
I am running a Java 11 SDK program through IntelliJ IDEA (on Windows 10) which is using the Java 11 HttpClient to send a simple GET request to a site that has a self-signed certificate.

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

// No sslContext() is set, so TLS trust comes from the JDK's default truststore
final HttpClient httpClient = HttpClient.newBuilder()
        .version(HttpClient.Version.HTTP_1_1)
        .connectTimeout(Duration.ofSeconds(10))
        .build();

// url is the https:// address of the site with the self-signed certificate
HttpRequest request = HttpRequest.newBuilder()
            .uri(new URI(url))
            .GET()
            .build();

// Throws an IOException (SSLHandshakeException) if the server certificate is not trusted
HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());

This was initially resulting in a "pkix path building failed" error, which I solved by adding the site's certificate to the local truststore C:\Users\[username]\.jdks\azul-11.0.16.1\lib\security\cacerts

Problem solved. Except now I need to reproduce that issue again, so I went to remove that certificate from the cacerts file and restarted the whole PC for good measure.

However, even with the certificate removed from cacerts, there are no errors and the request is still going through as if the certificate was still trusted. I thought any possible caching might be eliminated by restarting the machine.

I am out of ideas, and problems with removing a previously added certificate are not a very hot topic for googling. What could be going on here that I'm missing?

user742925
  • There is another chance to reproduce the issue - if you have control on the server: Self-sign a new certificate and install it on the server side. – Queeg Jan 31 '23 at 20:20
  • Startup your application with command line options pointing to another truststore. You could even create an empty one to start with. – Queeg Jan 31 '23 at 20:23
  • You should probably avoid modifying `cacerts`. [This discussion](https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-32CF3420-56E8-4BC5-8D3B-1F6B4692A290) explains some better options, including create your own file of trusted certificates. – President James K. Polk Feb 01 '23 at 14:54
  • You can use `keytool` to examine the `cacerts` file, or an application like KeyStore Explorer. Just taking a wild guess here but the problem may be that your platform has multiple JDKs installed, and you modified the cacerts file of one of these but then tried to remove it from a different one, or you ran the program the first time using one JDK but ran it the second time using a different JDK. I would try running it using the full absolute pathname to the `java` executable to help diagnose the issue. – President James K. Polk Feb 01 '23 at 14:57
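The following program is an added diagnostic example, not code from the question or the comments. It prints which JDK the program actually runs under and which truststore that JDK will consult by default (the `javax.net.ssl.trustStore` property first, then `lib/security/jssecacerts` if it exists, then `lib/security/cacerts`), reports whether a given alias is still present there, and then repeats the GET with an explicitly supplied, empty truststore so that the PKIX failure can be reproduced regardless of what was added to any `cacerts` file. The URL and the alias are command-line arguments (the alias `selfsigned` is an assumed default); `changeit` is the JDK's documented default `cacerts` password.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.time.Duration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {

    // Resolve the truststore the running JDK uses when no SSLContext is supplied,
    // in the order documented in the JSSE reference guide.
    static Path effectiveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        Path securityDir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = securityDir.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : securityDir.resolve("cacerts");
    }

    // Load a truststore file; the default KeyStore type reads both JKS and PKCS12 files on JDK 9+.
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build an HttpClient whose trust decisions come only from the given KeyStore,
    // instead of from whichever cacerts file the current JDK happens to ship.
    static HttpClient clientTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return HttpClient.newBuilder()
                .version(HttpClient.Version.HTTP_1_1)
                .connectTimeout(Duration.ofSeconds(10))
                .sslContext(ctx)
                .build();
    }

    public static void main(String[] args) throws Exception {
        String url = args[0];                                      // https:// URL of the self-signed site
        String alias = args.length > 1 ? args[1] : "selfsigned";   // alias used with keytool -importcert (assumption)

        Path store = effectiveTrustStore();
        System.out.println("java.home            = " + System.getProperty("java.home"));
        System.out.println("effective truststore = " + store);

        // "changeit" is the JDK default cacerts password; the check fails loudly if the file was changed.
        KeyStore defaultStore = loadTrustStore(store, "changeit".toCharArray());
        System.out.println("alias '" + alias + "' present in that file: " + defaultStore.containsAlias(alias));

        // An empty in-memory truststore trusts nothing, so a self-signed server must fail with a PKIX error.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);

        HttpRequest request = HttpRequest.newBuilder().uri(new URI(url)).GET().build();
        try {
            HttpResponse<String> response = clientTrusting(empty)
                    .send(request, HttpResponse.BodyHandlers.ofString());
            System.out.println("UNEXPECTED: request succeeded with an empty truststore, status " + response.statusCode());
        } catch (IOException e) {
            // SSLHandshakeException ("PKIX path building failed") is the expected outcome here
            System.out.println("Expected failure with empty truststore: " + e);
        }
    }
}
```

Run it with the absolute path of the `java` binary from each installed JDK (for example the `.jdks\azul-11.0.16.1\bin\java.exe` one from the question and the one IntelliJ has selected as the project SDK); if `java.home` or the effective truststore path differs between runs, the certificate was removed from a file the program never reads. The same alias check can be done from the command line with `keytool -list -keystore <path> -storepass changeit -alias <alias>`, and `keytool -delete -alias <alias> -keystore <path> -storepass changeit` removes it from the file that is actually in use.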
