Restcall fails because JVM says it is unable to find valid certification path to requested target
When consuming webservices, sometimes the JVM says it is "unable to find valid certification path to requested target". The publishing server, tieka.nl, has a valid certificate from authority 'Let'sEncrypt'. I have no way to retreive the certificate, can not download it from any browser and the provider does not give it to me. Also, how should I make the certificate known to the JVM? It is the second time that I come across this problem. Previous one was with consuming a service of BAG, Basisregistratie adressen en gebouwen, a governmental institute, so maximum trustworthy. Their certificate comes from authority Quovadis. So it is not likely that the problem is the certificate. Apparently JVM does not find the certificate. In other words, how can I solve this problem? com.mendix.modules.microflowengine.MicroflowException: Error calling REST service at PostalcodeHousenumber.ACT_LUTieka_Get_AddressData (CallRest : 'Call REST PDOK/suggest postcode+huisnummerRecieve address-id') at PostalcodeHousenumber.SUB_Address_GetList (SubMicroflow : 'ACT_LUTieka_Get_AddressData') at PostalcodeHousenumber.ACT_Call_Address_GetSingleAddress (SubMicroflow : 'SUB_Address_GetList') Advanced stacktrace: at com.mendix.integration.actions.microflow.RestCallAction.execute(RestCallAction.scala:48) Caused by: com.mendix.systemwideinterfaces.MendixRuntimeException: java.security.PrivilegedActionException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.mendix.integration.util.PrivilegedUtil$.withPrivileged(PrivilegedUtil.scala:15)
Tim van Steenbergen
See this link for a discussion about how the root CA isn't trusted by Java by default. You'll need to upload the root CA into your modeler and the cloud portal. I was able to download this CA using Chrome. This was on a Mac so it's possible the end of the instructions might change slightly. It's the same general process though.
When I try to go to the URL you specified, I ended up here:
Upload this in your app, see here for documentation on certificate uploading etc.
For the doc that "test qert" mentioned: here (/howto/integration/use-a-client-certificate). Since at Tieka the certificate is not password-protected, this procedure is far simpeler than the docs describe. Better is:
+Some services require you to authenticate using a client certificate. A certificate can be public or protected with password.
+### A public certificate:
+- can get downloaded using the any browser,
+- saved as a .cer-file or a .P7B-file,
+- uploaded in the Project->Settings tab Certificates.
+And your project is ready for use.
+### A password protected certificate:
+If the certificate is password protected then downloading the certificate from the brower will get you a different filetype: .pfx. This how-to describes how to configure your app to use certificates of pfx-filetype.