0

I noticed today, that my services reject APIs certificate. It's not a self-signed certificate but one issued by let's encrypt. It looks fine in browsers and on some online cert checking tools, I found. It's been running just fine last week - but somehow stopped doing so over the weekend. It's Java 12 (tried OpenJDK on Mac, Linux and OpenJ9 on Linux)

Do you guys have any idea on how to debug (or even fix) this? I've checked on various 

Exception in thread "main" java.lang.IllegalStateException: OAuth Authentication failed from https://graph.homefully.tech/oauth/authorize
    at de.homefully.platform.graphclient.GraphClient.revalidateAccessToken(GraphClient.java:170)
    at de.homefully.platform.graphclient.GraphClient.execute(GraphClient.java:90)
    at de.homefully.platform.graphclient.GraphClient.query(GraphClient.java:66)
    at de.homefully.platform.adplacementjob.graphapi.AdPlacementSupplier.get(AdPlacementSupplier.java:18)
    at de.homefully.platform.adplacementjob.graphapi.AdPlacementSupplier.get(AdPlacementSupplier.java:11)
    at de.homefully.platform.adplacementjob.PlacementOrders.load(PlacementOrders.java:19)
    at de.homefully.platform.adplacementjob.JobExecutor.orderedPlacements(JobExecutor.java:38)
    at de.homefully.platform.adplacementjob.JobExecutor.main(JobExecutor.java:31)
    at de.homefully.platform.adplacementjob.RealEstateObjectPublisher.main(RealEstateObjectPublisher.java:9)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:441)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:419)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:404)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:364)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:221)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140)
    at de.homefully.platform.graphclient.GraphClient.revalidateAccessToken(GraphClient.java:147)
    ... 8 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:384)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:289)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625)
    ... 33 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:379)
    ... 39 more
Matthias
  • 2,622
  • 1
  • 18
  • 29

1 Answers1

0

Has the certificate expired? The fact you said it stopped over the weekend suggests that it might be.

I had the same issue and this was the cause. I noticed that when it couldn't find the valid certificate, I'd get: SEVERE: I/O Exception javax.net.ssl.SSLHandshakeException: . However, when the required certificate could be found BUT had expired I'd receive the same SEVERE: I/O Exception. sun.security.validator.ValidatorException.

I hope this helps.

AlexHowell
  • 145
  • 1
  • 1
  • 8