unable to find a valid certification path to requested target

3

11

I am making a post request using a restTemplate and I am getting the following error: unable to find a valid certification path to requested target

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'transformToListClass': Invocation of init method failed; nested exception is java.lang.RuntimeException: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://emploenefitsdev/rion/v1/rion/": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: java.lang.RuntimeException: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://emploenefitsdev/rion/v1/rion/": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://emploenefitsdev/rion/v1/rion/": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

And my method below:

    public ImageDescriptor generateImage(String payLoad, String templateName, String slogPrefix) {
        try {
            ImageDescriptor descriptor = new ImageDescriptor();

            String myEUrl = "https://emploenefitsdev/rion/v1/rion/";
            String eURL = myEUrl.concat(Constant.F_SLASH).concat(templateName);

            log.info("payload" + payLoad);

            ResponseEntity<Resource> responseEntity = restTemplate.exchange(
                    eURL,
                    HttpMethod.POST,
                    niService.getStringHttpEntityWithPayload(payLoad),
                    Resource.class);
            log.info(String.format("%s generateImage Result: [%s] ", slogPrefix, responseEntity.getStatusCode()));
            descriptor.setInputStream(Objects.requireNonNull(responseEntity.getBody()).getInputStream());

            convert(responseEntity.getBody().getInputStream(), "sherrr.pdf");

            log.info("file is:"+ convert(responseEntity.getBody().getInputStream(), "sherrr.pdf"));


            return descriptor;
        } catch (IOException e) {
            e.printStackTrace();
            log.error("Error: " + slogPrefix + " generate image failed " + e.getMessage());
            throw new RuntimeException(e);
        }
    }
Infraction answered 19/8, 2020 at 7:52 Comment(0)
37

The request is failing while making a connection from the client to the server. The reason behind the failure is the client's inability to validate the server's identity/certificate. During the client-server handshake, the client needs the issuer/root certificates to validate the server's identity. Most of the root certificates issued by well-known trusted authorities are shipped with the JDK and are present in the keystore file called cacerts.

Let's talk about your case. It could potentially fall into one of the following categories.

  • The server is using a certificate issued by a certificate authority whose root and intermediate certificates are not present in the JDK.
  • The server is using a certificate issued by an in-house CA.
  • The server is using a self-signed certificate.

You need to add the root and intermediate certificates to the Java cacerts keystore.

One way to obtain the root and intermediate certificates is by visiting the server site in the browser. Click on the secure padlock in the URL bar and explore the certificate option. You need to export the root and intermediate certificates by using the copy option and save the cert file on your system.

Go to the location, e.g. C:\Program Files\Java\jdk1.8.0_121\jre\lib\security, where cacerts is present and open the command prompt to execute the following command.

    keytool -import -alias aliasName -file pathToRootCA.crt -keystore cacerts

The default password is changeit

Foofaraw answered 19/8, 2020 at 16:15 Comment(3)
In my case the server has a CA-signed certificate, why do I need to do this manually? Any option in Java code? - Expediential
If the client has the server's root and intermediate certificates, then instead of adding them to the Java default truststore, one can programmatically create a custom truststore in Java inside the app. - Foofaraw
This should be flagged as the answer. I've seen some responses about the same issue, but none of them were as clear as this one. - Lund
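
The custom truststore mentioned in the comments above, as an added example that is not part of the original answers: it merges the JDK default trust anchors with the exported root/intermediate certificates in memory, so cacerts is left untouched and certificate validation stays on. The class name `ExtraCaTrust` and the certificate file argument are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ExtraCaTrust {

    /** Builds an SSLContext trusting the JVM's default anchors plus the CA certificates in caFile. */
    public static SSLContext sslContextWithExtraCa(Path caFile) throws Exception {
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        // Start from what the JVM already trusts (cacerts, or -Djavax.net.ssl.trustStore).
        TrustManagerFactory defaults = TrustManagerFactory.getInstance(alg);
        defaults.init((KeyStore) null);

        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // empty in-memory store, nothing is written to disk
        int n = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    merged.setCertificateEntry("default-" + n++, c);
                }
            }
        }
        // Add the exported root/intermediate certificates (PEM or DER, one or several).
        try (InputStream in = Files.newInputStream(caFile)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                merged.setCertificateEntry("extra-" + n++, c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(merged);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextWithExtraCa(Paths.get(args[0])); // args[0]: hypothetical CA file
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

To use it with RestTemplate, hand `ctx.getSocketFactory()` to the HTTP client behind the request factory, for example by overriding `prepareConnection` in `SimpleClientHttpRequestFactory` and calling `setSSLSocketFactory` on the `HttpsURLConnection`.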
0

If cacerts includes the root CA certificate and you still see the error, ensure that your Java program is picking up the correct keystore. It can happen that it is picking up a keystore other than cacerts.

Palomino answered 10/1, 2023 at 6:43 Comment(0)
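
One way to check which truststore the running JVM actually uses, as an added example that is not part of the original answer: it follows the JSSE lookup order (the `javax.net.ssl.trustStore` property, then `jssecacerts`, then `cacerts` under `java.home`) and tests whether a given CA certificate is among the trusted anchors. The class name `WhichTrustStore` and the certificate file argument are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class WhichTrustStore {

    /** Resolves the trust store file using the JSSE default lookup order. */
    static Path effectiveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return Paths.get(override);
        Path dir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = dir.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : dir.resolve("cacerts");
    }

    /** True if the certificate in caFile is one of the anchors this JVM trusts by default. */
    static boolean isTrustedAnchor(Path caFile) throws Exception {
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(caFile)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager
                    && Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()).contains(ca)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home   : " + System.getProperty("java.home"));
        System.out.println("trust store : " + effectiveTrustStore());
        if (args.length > 0) { // args[0]: hypothetical path to the exported CA certificate
            System.out.println("CA trusted  : " + isTrustedAnchor(Paths.get(args[0])));
        }
    }
}
```

Run it with the same `java` binary and the same `-D` options as the failing application; a different `java.home` or a `javax.net.ssl.trustStore` override shows up directly in the output.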
0

For those who are using OpenJDK, you can run the command below:

    sudo keytool -import -trustcacerts -keystore /opt/homebrew/Cellar/openjdk\@17/17.0.8/libexec/openjdk.jdk/Contents/Home/lib/security/cacerts -storepass {your store password if any} -noprompt -alias {any random name alias} -file {your path to certificate.cer}

Replace the JDK version above based on what you have installed on your machine. If you want to change the default Java version, you can run /usr/libexec/java_home -v 17. Replace 17 with the desired version.

In order to download a certificate of a URL, do the following:

  1. Open the URL in Chrome and click on the lock button at the start of the address bar
  2. Click on "Connection is secure"
  3. Then click on "Certificate is valid", on which a pop-up comes up
  4. Go to the Details tab and click on Export, on which the certificate will be downloaded

Cymatium answered 5/9, 2023 at 11:2 Comment(0)
