3/26/2021 Unable to find valid certification path to requested target

Command Line Fanatic

A blog about technology, protocols, security, details and fanaticism

Unable to find valid certification path to requested target

A few weeks ago, I upgraded my laptop. Due to a bug in the latest OS/X, I wasn't able to transfer all of my files from my old computer to the new one, but since everything I do is in Subversion anyway, I didn't anticipate a major issue just reinstalling everything I needed. When it came time to install Java, I installed the latest JDK (1.8). Thinking little of it, I went back to my normal work, ran Maven, and immediately got the following stack trace:

[ERROR] Failed to execute goal on project reports: Could not resolve dependencies
for project com.xxoffice.reporting:reports:war:1.0-SNAPSHOT: Failed to collect
dependencies at com.qoppa.pdf:jPDFAssemble:jar:1.0: Failed to read artifact
descriptor for com.qoppa.pdf:jPDFAssemble:jar:1.0: Could not transfer artifact
com.qoppa.pdf:jPDFAssemble:pom:1.0 from/to xxoffice (https://maven.2xoffice.com/m2/repository):
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target -> [Help 1]
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
...

Whoa, what the heck was that? Scrolling up a bit, I saw that it was failing while trying to connect to my local Maven repository that I maintain for internal build artifacts. So, why would JDK 1.8 not be able to connect to my internal repository?

Fortunately for me, I know a thing or two about PKI and certificate hierarchies, so the error message wasn't complete gibberish. To make sense of the error and what it's actually complaining about, it's necessary to understand a little bit about how SSL works. The server in question — and any server to which connecting might result in the error message above — is protected by HTTPS, which is HTTP with SSL added on. SSL was designed to protect against a lot of different security problems, one of the most complex of which is the man-in-the-middle attack. For various reasons, internet traffic is particularly susceptible to active attacks whereby a malicious party pretends to be the server you're trying to talk to and intercepts your communications. To guard against this, SSL mandates (at the risk of slightly oversimplifying) that the server present a certificate that identifies it as the true bearer of the hostname you're trying to connect to; maven.2xoffice.com in this case. Of course, in and of itself, this provision is next to useless — after all, any attacker who can intercept your communications and masquerade as the target server can just as easily forge a certificate claiming to be the correct server.

As it turns out, this was a well-studied problem in cryptography circles in the mid 90's when SSL was designed — the solution is a Public Key Infrastructure (PKI). In this system, a handful of trusted parties are authorized to digitally sign certificates — in effect, "vouching for" the legitimacy of the bearer of the certificate. Such trusted parties are called certificate authorities.

With this brief background, the error message "unable to find valid certification path to requested target" begins to make some sense — what Java (by way of Maven) is trying to tell me is that the server presented a certificate, and the certificate did identify itself as the rightful bearer of the hostname maven.2xoffice.com. Furthermore, the certificate was properly digitally signed — unfortunately, not by a legitimate certificate authority.

So, what makes a certificate authority a "legitimate" one? Every SSL-capable client has its own answer; browsers, for example, have a list of trusted certificate authorities. They're identified by their own certificates (more specifically, by the secure hash of their certificate's contents). In Chrome, for instance, you can see a list of trusted certificate authorities' certificates by going into Settings->Manage Certificates (Figure 1) and seeing a list of several trusted "root" certificates (Figure 2). Any certificate signed by one of these roots will be trusted; untrusted ones will result in a warning message.

www.infinitepartitions.com/cgi-bin/showarticle.cgi?article=art032

Figure 1: Manage Certificate Settings

Figure 2: Trusted Certificates

Java, on the other hand, doesn't have a "Settings" tab; instead, it has a setup folder. Specifically, $JRE_HOME/lib/security. Here, there's a file named cacerts that lists all of the trusted root certificate authorities. You can view this list using the keytool that comes with the JDK:

$ keytool -list -keystore $JRE_HOME/lib/security/cacerts
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 85 entries

digicertassuredidrootca, Apr 16, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
trustcenterclass2caii, Apr 29, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
thawtepremiumserverca, Dec 11, 2009, trustedCertEntry,
Certificate fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66
...

Note, in particular, the "Certificate fingerprint". This is the (hopefully) unforgeable SHA-1 hash of the contents of the certificate identified by the nickname (digicertassuredidrootca, trustcenterclass2caii, thawtepremiumserverca, etc.). When the JDK, via the internal, undocumented sun.security.ssl.SSLSocketImpl class, attempts to establish a secure connection with a remote server, the server must present it with (at least) two certificates: one claiming that it's the rightful owner of the domain name being connected to, and another that is the signer of the first certificate and, of course, the actual signature. The JDK searches its list of trusted root certificates from the cacerts file and, if it doesn't find one with a matching fingerprint, rejects the connection with an "unable to find valid certification path to requested target". Notice, however, that I said "at least two". The designers of PKI foresaw that it would be burdensome for a handful of certificate authorities (85 in the case of JDK 1.8) to be responsible for validating every single entity that needed to be trusted; it's therefore possible for a certificate authority to delegate authorization to sub-certificate authorities. So it's probable (and was the case for me) that the server certificate is signed by a certificate that itself is signed by a self-signed root certificate. This list of certificates, each one signed by the next, is called a certificate chain, and must end in a trusted certificate, or the connection will be rejected.

I said "at least two", but even that isn't true — the server must present an identifying certificate and a signing certificate in order for the SSL protocol to work, but they can actually be the same certificate — the identifying certificate can be a self-signed "root" certificate. It's then up to the client to choose to accept this "all in one" certificate or not. This scenario is fairly rare in day-to-day e-commerce, but can be very useful when testing.

With that out of the way, though, how to go about fixing this? When you're connecting securely to a website through a browser, the browser presents a warning message which you can choose to ignore once or ignore permanently. Java code, of course, has no way to present a warning message to a user in an arbitrary context (how would that work in a Maven build, for example?). You can actually completely disable the certificate check by installing a null TrustManager instance, but that's not really what you want here; what you really want is to import the signing certificate so that the connection is always trusted. The keytool allows you to do so via:

$ keytool -importcert -file ./certificate_file

which takes as input the certificate that you want to have imported as a trusted root. So how do you get your hands on that certificate in the first place? Most browsers will show you the certificate chain, but not let you download the actual certificates (IE used to, but the most recent versions don't). Fortunately, the same keytool that ships with the JDK, which you can use to view the contents of a keystore, will download a certificate chain for you:

$ keytool -printcert -rfc -sslserver maven.2xoffice.com
-----BEGIN CERTIFICATE-----
MIIFNTCCBB2gAwIBAgIHJ73QrVnyJjANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAO
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMxITAfBgNVBAoT
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMY
...
-----END CERTIFICATE-----

The -rfc option outputs the certificate chain in PEM-encoded format for easy import back into a keystore. In my case, it was the last certificate in the list that I wanted, so I saved the whole thing (including the BEGIN CERTIFICATE and END CERTIFICATE lines, which are significant in this case) as godaddyg2.pem and imported it into my trust store via:

$ keytool -importcert -file ./godaddyg2.pem -keystore $JRE_LIB/lib/security/cacerts

after verifying in a browser that this was, in fact, the certificate I wanted.
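The following Python script is an added example, not code from the original post or from the JDK. It does offline what the keytool commands above show: it splits the PEM chain that keytool -printcert -rfc prints into its individual certificates, computes the same colon-separated fingerprint (the SHA-1 hash of the certificate's DER bytes) that the keytool -list output above shows, and then looks each certificate in the chain up in the trust store listing, which is the fingerprint search the article describes the JDK doing; no match means the "unable to find valid certification path" condition, and a .pem file with no BEGIN/END CERTIFICATE block raises ValueError, the situation keytool reports as "Input not an X.509 certificate". The keytool -list excerpt is copied from the article; the three-certificate chain and the "fakeroot" trust-store entry (with its date) are constructed stand-ins whose bodies are not real X.509 DER, and the function and variable names are my own.

```python
"""Added example: reproduce offline the fingerprint check the article describes."""
import base64
import hashlib
import re

# One PEM block is one certificate; the base64 body may be wrapped at 64 columns.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# `keytool -list` prints "alias, date, trustedCertEntry," then a fingerprint line
# ("SHA1" on JDK 8; newer JDKs print "SHA-256", which the regex also accepts).
ALIAS_LINE = re.compile(r"^(\S+), .*, trustedCertEntry,\s*$", re.M)
FINGERPRINT_LINE = re.compile(
    r"^Certificate fingerprint \(([\w-]+)\): ([0-9A-F:]+)\s*$", re.M)


def split_pem_chain(text):
    """Return the DER bytes of each certificate in a PEM chain, leaf first.

    Raises ValueError when no BEGIN/END CERTIFICATE pair is present, which is
    what lies behind keytool's "Input not an X.509 certificate" error (e.g. an
    error message, not a chain, was redirected into the .pem file)."""
    bodies = PEM_BLOCK.findall(text)
    if not bodies:
        raise ValueError("no PEM certificate block found in input")
    return [base64.b64decode(body) for body in bodies]


def fingerprint(der, algorithm="sha1"):
    """keytool-style fingerprint: hash of the DER bytes, upper-case hex pairs
    joined with colons (the article's cacerts listing shows SHA1)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_keytool_list(text):
    """Map every fingerprint in `keytool -list` output to its alias."""
    aliases = ALIAS_LINE.findall(text)
    prints = [fp for _algo, fp in FINGERPRINT_LINE.findall(text)]
    if len(aliases) != len(prints):
        raise ValueError("alias and fingerprint lines do not pair up")
    return dict(zip(prints, aliases))


def find_trust_anchor(chain_text, trust_store):
    """Walk the chain leaf-first and return (index, alias) of the first
    certificate whose fingerprint is in the trust store, or None.  None is the
    condition the JDK reports as "unable to find valid certification path to
    requested target".  Real PKIX validation also checks signatures, names and
    validity dates; this mirrors only the fingerprint search the article describes."""
    for index, der in enumerate(split_pem_chain(chain_text)):
        for algorithm in ("sha1", "sha256"):
            alias = trust_store.get(fingerprint(der, algorithm))
            if alias is not None:
                return index, alias
    return None


def pem_block(body):
    """Wrap raw bytes as a PEM certificate block (used here only to build sample data)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(body).decode("ascii")
            + "-----END CERTIFICATE-----\n")


# Constructed stand-ins for a three-certificate chain.  The bodies are NOT real
# X.509 DER; they only let the parsing and matching run without a server.
FAKE_LEAF, FAKE_INTERMEDIATE, FAKE_ROOT = b"leaf", b"intermediate", b"root"
CONSTRUCTED_CHAIN = "".join(pem_block(b) for b in (FAKE_LEAF, FAKE_INTERMEDIATE, FAKE_ROOT))

# Excerpt of the article's own `keytool -list` output (real aliases and fingerprints).
KEYTOOL_LIST_SAMPLE = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 85 entries

digicertassuredidrootca, Apr 16, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
trustcenterclass2caii, Apr 29, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
thawtepremiumserverca, Dec 11, 2009, trustedCertEntry,
Certificate fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66
"""
# Constructed entry standing in for what `keytool -importcert` adds for the fake root.
CONSTRUCTED_IMPORT_ENTRY = ("fakeroot, Jan 1, 2021, trustedCertEntry,\n"
                            "Certificate fingerprint (SHA1): " + fingerprint(FAKE_ROOT) + "\n")


def demo():
    """Before the import the chain ends in an unknown root; afterwards it is found."""
    before = parse_keytool_list(KEYTOOL_LIST_SAMPLE)
    after = parse_keytool_list(KEYTOOL_LIST_SAMPLE + CONSTRUCTED_IMPORT_ENTRY)
    return (find_trust_anchor(CONSTRUCTED_CHAIN, before),
            find_trust_anchor(CONSTRUCTED_CHAIN, after))


if __name__ == "__main__":
    print(demo())  # (None, (2, 'fakeroot'))
```

To use it on real data, redirect keytool -printcert -rfc -sslserver HOST into one file and keytool -list -keystore .../cacerts into another, read both, and call find_trust_anchor(chain_text, parse_keytool_list(list_text)); the index it returns tells you which certificate in the chain is already trusted, and None tells you which chain needs its root imported. Because keytool's fingerprint really is the hash of the DER encoding, the matching works unchanged on genuine certificates, even though the sample chain here is only a placeholder.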
melvin, 2015-03-08
Please, I need the certificate so I can browse the web.

Jobby Joseph, 2015-03-17
Excellent article, explained in a very simple manner. Thanks,

hvgeertruy, 2015-08-05
This article helped me a lot. I tried other sources but those were incomplete on the subject or just plain wrong. It also gave me a good background explanation on the context of the certificates; this will be a great help in the future.
Thanks mate

Josh, 2015-08-05
Glad I could help!

Robb01, 2015-12-30
Thanks for posting this. Searching on my errors produced very few hits and your post is the closest. It also gives great insight into what is going on.
My error is slightly different:

[ERROR] [g.openhab.io.net.http.HttpUtil] - Fatal transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am running openhab 1.7.1 on a raspberry pi with Java:

java version "1.8.0_65"
Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
Java HotSpot(TM) Client VM (build 25.65-b01, mixed mode)

and only a few bindings including http and zwave. Does this message tell me I need to import a new certificate, and where do I find it (the right one)?

Thanks

matt jordan, 2016-03-29
I followed your logic, which was perfect until the moment of trying to install a certificate in my keystore, at which time I was asked for a password for the keystore. There is no password as far as I am aware; I was able to list the contents of the cacerts file by typing an empty password. Why would it ask for a non-empty password now?

Josh, 2016-03-29
There is a password on it, actually - it's sort of an odd behavior on the part of the java keytool, but you can list out the contents of a keystore without providing the password, but you can't update the keystore without it. By default, the password for cacerts is "changeit" (which virtually nobody does, creating a pretty massive security hole in most Java installations).

matt jordan, 2016-03-30
Thanks Josh, that was exactly the right thing!

Anne, 2016-04-12
Great article! But how do I verify the cert with a browser?

David, 2016-06-25
Thanks, it works!! And in addition, now I understand the problem and the solution!

Randy, 2016-07-01
When I do the import it tells me that the certificate is not an X.509 certificate.
I'm using JDK 1.8.

keytool -printcert -rfc -sslserver javalibs.com > ./javalibs.pem
keytool -importcert -file .\javalibs.pem -keystore $env:JAVA_HOME\jre\lib\security\cacerts
keytool error: java.lang.Exception: Input not an X.509 certificate

Josh, 2016-07-01
Strange - that sequence does work for me, using both JDK 1.7 and JDK 1.8; I'm on a Mac, though, not Windows. What actually shows up in the "javalibs.pem" file? Does it begin with -----BEGIN CERTIFICATE-----?

Jad, 2017-08-25
I got the same error message (Input not an X.509 certificate).
Randy,

Jad, 2017-08-25
Randy, has your problem been resolved (my OS is Windows 7)?

Arijit Ghosh, 2016-09-21
Wonderful article and following this solved my problem completely.
My java application was able to communicate in SSL mode with a JMS Server when it was executed on my local machine.

But it failed on the Test Server, as Java there was unable to recognize the JMS Server CA as a legitimate CA.

Followed the steps... and it worked bang on!!!

Regards,
Arijit

Makoy, 2017-01-09
After running "keytool -printcert -rfc -sslserver maven.2xoffice.com", where does the godaddyg2.pem get saved?

Josh, 2017-01-13
Unfortunately, it doesn't actually get saved, but printed out to the console. You can either redirect the output to a file or just (as I did) cut and paste what you want into another file.

David, 2017-01-17
Excellent article, explained in a very simple manner. Thanks!

esalagea, 2017-02-20
Thanks a lot for this article, I had the same problem with Jenkins external authentication using GitLab. Using your solution worked perfectly fine.

Frank, 2017-02-23
I have never commented on a technical article before... this is the most well explained article out there. You are awesome Joshua!

Kumar, 2017-03-01
Joshua,
Donald Trump loves you!! I love you and the rest of the world loves you!!

May God bless you!!

Josh, 2017-03-02
Um, ok. I don't think Donald Trump actually loves me though. I do think he'd like me if he met me.

Rakesh, 2017-03-24
Wonderful!!!!

Gr8 I was struggling for so long to fix this issue. Finally this article helped me.
It worked like magic. Thanks a tonne.

Regards

Satya, 2019-08-20
Hi Joshua,

Thanks for the detailed information. After searching for a few hours I found this article, which is really helpful. But after generating the certificate chain I tried to import it into my trust store by following the command provided in the article (password used: changeit); there it says "certificate is added" on the first line, and on the next line it says file not found exception and in brackets permission denied. Can you please let us know the steps to be followed after generating the certificate chain. It will be greatly helpful.

thanks in advance
Satya

satyam, 2020-12-10
instead of "$JRE_LIB" use "$JAVA_HOME" or path to java

satyam, 2020-12-10
Great man, it worked like a charm.. You're a saviour.