Friday, January 3, 2014

How to solve "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" issue of WSO2 Products


Ever come across the error message mentioned in the subject while trying out WSO2 products? Well, if you have, the reason is that cetifacte of the backend that you is not trusted and the certificate of that backend server should be added to the WSO2 product servers client-truststore.jks. Lets try this with a simple example.

Assume you have a simple API with the below configuration pointing to twitter search in WSO2 ESB (You can try this with a latest version of ESB). The configuration will be as follows.

      <api name="TwitterAPI" context="/twitter">
      <resource methods="GET" url-mapping="/*">
         <inSequence>
            <send>
               <endpoint>
                  <address uri="https://twitter.com"/>
               </endpoint>
            </send>
         </inSequence>
         <outSequence>
            <send/>
         </outSequence>
      </resource>
   </api>

Invoke the above API using the below command.

curl -v -X GET -H "Content-type: application/json" http://localhost:8281/twitter/search?q=wso2

It will throw the below exception at the WSO2 ESB server console.


Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
    ... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 23 more



Inorder to get rid of this exception and the request to passthrough successfully to the backend, you need to import the public certificate of Twitter to the client-truststore.jks of the WSO2 ESB server instance. Below are the steps you need to follow.

1. Go to https://twitter.com/, click on the lock icon at the address bar, click on the 'Connection' tab, then click on the link 'Certificate Information'. From the 'Certificate Viewer', select the tab 'Details' and click on the 'Export' button and download the certificate (twitter.com) to a preferred location.

2. Once downloaded, issue the below command to import the public certificate of Twitter to the client-truststore.jks.

$ keytool -importcert -file $somepath/twitter.com -keystore $ESB_HOME/repository/resources/security/client-truststore.jks -alias "Twitter"

3. Restart the WSO2 ESB server and invoke the API again and you will get the expected result.

12 comments:

Unknown said...

Hey, it was a nice post. Thanks for the post. Am developing an application in Windows using Java,Twitter4j & NetBeansIDE7.4 to fetch tweets from twitter am getting the same error ".sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Could You pls help me to resolve this error?

Unknown said...

Hey Thanx for the post. Am developing an application in Windows system using NetbeansIDE,java, twitter4j to fetch tweets from Twitter am also getting the error
"sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Could you pls help me to resolve it??

Dilruk Perera said...

Thanks, helped to add the Basecamp certificate to keystore :)

Evanthika said...

Hi Dilruk,

Glad to hear the post was useful for you.

Regards,
Evanthika

Unknown said...

hello, Evanthika

I saw your answers to my question in Stackoverflow, and followed the link to here.

this is a really instructive post.

when I invoke the keytool command, it require a password of the client-truststore.jks

so what is the default password?

Evanthika said...

Hi George,

The default client-truststore.jks password is wso2carbon

Regards,
Evanthika

Unknown said...

Found this useful! Thanks.

Dante Cesar Basso Filho said...

Thanks!
One problem solved!

FR said...

Really helpful. got all that i needed

Unknown said...

Thanks. Its working

scifactor said...

Thanks for this solution, it worked perfectly on my ESB/WSO2 server!

Justin Raj S said...

Hi Evanthika,

Thanks for the useful post.

After a month of struggle, resolved certificate issue by referring your post.