I'm having a similar problem as described here: the web server I talk to updated its SSL cert and now my app can't talk to it. I get a "PKIX path building failed" exception despite having a valid Verisign certificate.
What I don't understand is why the server works fine when I hit the same URL in a web browser.
The server is sending the whole certificate chain and I can see it in my web browser:
(Verisign root)
-> (VeriSign Class 3 Secure Server CA - G3)
-> (my server)
But for some reason, Java and the OpenSSL command line tools aren't seeing it. `wget` fails, and `openssl s_connect` only sees the intermediate "G3" certificate. Yet IE and Chrome - no problems.
What's going on here?
Seems that G3 is not considered trusted by Java and openssl.

What you see in the browser isn't necessarily the chain sent by the server, but it's rather the chain reconstructed by the browser. It's possible that Windows has the G3 intermediate CA as a trusted anchor, whereas the other clients don't.
To check the actual chain sent by the server, use `-showcerts` with `s_connect`. Make sure the chain is sent in the correct order: server certificate first, followed by intermediate certificates, if required.
(Also check that you're getting the correct certs, in case you're using SNI but versions of Java or OpenSSL that don't support it.)
A good tool to check this is the Qualys SSL labs test.
In addition, depending on how `wget` or `openssl` were installed, they often don't have a default list of trusted anchors, so you would have to give them a path to a bundle of CA certificates explicitly.

This can happen because the root certificate must reside locally (on the client) in order to be trusted. If the VeriSign root certificate in question is not trusted locally, then it doesn't matter if it's included in the chain sent by the server - it's not trusted by the client.