
I'm trying to access a secure address from my Java web application. The application is running on Tomcat 7 with Java 7, and I've started Tomcat with the following options:

-Djavax.net.ssl.trustStore=path-to-truststore.jks -Djavax.net.ssl.trustStorePassword=mypass

My truststore contains trusted certificates for several different sites, and all of them work correctly, except one whose site address is defined in the certificate's SAN (Subject Alternative Name) extension field. For example, the certificate is issued to my-site1.com and has a SAN entry for my-site2.com, and I need to access my-site2.com from my Java EE application. Here is the exception I get:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    ...

Any suggestion?

  • Does the site provide all intermediate certificates during the TLS handshake? If the site is public, you can use an online scanner such as SSL Labs Server Test (https://www.ssllabs.com/ssltest/). – Anand Bhat Sep 13 '16 at 22:27
  • Yes, it's https://onesignal.com if it helps – Ehsan Khodarahmi Sep 14 '16 at 08:53
  • Do the other sites that are working fine chain up to the same root ( COMODO RSA Certification Authority - afe5d244a8d1194230ff479fe2f897bbcd7a8cb4 or AddTrust External CA Root - 02faf3e291435468607857694df5e45b68851868)? Which version of Java7 is being used? – Anand Bhat Sep 14 '16 at 16:55
  • No, they have different trust chains and roots – Ehsan Khodarahmi Sep 14 '16 at 16:59
  • Unclear. Is this certificate with SAN in your truststore? Is the server sending it? Both? Is the server sending *anything* that's in your truststore? On the evidence here, the answers are no, yes, and no. In which case your truststore doesn't trust either the SAN-certificate or any of its signers, which is essentially the meaning of the error message. – user207421 Sep 14 '16 at 22:54
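The comments above boil down to two separate questions that the "PKIX path building failed" message does not distinguish: does any certificate the server actually sends (or one of its signers) sit in the truststore, and, separately, does the leaf's SAN cover the host being contacted? The following diagnostic is an added example, not code from the asker or the commenters. It assumes a JKS truststore like the one passed via -Djavax.net.ssl.trustStore, and the class name ChainDiag and its command-line arguments are my own choices. It captures the chain the server presents (or reads it from a PEM file so the check can run offline), prints each certificate's subject, issuer and SHA-1 fingerprint, marks which ones are already in the truststore, then runs the same trust check JSSE performs during the handshake and a plain dNSName SAN match for the host.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * ChainDiag (hypothetical tool, not part of Tomcat or the JDK).
 *   java ChainDiag <host> <port> <truststore.jks> <password>             -- connects and captures the chain
 *   java ChainDiag <host> <port> <truststore.jks> <password> <chain.pem> -- reads the chain from a PEM file
 */
public class ChainDiag {

    /** Records the chain the server presents during the handshake; it is used for inspection only. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] captured = new X509Certificate[0];
        public void checkServerTrusted(X509Certificate[] chain, String authType) { captured = chain; }
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Performs a TLS handshake only (no application data) and returns the certificates the server sent. */
    static X509Certificate[] captureChain(String host, int port) throws Exception {
        CapturingTrustManager capture = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Java 7 clients enable only TLSv1 by default; modern servers often require TLSv1.2.
            s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" });
            s.startHandshake();
        }
        return capture.captured;
    }

    /** Reads one or more PEM certificates (leaf first) from a file, e.g. one saved from a previous capture. */
    static X509Certificate[] readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends java.security.cert.Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Runs the same PKIX trust check JSSE applies at handshake time against the given truststore. */
    static String trustVerdict(X509Certificate[] chain, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        // authType drives the key-usage check; pick a signature-based type matching the leaf's key algorithm.
        String authType = "RSA".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_RSA" : "ECDHE_ECDSA";
        try {
            tm.checkServerTrusted(chain, authType);
            return "TRUSTED: a path builds from the leaf to an anchor in the truststore";
        } catch (CertificateException e) {
            return "NOT TRUSTED: " + e.getMessage();
        }
    }

    /** True when host equals a dNSName SAN or matches a single-label wildcard such as *.example.com. */
    static boolean matchesSan(X509Certificate leaf, String host) throws CertificateException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (((Integer) san.get(0)).intValue() != 2) continue;   // GeneralName type 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase();
            if (name.equals(host)) return true;
            int dot = host.indexOf('.');
            if (name.startsWith("*.") && dot > 0 && host.substring(dot).equals(name.substring(1))) return true;
        }
        return false;
    }

    /** Hex SHA-1 fingerprint of the DER encoding, the form most scanners and the comments above quote. */
    static String sha1(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: java ChainDiag <host> <port> <truststore.jks> <password> [chain.pem]");
            System.exit(2);
        }
        String host = args[0].toLowerCase();
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[2])) { ts.load(in, args[3].toCharArray()); }
        X509Certificate[] chain = args.length > 4 ? readPemChain(args[4]) : captureChain(host, Integer.parseInt(args[1]));
        if (chain.length == 0) { System.out.println("No certificates obtained."); return; }
        System.out.println("Server chain (" + chain.length + " certificate(s)):");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            boolean inStore = ts.getCertificateAlias(c) != null;
            System.out.println("  [" + i + "] subject=" + c.getSubjectX500Principal());
            System.out.println("      issuer =" + c.getIssuerX500Principal());
            System.out.println("      sha1   =" + sha1(c) + (inStore ? "  (present in truststore)" : ""));
        }
        System.out.println("Trust check: " + trustVerdict(chain, ts));
        System.out.println("SAN check  : " + host + (matchesSan(chain[0], host) ? " matches" : " does not match") + " a dNSName SAN of the leaf");
    }
}
```

The two final lines answer the two questions independently. "PKIX path building failed" means the trust check failed: none of the printed certificates, and no issuer above them, is in the truststore, so the fix is to add the server's issuing CA (or the root it chains to) to the JKS file rather than the leaf with the SAN. A SAN mismatch would surface later, as a hostname-verification error, and only after trust succeeded. The capturing trust manager exists solely so the chain can be printed; the trust decision is made by trustVerdict against the real truststore.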

0 Answers