
I have been having an issue for months where, all of a sudden, our Java install on CentOS 6.10 stopped adding client site certificates to the Java keystore. To work around this I need to browse to the client's website, such as https://ws.example.com, then download the certificate in Firefox or Chrome, upload it to the server, and finally use keytool to install the certificate. This started happening out of the blue, so I am not sure what changed, but I would really appreciate someone pointing me in the right direction. This is the error we get in our application:

Exception waiting for response: ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  • Does this happen only on specific websites, or on all websites? – Gerald Schneider Nov 20 '20 at 14:39
  • This reminds me of an issue I had with Java clients and Apache servers where I had the whole certificate chain in a single file configured with `SSLCertificateFile`. Browsers were fine, but Java clients couldn't verify the certificate chain. My solution was to split the certificate into two files, one for the host certificate and one for the chain, and use `SSLCertificateFile` and `SSLCertificateChainFile`. After that all Java clients could verify the certificate chain again. – Gerald Schneider Nov 20 '20 at 14:42
  • It seems to be all websites. Our Java app reaches out to only a handful of sites for an API call to get data from. When their certificate gets updated, we start seeing errors on this call with the above error. I was using the manual process as a workaround. – Tom Ferlaak Nov 20 '20 at 14:48
  • CentOS 6 has reached end of life. You should execute your plans to migrate to a currently supported version as soon as possible. – Michael Hampton Nov 20 '20 at 14:48
  • I have a staging server where we can try splitting the file, as we currently only have the single store that I know of. Do you know of a tutorial to split it? – Tom Ferlaak Nov 20 '20 at 14:49
  • If you don't have any control over the affected servers my note is not going to be helpful to you. I'll leave it for others who might stumble on the question though. – Gerald Schneider Nov 20 '20 at 14:50
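
The split discussed in the comments above, as an added example (not code from the question or from any commenter): the function writes the first certificate of a combined PEM file to one file and the remaining certificates to another, for use with `SSLCertificateFile` and `SSLCertificateChainFile`. It assumes the host certificate comes first in the combined file; the function names, file names and sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Usage: split_pem_bundle combined.pem host.crt chain.crt
# Writes the first certificate in the bundle to host.crt and every later
# certificate to chain.crt. Assumption: the host (leaf) certificate is first.
# Anything outside BEGIN/END CERTIFICATE markers (keys, comments) is skipped.
split_pem_bundle() {
    bundle=$1
    host_out=$2
    chain_out=$3
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }

    # grep -c exits non-zero on zero matches, so keep the count either way.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -lt 2 ]; then
        echo "$bundle holds $count certificate(s); no chain to split off" >&2
        return 1
    fi

    awk -v host="$host_out" -v chain="$chain_out" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (n == 1 ? host : chain) }
        /-----END CERTIFICATE-----/   { inside = 0 }
    ' "$bundle"
}

# Constructed sample bundle: placeholder bodies, not real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
HOST-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

With real files, `openssl x509 -in host.crt -noout -subject` confirms that the first file holds the host certificate before the server configuration is changed.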

0 Answers