SunCertPathBuilderException: unable to find valid certification path to requested target

1. Problem

A local Tomcat instance was set up to support SSL, and this web service was deployed to it for testing. Connecting to the deployed web service over SSL at https://localhost:8443/HelloWorld/hello?wsdl fails with the following exception:

Terminal

javax.net.ssl.SSLHandshakeException: 
   sun.security.validator.ValidatorException: PKIX path building failed: 
   sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
       
Caused by: sun.security.validator.ValidatorException: 
   PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
       
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target

2. Solution

The cause of the problem and its solution are both well explained in this article.

InstallCert is no longer hosted by Sun; it is now on GitHub: https://github.com/escline/InstallCert

P.S. Credit to users Charles and Lúthien.

2.1 Get InstallCert.java

2.2 Add Trusted Keystore
Run InstallCert with your hostname and HTTPS port, and press 1 when asked for input. It adds the certificate presented by localhost to a trusted keystore and generates a file named jssecacerts.

Terminal

C:\>java InstallCert localhost:8443
Loading KeyStore C:\Program Files\Java\jre6\lib\security\cacerts...
Opening connection to localhost:8443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.
provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at InstallCert.main(InstallCert.java:87)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertP
athBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:182)
        ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to reques
ted target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 15 more

Server sent 1 certificate(s):

 1 Subject CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   Issuer  CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   sha1    32 3e 15 42 96 ba e9 4d 9c 5d e7 5e 6b 0f 30 23 b4 e3 f4 98
   md5     c8 dd a1 af 9f 55 a0 7f 6e 98 10 de 8c 63 1b a5

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

[
[
  Version: V3
  Subject: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 1129473579651954554552730664834664064459539051598864058082387115962631728819634110255367718769683451438528187
923246533854744470790959477657386037636238098777089479256059697784394926741427654735994678054030193662669088404706890444
59364523220747231216704221781747262219695262340353839314222273672957748320603247
  public exponent: 65537
  Validity: [From: Tue Dec 14 15:13:51 SGT 2010,
               To: Mon Mar 14 15:13:51 SGT 2011]
  Issuer: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
  SerialNumber: [    4d07192f]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 38 E4 F4 D9 51 B1 5F C1   01 13 32 79 DE 97 26 58  8...Q._...2y..&X
0010: 13 08 F1 A0 33 DB B9 90   AF EE 9E AE B9 9B 68 7D  ....3.........h.
0020: DF E8 7D 79 9D 92 24 4A   76 C9 4C 28 DA 68 B0 62  ...y..$Jv.L(.h.b
0030: FF AB 27 03 5C DD 1F C8   77 A2 25 18 DF 0C DC FD  ..'.\...w.%.....
0040: D3 39 5D 18 B4 BA 4B 36   8C FD C5 80 FF F2 E3 4D  .9]...K6.......M
0050: 0A 28 57 B9 04 D8 25 F6   FB CA DA 13 0C 36 FB 02  .(W...%......6..
0060: 9A B3 B1 28 46 D1 8E C7   D9 1A 5B CE BB A6 6F FD  ...(F.....[...o.
0070: 6D F2 35 D9 95 43 6E 38   2A 56 E7 31 21 D9 F0 90  m.5..Cn8*V.1!...

]

Added certificate to keystore 'jssecacerts' using alias 'localhost-1'

2.3 Verify Trusted Keystore
Run the InstallCert command again; the connection should be OK now.


C:\>java InstallCert localhost:8443
Loading KeyStore jssecacerts...
Opening connection to localhost:8443...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 1 certificate(s):

 1 Subject CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   Issuer  CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   sha1    32 3e 15 42 96 ba e9 4d 9c 5d e7 5e 6b 0f 30 23 b4 e3 f4 98
   md5     c8 dd a1 af 9f 55 a0 7f 6e 98 10 de 8c 63 1b a5

Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed

C:\>

2.4 Copy jssecacerts
Copy the generated jssecacerts file to your $JAVA_HOME\jre\lib\security folder.

Run your web service client again; it should work now.
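
As an added example (not part of the original article or of the InstallCert project), the client below trusts only the certificate stored under the alias localhost-1, and only for its own connection, instead of copying jssecacerts into the JRE where every Java application on the machine would trust it. It first checks the stored certificate against a SHA-256 fingerprint obtained from the server's own keystore. Assumptions: the class name ScopedTrustClient, the keystore password changeit, and the fingerprint passed as the first argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ScopedTrustClient {

    // Hex SHA-256 fingerprint of the certificate's DER encoding.
    static String sha256(X509Certificate cert) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Build an SSLContext that trusts exactly one certificate taken from the keystore.
    static SSLContext contextFor(String path, char[] pass, String alias, String pin)
            throws Exception {
        KeyStore source = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            source.load(in, pass);
        }
        X509Certificate cert = (X509Certificate) source.getCertificate(alias);
        if (cert == null) throw new IllegalStateException("alias not found: " + alias);
        cert.checkValidity(); // fails closed on an expired or not-yet-valid certificate
        String actual = sha256(cert);
        if (!actual.equalsIgnoreCase(pin))
            throw new SecurityException("fingerprint mismatch, keystore has " + actual);
        KeyStore single = KeyStore.getInstance(KeyStore.getDefaultType());
        single.load(null, null); // empty in-memory store, no other entries copied over
        single.setCertificateEntry(alias, cert);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(single);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0] (assumption): SHA-256 fingerprint read from the server's own keystore.
        // "changeit" is an assumed password; "localhost-1" is the alias from step 2.2.
        SSLContext ctx = contextFor("jssecacerts", "changeit".toCharArray(), "localhost-1", args[0]);
        URL url = new URL("https://localhost:8443/HelloWorld/hello?wsdl");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // default hostname check still applies
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the default hostname verifier stays in place, the connection still fails if the certificate does not name the host being contacted.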

About the Author

mkyong
Founder of Mkyong.com, love Java and open source stuff.

Comments

CodeJunkie

The above steps returned an error once I executed InstallCert:

Loading KeyStore /Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security/cacerts...
Opening connection to localhost:8443...
Exception in thread "main" java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:427)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:88)
at programs.General.InstallCert.main(InstallCert.java:87)

Mohamed

I have added the certificates to jssecacerts and checked the jssecacerts, and my certificates are listed, but I still get the same error.

vignesh kumar

G:>java InstallCert localhost:7070

Hi guys, I am getting this error. Please help me.

Loading KeyStore G:JDK7.0jrelibsecuritycacerts…
Opening connection to localhost:7070…
Starting SSL handshake…
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java
)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketI
java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:
)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:
)
at InstallCert.main(InstallCert.java:57)
Could not obtain server certificate chain

G:>

Charles

https://github.com/escline/InstallCert

I have used this generator and it works fine!

Lúthien

Brilliant! This issue fazed me for some time, but I got it fixed via this article. Just update the link to the utility; it’s on GitHub now: https://github.com/escline/InstallCert/issues

trackback
How to bypass certificate checking in a Java web service client

[…] SunCertPathBuilderException: unable to find valid certification path to requested target […]

trackback
SSL Mutual Authentication Issue - - Coding Answers

[…] http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certificat… This created jssecacerts file. I merged this with #1. keytool.exe” -importkeystore -srckeystore jssecacerts -destkeystore newKeystore.jks -srcstorepass <passwd> -deststorepass <password> […]

Frederic DEBARD

Great! Smart how-to.

Jason

I want a Java program to connect to a VMware Ubuntu PostgreSQL database using JDBC with SSL.

String url = "jdbc:postgresql://192.168.235.128:5432/lincdoc";
Properties props = new Properties();
props.setProperty("user","demo.data");
props.setProperty("password","aCTqjR3H");
props.setProperty("ssl","true");
connection = DriverManager.getConnection(url, props);

But I hit this error:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So I followed this post to solve the problem: http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/comment-page-1/#comment-72715

But I hit another error:

D:\Project\InstallCert\src>java com.aw.ad.util.InstallCert 192.168.235.128:8443
Loading KeyStore C:\Program Files\Java\jre6\lib\security\cacerts…
Opening connection to 192.168.235.128:8443…
Exception in thread "main" java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at…

trackback
Add SSL Certificate to Plumtree Publisher JRE « WebCenter Interaction, ALUI, Plumtree blog by Integryst

[…] import the SSL certificate from the imageserver – is after the break. [Credit goes to mkyong for outlining the majority of the procedure. The link for the code referenced there was broken, so […]

Clydefrog

Nice tutorial Yong!

The website “http://blogs.sun.com/andreas/resource/InstallCert.java” doesn’t work anymore, though. Try this one instead: http://code.google.com/p/java-use-examples/source/browse/#svn%2Ftrunk%2Fsrc%2Fcom%2Faw%2Fad%2Futil%253Fstate%253Dclosed

Satya

Hello,
Does the “java InstallCert” command need to run on the web server where the JSP page is running, or on the user machine where the user is accessing the JSP page?
Thank you.
Satya

trackback
Query on jvm truststore and jssecacerts file? | PHP Developer Resource

[…] certificate in JAVA-HOME/jre/lib/security . To do the same , I have followed the steps given at http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certificat…. Same steps are suggested across the different forums. But still i get the same SSL handshake error […]

Mahesh

When connecting to our client production server from our production server over https, we are getting this exception: java.net.SocketException: java.lang.ClassNotFoundException: org.ablogic.search.AllTrustSSLSocketFactory

Please help on this.

trackback
Java - Keystore Import (InstallCert.java) - Stan Kiselev Project
Infotechie

Hi Yong,

Nice tutorial. But I am still getting the same problem. My client is able to connect to the server without any error/exception. In my application we are generating a PDF from an HTML file. Now, when this PDF is generated, the error comes at that point.
No certificate error appears in the web browser.

Please provide your valuable suggestions.

Thanks.

ET Andes

Thanks a lot. As always, you’ve been a great help.

Nikolay

The web links are not working.

Tsadhate

Thanks for this, it was really useful to me 🙂

Anu

While running with the following command

C:\>java InstallCert localhost:8443

I am getting the following exception

Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts...
Exception in thread "main" java.lang.NoClassDefFoundError: InstallCert$SavingTrustManager
at InstallCert.main(InstallCert.java:88)
Caused by: java.lang.ClassNotFoundException: InstallCert$SavingTrustManager
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
... 1 more

William Valencia

Please update the links, these display 404 not found messages

trackback
SOAP Webservice is giving the below error | BlogoSfera

[…] Generating certificate using http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certificat…, but still getting the […]

subash

While running with the following command

C:\>java InstallCert localhost:8443

I am getting the following exception

C:\>java InstallCert localhost:8080
Loading KeyStore C:\Program Files\Java\jre1.7.0\lib\security\cacerts…
Opening connection to localhost:8080…
Starting SSL handshake…
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at InstallCert.main(InstallCert.java:87)
Could not obtain server certificate chain

Please attach the solution for this exception?

paramesh

C:\Users\291767>java InstallCert localhost:8443
Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts…
Opening connection to localhost:8443…
Exception in thread "main" java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
at InstallCert.main(InstallCert.java:94)

I am getting the above exception. Can you please give me a solution?

Ramesh V

Hi Yong,
I followed your steps as mentioned above.
Now I am able to create the certificate. I copied the generated “jssecacerts” file to the “$JAVA_HOME\jre\lib\security” folder.
Still I am getting the same error:
D:\MyStuff\TestCIMSweb>wsimport -p com.merge.cims.plugin -s src -d bin https://192.168.5.22/bah1100203_test/cimsservices/viewjob.svc?wsdl

error: failed to parse document at “https://192.168.5.22/bah1100203_test/cimsservices/viewjob.svc?wsdl”: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Do you have any suggestions if I missed anything?
Thank You

trackback
How to add Certificate to Apache Tomcat

[…] AGAIN, just trying to look up the error brings up LOTS of solutions, if you bothered to look: http://www.mkyong.com/webservices/ja…uested-target/ […]

sri

C:\cert>java InstallCert localhost:8080
Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts…
Opening connection to localhost:8080…
Starting SSL handshake…
Exception in thread "main" java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at InstallCert.main(InstallCert.java:87)

I have got the above exception. Can anyone help?