Friday, January 3, 2014
How to solve "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" issue of WSO2 Products
Ever come across the error message mentioned in the subject while trying out WSO2 products? If you have, the reason is that the certificate of the backend you are calling is not trusted, and the certificate of that backend server should be added to the WSO2 product server's client-truststore.jks. Let's try this with a simple example.
Assume you have a simple API with the below configuration pointing to Twitter search in WSO2 ESB (you can try this with the latest version of ESB). The configuration will be as follows.
<api name="TwitterAPI" context="/twitter">
    <resource methods="GET" url-mapping="/*">
        <inSequence>
            <send>
                <endpoint>
                    <address uri="https://twitter.com"/>
                </endpoint>
            </send>
        </inSequence>
        <outSequence>
            <send/>
        </outSequence>
    </resource>
</api>
Invoke the above API using the below command.
curl -v -X GET -H "Content-type: application/json" http://localhost:8281/twitter/search?q=wso2
It will throw the below exception at the WSO2 ESB server console.
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 23 more
In order to get rid of this exception and let the request pass through successfully to the backend, you need to import the public certificate of Twitter into the client-truststore.jks of the WSO2 ESB server instance. Below are the steps you need to follow.
1. Go to https://twitter.com/, click on the lock icon at the address bar, click on the 'Connection' tab, then click on the link 'Certificate Information'. From the 'Certificate Viewer', select the tab 'Details' and click on the 'Export' button and download the certificate (twitter.com) to a preferred location.
2. Once downloaded, issue the below command to import the public certificate of Twitter to the client-truststore.jks.
$ keytool -importcert -file $somepath/twitter.com -keystore $ESB_HOME/repository/resources/security/client-truststore.jks -alias "Twitter"
3. Restart the WSO2 ESB server and invoke the API again and you will get the expected result.
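The browser export in step 1 trusts whatever certificate the browser was shown, so it is worth comparing the file's SHA-256 fingerprint with a value obtained from the backend's owner before running step 2. The script below is an added example, not part of the original post: the function names (cert_sha256, norm_fp, import_verified) and the exported STOREPASS variable are assumptions, and it uses only standard keytool options.

```shell
#!/bin/sh
# Added example (not from the original post): import a certificate into a
# trust store only if its SHA-256 fingerprint matches a value obtained out of
# band. Function names and the STOREPASS variable are assumptions.

# Print the SHA-256 fingerprint of a certificate file as keytool reports it.
cert_sha256() {
    keytool -printcert -file "$1" 2>/dev/null |
        awk '$1 == "SHA256:" { print $2; exit }'
}

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# usage: import_verified CERT_FILE TRUSTSTORE ALIAS EXPECTED_SHA256
# The store password is read from the exported environment variable STOREPASS.
# returns 0 imported, 1 fingerprint mismatch, 2 unreadable certificate,
#         3 alias already present, 4 keytool import failed
import_verified() {
    cert=$1 store=$2 entry=$3 expected=$4
    actual=$(cert_sha256 "$cert")
    [ -n "$actual" ] || { echo "cannot read certificate: $cert" >&2; return 2; }
    if [ "$(norm_fp "$actual")" != "$(norm_fp "$expected")" ]; then
        echo "fingerprint mismatch, not importing: $actual" >&2
        return 1
    fi
    # Refuse to reuse an alias that already exists in the trust store.
    if [ -f "$store" ] && keytool -list -keystore "$store" \
            -storepass:env STOREPASS -alias "$entry" >/dev/null 2>&1; then
        echo "alias already in trust store: $entry" >&2
        return 3
    fi
    keytool -importcert -noprompt -file "$cert" -keystore "$store" \
        -storepass:env STOREPASS -alias "$entry" >/dev/null 2>&1 || return 4
    # Confirm the entry is now listed.
    keytool -list -keystore "$store" -storepass:env STOREPASS \
        -alias "$entry" >/dev/null 2>&1
}

# Example call with the page's paths (the fingerprint is a placeholder):
#   export STOREPASS; import_verified "$somepath/twitter.com" \
#     "$ESB_HOME/repository/resources/security/client-truststore.jks" \
#     Twitter "<SHA-256 fingerprint obtained out of band>"
```

Passing the password with -storepass:env keeps it out of the process list, and -noprompt is safe here only because the fingerprint comparison has already replaced keytool's interactive "Trust this certificate?" question.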
12 comments:
Hey, it was a nice post. Thanks for the post. I am developing an application on Windows using Java, Twitter4j & NetBeans IDE 7.4 to fetch tweets from Twitter and am getting the same error "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Could you please help me to resolve this error?
Hey, thanks for the post. I am developing an application on a Windows system using NetBeans IDE, Java and Twitter4j to fetch tweets from Twitter and am also getting the error
"sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Could you please help me to resolve it?
Thanks, helped to add the Basecamp certificate to keystore :)
Hi Dilruk,
Glad to hear the post was useful for you.
Regards,
Evanthika
Hello, Evanthika
I saw your answers to my question on Stack Overflow, and followed the link to here.
This is a really instructive post.
When I invoke the keytool command, it requires a password for the client-truststore.jks,
so what is the default password?
Hi George,
The default client-truststore.jks password is wso2carbon
Regards,
Evanthika
Found this useful! Thanks.
Thanks!
One problem solved!
Really helpful. Got all that I needed.
Thanks. It's working.
Thanks for this solution, it worked perfectly on my ESB/WSO2 server!
Hi Evanthika,
Thanks for the useful post.
After a month of struggle, resolved the certificate issue by referring to your post.