: 230
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden

Re: PKIX path building failed.

Post by joben »

Bingo.
The intermediate certificate is often included as a separate file when you get it from your provider. Otherwise you can just download it from their website.

If you are lucky you can just open your certificate files in notepad and see text like this:
-----BEGIN CERTIFICATE-----
yadayadayada
-----END CERTIFICATE-----

Then you can just paste the contents of the intermediate certificate file underneath it.

But if it is pfx format or similar you will need to do extra steps because that thing can't just be edited.
You will also have to restart your Tomcat server for the changes to take place.

Hope this will lead you in the right direction.
Regards, Joakim

rocketman
Posts: 1252
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK

Re: PKIX path building failed.

Post by rocketman »

joben wrote: Mon Mar 25, 2024 1:32 pm Bingo.
The intermediate certificate is often included as a separate file when you get it from your provider. Otherwise you can just download it from their website.

Just reactivating my cert now. It's a cheapo from https://www.ssls.com/ If memory serves, I have to create a TXT record in my service provider's DNS section to point to the intermediate. Will keep you posted, thanks for the tips
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
rocketman
Posts: 1252
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK

Re: PKIX path building failed.

Post by rocketman »

joben wrote: Mon Mar 25, 2024 1:32 pm Bingo.
The intermediate certificate is often included as a separate file when you get it from your provider. Otherwise you can just download it from their website.

All fixed and busy writing up notes for 10 months' time when I need to renew the cert ('cos I'll have forgotten by then). It would seem that initially I installed a "Trusted Certificate" I got with the original download, which was really basic but satisfied the requirements for simple SSL. There must have been a private key sent separately via email (which I cannot now find) that would have allowed me to install the private key and the CA-Bundle as a key pair. Fortunately I was able to extract the private key from the current keystore and use it to generate a new keystore with the CA-Bundle. I'm learning slowly and will get there eventually :roll:

So now in the logs I'm seeing the exposing BS (BS2) correctly do the search, get the results I expect, create the abridged records for sending to BS1 - but nothing comes across - ("Service provider returned the following error: null") but now at least I can do some debugging.

Just one question if I may. When exposing a REST service (BS2), where do I find the API key that I need to enter into the consuming server (BS1)? Can't find that in any of Vlad's videos.
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
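
An added example, not part of the thread and not Aware IM or Tomcat code: a check for the condition joben diagnosed (no intermediate in the chain) and for the keystore rocketman rebuilt with the CA-Bundle. It lists the chain stored with each private-key entry of a Java keystore, which is the chain a JSSE server presents, and flags a leaf-only or misordered chain. The keystore path, type and password are command-line arguments, and the class name `ChainCheck` is made up for this example.

```java
// Added example. Run with: java ChainCheck.java <keystore> <JKS|PKCS12> <password>
// The password on argv is visible to other local users; fine on a test box.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class ChainCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java ChainCheck.java <keystore> <JKS|PKCS12> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        boolean problem = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;          // skip trusted-cert-only entries
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue;  // e.g. secret-key entry
            System.out.println("alias " + alias + ": " + chain.length + " certificate(s)");
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("  [" + i + "] subject=" + c.getSubjectX500Principal().getName());
                System.out.println("      issuer =" + c.getIssuerX500Principal().getName());
                // Each certificate must be issued by the next one in the chain.
                if (i + 1 < chain.length) {
                    X509Certificate next = (X509Certificate) chain[i + 1];
                    if (!c.getIssuerX500Principal().equals(next.getSubjectX500Principal())) {
                        System.out.println("  BROKEN: [" + i + "] is not issued by [" + (i + 1) + "]");
                        problem = true;
                    }
                }
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            boolean selfSigned = leaf.getIssuerX500Principal().equals(leaf.getSubjectX500Principal());
            if (chain.length == 1 && !selfSigned) {       // CA-issued leaf with nothing above it
                System.out.println("  INCOMPLETE: leaf only, no intermediate certificates");
                problem = true;
            }
        }
        System.exit(problem ? 1 : 0);
    }
}
```

Exit status 1 means at least one key entry would be served without a usable chain. Java clients do not fetch missing intermediates by default, which is why a browser can load the URL while the REST call fails with the PKIX error.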
rocketman
Posts: 1252
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK

Re: *SOLVED* PKIX path building failed.

Post by rocketman »

All issues resolved - many thanks to Joben for his speedy (and accurate) response
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
joben
Posts: 230
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden

Re: *SOLVED* PKIX path building failed.

Post by joben »

Glad to hear!

I suggest opening a new thread regarding the API question so that others can find it easier.
Regards, Joakim
