2

I am trying to run the sample program in the DocuSign API workflow (http://iodocs.docusign.com/APIWalkthrough/requestSignatureFromDocument) to send a simple document to request a signature. I substituted my values for selected variables in the program (integratorKey through docContentType), and was able to successfully send the request last week. However today I am getting "unable to find valid certification path to requested target" errors when I run the sample program, specifically at line 65, in which the conn.getResponseCode() method is called. The full stack trace appears below:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
    at com.helloworld.RequestSignatureDocument.main(RequestSignatureDocument.java:62)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 19 more

I looked up this error in the DocuSign DevZone archives, and found this reference: http://community.docusign.com/t5/DocuSign-API-Integration-Java-READ-ONLY/ValidatorException-while-sending-document-to-Docusign-demo/m-p/6771/highlight/true. The answer there points to two other links, which basically require downloading a Java program called InstallCert.java and running it to get some certificate information and then installing the certificate. It's supposed to install the certificate locally, and then when you run the program a second time it should recognize the certificate.

That didn't work for me!

What can I do to make the sample RequestSignatureDocument.java program run?

The lines around line 65 in http-colon-//iodocs.docusign.com/APIWalkthrough/requestSignatureFromDocument appear as follows: `

// obtain baseUrl and accountId values from response body 
response = getResponseBody(conn);
baseURL = parseXMLBody(response, "baseUrl");

`

William Asher
  • 91
  • 10
  • Are you able to provide a code snippet of around line 62? Any more info besides the exception would help. – Compass Dec 15 '14 at 18:57
  • What web server are you running (apache, IIS, etc)? You're going to have to ensure that your web server has the certificate AND that your CA list trusts that certificate. In my experience, my CA list has had to be updated as well as the certificate installed. (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/) – Andrew Dec 15 '14 at 23:21
  • I guess i don't understand the question. The program, supplied as an example by DocuSign, is a standalone Java program. It is a client that sends REST requests to DocuSign's server (https://demo.docusign.net/restapi/v2/login_information), referenced at line 49 of the Java program to which I posted a link above. I don't know what kind of server DocuSign is running. Bottom line is _they_ are running a server, I'm not. – William Asher Dec 16 '14 at 14:18
  • Can somebody at DocuSign address this issue? Your sample Java program worked last week out of the box, but it doesn't work now. Did you change something at your end? When I run "curl -vvv https://demo.docusign.net" I get an "SSL connection using" value of TLS_RSA_WITH_AES_256_CBC_SHA. I don't know what value I was getting for this setting last week. However, I do know I am getting the following value when connecting to https://www.docusign.com: TLS_DHE_RSA_WITH_AES_128_CBC_SHA. That's different from the demo value. I don't know if that is significant. – William Asher Dec 17 '14 at 21:41

1 Answers1

1

I can't say for certain that this is the answer to my question because I have not received any feedback from DocuSign, but after two full days of scouring documentation, blogs, StackOverflow, and more I thought I finally had a working solution. I followed most of the steps posted at How can I use certificate authentication with HttpsURLConnection? and was able to connect and send a document for signature.

That felt great! But then I tried the original java program referenced at the top of my post above, and now it worked, just like it did last week (but not the first few days of this week). So none of the work I did on SSL, importing certificates to my keystore, etc., was relevant or meaningful.

I suppose it's naive of me to think this, but I've got to assume that somebody at DocuSign changed something last week, and then changed it back today.

If I am wrong on that assumption and somebody at DocuSign can set me straight, that would be really wonderful. Better late than never. But until something changes, it appears my problem is "solved".

Community
  • 1
  • 1
William Asher
  • 91
  • 10