PKIX path building failed: sun.security.provider.c

2019-03-28 06:16发布

站内问答 / 前沿技术
1163 2 6

I am making Webservice call thru TLS connection(https) in Tomcat 7.x

While calling the WebService, I am getting following Error. What would be the issue? I have tried creating Certificates and CA.

FYI - https://sites.google.com/site/ddmwsst/create-your-own-certificate-and-ca

I imported CA certificate and other certificates and still I am getting this issue. Please advice.

Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://localhost:8443/myDomain/MyService?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:92)
... 37 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1902)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1032)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1328)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:632)
    at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:189)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:799)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:764)
    at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:123)
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:237)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:300)
    ... 43 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 61 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)

I am testing Certificates by creating locally. So I followed these steps.

Keys>keytool -genkey -alias TLS -keystore TLSKeyStore.jks -keyalg RSA -sigalg SHA1withRSA Keys>keytool -export -alias TLS -file TLS.cer -keystore TLSKeyStore.jks Keys>keytool -certreq -alias TLS -keystore TLSKeyStore.jks -file TLS.csr

CA>set RANDFILE=rand

CA>openssl req -new -keyout TLSkey.pem -out TLSreq.pem -config C:\OpenSSL-Win64\bin\openssl.cfg

CA>openssl x509 -signkey TLSkey.pem -req -days 3650 -in TLSreq.pem -out TLSroot.cer -extensions v3_ca

CA>openssl x509 -CA TLSroot.cer -CAkey TLSkey.pem -CAserial serial.txt -req -in ../Keys/TLS.csr -out ../Keys/TLSTestCA.cer -days 365

Keys>keytool -import -alias TLSCA -file ../CA/TLSroot.cer -keystore TLSKeyStore.jks Keys>keytool -import -alias TLS -file TLSTestCA.cer -keystore TLSKeyStore.jks

2条回答
唯我独甜
2楼-- · 2019-03-28 06:33

Finally I got the way to solve this issue.

Refer this InstallCert.java in this link. Run this program as Standalone by passing arguments as localhost:9443 and Program creates jssecacerts file under eclipse. Copy this jssecacerts file into your JDK_HOME\jre\lib\security\ folder. That should solve the issue

Happy TLS setup!!!

查看更多
0人赞 添加讨论(0) 举报
干净又极端
3楼-- · 2019-03-28 06:52

Here's an overall summary of how to import certificates to fix the following error:

Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to import certificates

  1. Go to URL in your browser, click on HTTPS certificate chain (little lock symbol next to URL address) to export the certificate
    • Click "more info" > "security" > "show certificate" > "details" > "export..".
    • Save as .der
    • Repeat for any certificates you need to import
  2. Locate $JAVA_HOME/jre/lib/security/cacerts

  3. Import all *.der files into the cacerts file using the following:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
sudo keytool -import -alias mysiteprod -keystore  $JAVA_HOME/jre/lib/security/cacerts -file prod.der
sudo keytool -import -alias mysitedev -keystore  $JAVA_HOME/jre/lib/security/cacerts -file dev.der

  4. The default keystore password is 'changeit'

  5. You can view the change that you made with this command that shows the Certificate fingerprint.

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

  6. If this doesn't solve the problem, try adding these java options as arguments:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
-Djavax.net.ssl.trustStorePassword="changeit"

My guess is that you might have missed a step. I was having the same error until I realized I imported the wrong certificate

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)