*SOLVED* PKIX path building failed.

If you have questions or if you want to share your opinion about Aware IM post your message on this forum
Post Reply
rocketman
Posts: 1254
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK
Contact:

*SOLVED* PKIX path building failed.

Post by rocketman »

Anybody know what this is and how to fix?

Service provider returned the following error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Scenario. I'm running two Business spaces on my testing server. I have a spare domain name which I am pointing at the server. BS1 consumes a REST service, BS2 exposes a REST service. If I paste the url to BS2 into a browser address bar, I get the data returned that I am expecting, but when I try to call the service from BS1, I get the above message.

The server certificate is valid
Last edited by rocketman on Mon Mar 25, 2024 11:54 pm, edited 7 times in total.
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
joben
Posts: 235
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden
Contact:

Re: PKIX path building failed.

Post by joben »

Could you please confirm that the certificate chain is valid?

This tool should do the trick: (this assumes that your application is accessible from the internet)
https://decoder.link/sslchecker

Oftentimes when I have seen SSL certificate errors where only certain clients had problems accessing it, it had to do with a faulty chain.
Regards, Joakim

Image
rocketman
Posts: 1254
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK
Contact:

Re: PKIX path building failed.

Post by rocketman »

joben wrote: Mon Mar 25, 2024 1:06 pm Could you please confirm that the certificate chain is valid?

This tool should do the trick: (this assumes that your application is accessible from the internet)
https://decoder.link/sslchecker

Oftentimes when I have seen SSL certificate errors where only certain clients had problems accessing it, it had to do with a faulty chain.
Hi, It says the chain doesn't contain any intermediate certificates
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
joben
Posts: 235
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden
Contact:

Re: PKIX path building failed.

Post by joben »

Bingo.
The intermediate certificate is often included as a separate file when you get it from your provider. Otherwise you can just download it from their website.

If you are lucky you can just open your certificate files in notepad and see text like this:
-----BEGIN CERTIFICATE-----
yadayadayada
-----END CERTIFICATE-----

Then you can just paste the contents of the intermediate certificate file underneath it.

But if it is pfx format or similar you will need to do extra steps because that thing can't just be edited.
You will also have to restart your Tomcat server for the changes to take place.

Hope this will lead you in the right direction.
Regards, Joakim

Image
rocketman
Posts: 1254
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK
Contact:

Re: PKIX path building failed.

Post by rocketman »

joben wrote: Mon Mar 25, 2024 1:32 pm Bingo.
The intermediate certificate is often included as a separate file when you get it from your provider. Otherwise you can just download it from their website.

Just reactivating my cert now. It's a cheapo from https://www.ssls.com/ If memory serves, I have to create a TXT record in my service provider's DNS section to point to the intermediate. Will keep you posted, thanks for the tips
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
rocketman
Posts: 1254
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK
Contact:

Re: PKIX path building failed.

Post by rocketman »

joben wrote: Mon Mar 25, 2024 1:32 pm Bingo.
The intermediate certificate is often included as a separate file when you get it from your provider. Otherwise you can just download it from their website.
All fixed and busy writing up notes for 10 month's time when I need to renew the cert ('cos I'll have forgotten by then.) It would seem that initially I installed a "Trusted Certificate" I got with the original download - which was really basic but satisfied the requirements for simple SSL. There must have been a private key sent separately via email (which I cannot now find) that would have allowed me to install the private key and the CA-Bundle as a key pair. Fortunately I was able to extract the private key from the current keystore and use it to generate a new keystore with the CA-Bundle. I'm learning slowly and will get there eventually :roll:

So now in the logs I'm seeing the exposing BS (BS2) correctly do the search, get the results I expect, create the abridged records for sending to BS1 - but nothing comes across - ("Service provider returned the following error: null") but now at least I can do some debugging.

Just one question if I may. When exposing a REST service (BS2)- where do I find the API key that I need to enter into the consuming server? (BS1). Can't find that in any of Vlad's videos
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
rocketman
Posts: 1254
Joined: Fri Jan 02, 2009 11:22 pm
Location: Preston UK
Contact:

Re: *SOLVED* PKIX path building failed.

Post by rocketman »

All issues resolved - many thanks to Joben for his speedy (and accurate) response
Rocketman

V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
joben
Posts: 235
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden
Contact:

Re: *SOLVED* PKIX path building failed.

Post by joben »

Glad to hear!

I suggest opening a new thread regarding the API question so that others can find it easier.
Regards, Joakim

Image
Post Reply