6

I am making a post request using a restTemplate and I am getting the following error: unable to find a valid certification path to requested target

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'transformToListClass': Invocation of init method failed; nested exception is java.lang.RuntimeException: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://emploenefitsdev/rion/v1/rion/": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: java.lang.RuntimeException: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://emploenefitsdev/rion/v1/rion/": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://emploenefitsdev/rion/v1/rion/": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

And my method below:

    public ImageDescriptor generateImage(String payLoad, String templateName, String slogPrefix) {
        try {
            ImageDescriptor descriptor = new ImageDescriptor();

            String myEUrl = "https://emploenefitsdev/rion/v1/rion/";
            String eURL = myEUrl.concat(Constant.F_SLASH).concat(templateName);

            log.info("payload" + payLoad);

            ResponseEntity<Resource> responseEntity = restTemplate.exchange(
                    eURL,
                    HttpMethod.POST,
                    niService.getStringHttpEntityWithPayload(payLoad),
                    Resource.class);
            log.info(String.format("%s generateImage Result: [%s] ", slogPrefix, responseEntity.getStatusCode()));
            descriptor.setInputStream(Objects.requireNonNull(responseEntity.getBody()).getInputStream());

            convert(responseEntity.getBody().getInputStream(), "sherrr.pdf");

            log.info("file is:"+ convert(responseEntity.getBody().getInputStream(), "sherrr.pdf"));


            return descriptor;
        } catch (IOException e) {
            e.printStackTrace();
            log.error("Error: " + slogPrefix + " generate image failed " + e.getMessage());
            throw new RuntimeException(e);
        }
    }
Dariusz Urbanek
san

2 Answers

30

The request is failing while making a connection from the client to the server. The reason behind the failure is the client's inability to validate the server's identity/certificate. During the client-server handshake, the client needs the issuer/root certificates to validate the server's identity. Most of the root certificates issued by well-known trusted authorities are shipped with the JDK and are present in the keystore file called cacerts.

Let's talk about your case. It could potentially fall into one of the following categories.

  • Server is using a certificate issued by a certificate authority whose root and intermediate certificates are not present in the JDK.
  • Server is using a certificate issued by an in-house CA.
  • Server is using a self-signed certificate.

You need to add the root and intermediate certificates to the java cacerts key store.

One way to obtain the root and intermediate certificates is by visiting the server site in the browser. Click on the secure padlock in the URL bar and explore the certificate option. You need to export the root and intermediate certificates by using the copy option and save the cert file on your system.

Go to the location, e.g. C:\Program Files\Java\jdk1.8.0_121\jre\lib\security, where cacerts is present and open the command prompt to execute the following command.

    keytool -import -alias aliasName -file pathToRootCA.crt -keystore cacerts

The default password is changeit

b.s
  • In my case the server has a CA-signed certificate, why do I need to do this manually? Any option in Java code? – sakura Apr 01 '21 at 07:53
  • 1
    If the client has the server's root and intermediate certificates, then instead of adding them to the Java default truststore, one can programmatically create a custom truststore in Java inside the app. – b.s Apr 03 '21 at 09:08
  • 1
    This should be flagged as the answer. I've seen some responses about the same issue, but none of them were as clear as this one. – mekoda Oct 27 '21 at 15:25
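
The in-app alternative mentioned in the comments above, building a custom truststore in code instead of editing cacerts, can look like the following. This is an added example, not code from the answer or its comments: the class and method names and the CA file path passed in are hypothetical, and it assumes the RestTemplate may use Spring's `SimpleClientHttpRequestFactory` (the JDK `HttpURLConnection` client).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

// Added example: class name, method names and the caFile argument are hypothetical.
public final class InternalCaRestTemplate {
    /** Builds an SSLContext whose only trust anchors are the CA certificates in a PEM/DER file. */
    static SSLContext sslContextFor(String caFile) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // empty, in-memory store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(caFile))) {
            int n = 0;
            for (Certificate ca : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("ca-" + n++, ca);
            }
            if (n == 0) throw new IllegalArgumentException("no certificates in " + caFile);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);      // no client key, default SecureRandom
        return ctx;
    }

    /** RestTemplate that validates servers against that CA; hostname verification stays on. */
    static RestTemplate restTemplateTrusting(String caFile) throws Exception {
        final SSLContext ctx = sslContextFor(caFile);
        return new RestTemplate(new SimpleClientHttpRequestFactory() {
            @Override
            protected void prepareConnection(HttpURLConnection c, String method) throws IOException {
                if (c instanceof HttpsURLConnection) {
                    ((HttpsURLConnection) c).setSSLSocketFactory(ctx.getSocketFactory());
                }
                super.prepareConnection(c, method);
            }
        });
    }
}
```

Because the in-memory store holds only the supplied CA certificates, this RestTemplate rejects servers signed by any other authority, including the public CAs in cacerts; certificate path validation itself is never switched off.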
0

If cacerts includes the root CA certificate and you still see the error, ensure that your Java program is picking up the correct keystore. It can happen that it is picking up a keystore other than cacerts.

Imran