See keystore used by SSLFactory? Exception: "sun....certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Question

Authorize.net updated their production certificates, and now our SSL code is generating the following exception:

Exception javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

According to this blog post from Authorize.net, we need to install new root certs on our server. We did this, but the exception persists. So now the suspicion is that new certs weren't installed to the right keystore. How do we see which keystore is being used by the code?

Here's the code below:

SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket(addr,443);

And yes, we should use Stripe instead, but this site was built long before Stripe came around. :(

Unless you've set the `javax.net.ssl.trustStore` system property somewhere, that code will use the default JRE `cacerts` truststore. Be careful updating that, as you will lose it next JRE update. — user207421, May 29 '15 at 01:43
@EJP this worked. Add your comment as an answer then you can earn credit? — Crashalot, May 29 '15 at 08:36

score 0 · Answer 1 · answered Aug 29 '19 at 15:41

Solution is to add that certificate to java cacerts file so that it got permanently accepted.

Step 1 : Get root certificate of https://www.wikipedia.org (or any url you want to access)

Open https://www.wikipedia.org in a chrome browser.
locate Lock symbol just besides your address bar and click on it.
view Details
Click on top most certificate on hierarchy and confirm it is tailed with Root CA phrase.
drag and drop that image which you saw written certificate on desktop.

Thats it! you got your root certificate!

Step 2 : Get that certificate added to java cacerts file.

use keytool.exe inside your jre bin folder.
fire following command to place your certificate inside cacerts file

keytool –import –noprompt –trustcacerts –alias ALIASNAME -file /PATH/TO/YOUR/DESKTOP/CertificateName.cer -keystore /PATH/TO/YOUR/JDK/jre/lib/security/cacerts -storepass changeit

That is it! you got your problem resolved.

PLEASE NOTE

Do confirm that the jre which is giving you this PKIX error(JRE used by KAFKA) that is where you are performing STEP 2. If you would try with another jre problem would be as it is.
Do use only one jre which is inside JDK it decreases chance to have issues.

See keystore used by SSLFactory? Exception: "sun....certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

1 Answers1

Linked