javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Hi all, We have an on premise application, 3 environments, dev, uat and prod. The application has an intergration with a reporting service. This integration works fine in dev and prod. We are using IIS to host this integration. In UAT I am seeing the exception in title: unable to find valid certification path to requested target A certficate (for domains) expired in UAT and was renewed by our internal certificate team Since it has been renewed, it seems to have been causing this issue Certificates are not my area of expertise so learning as I go at the moment, every day is a school day! The custom domain/certificate is what was renewed a little while ago. This has been applied in IIS to the necessary bindings. Our Mendix Service console, looks at CACerts constant, to load all the certificates required in outgoing connections. These are seprated by either ‘,’ or ‘;’, I don’t recall, but we only have the one set. It will then pick the one necessary for the outgoing connection(s) I have been through the forums and all the suggestions are to ensure we have the CACertificates constant set, we do. It’s always been set and has not changed. The certificate is reachable and I can see it. The constant is set to something like d:\reportCertUAT.cer. I have seen conflicting information around this being a .cer or another format. However, this constant hasn’t changed in years so it seems unlikey that this is the cause. This certificate is self signed by our org, it hasn’t changed in years and doesn’t expire for much longer. Many of the comments I can see from Googling this suggest the issue is that the ‘cacerts’ file used by Java, needs to trust the certificate/CA in order to use it. Because it doesn’t trust our certificate, it terminates the communication, I am leaning towards this being a issue with the cert and cacerts because it is self signed and it is not trusted by Java keystore by default. There are ways to add it, using the Java keytool that I am aware of. I’ve also used this keytool to check the contents of ‘cacerts’. Amending the ‘cacerts’ file was not something I had to do in dev when I renewed dev a litlte while back , which is what makes me a little hesitant to go this adding of the certificate to the keystore. Unfortunately we do not have access to the UAT environment here as it’s managed by one of our suppliers who will carry out the work on our behalf so resolving this myself is tricky. I need to be able to provide clear instructions on what is required for them to carry it out. Has anyone had a similar issue and am I missing something really obvious?