Java HTTPS connection with SSL certificate Error

I am trying to use an SSL certificate obtained from StartSSL.com on an Apache server. The browser connection is fine, but when I try to connect from a Java application I get this exception:

Exception on thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Failed to create PKIX path: sun.security.provider.certpath.SunCertPathBuilderException: Could not find a valid certification path for the requested target

I don't understand what the problem is because in the browser I got SSL with a green label.

+3




5 answers


The problem is that your Java doesn't trust the certificate. You have to import it into the Java truststore.

# Copy the certificate into the directory Java_home\Jre\Lib\Security
# Change your directory to Java_home\Jre\Lib\Security>
# Import the certificate to a trust store.
# Here the import command:

keytool -import -alias ca -file somecert.cer -keystore cacerts -storepass changeit [Return]

Trust this certificate: [Yes]

changeit is the default truststore password.

For each certificate that you import into your truststore, you must provide a new alias.

The import method is a quote from here

+5




This post is related to:

  1. Either the JRE does not have a root CA as a trusted entry in the keystore.
  2. The server is not sending the correct chain.

But 2 is not valid in your case as the browser is able to build the chain and verify the certificate.



Hence, you need to get the root CA and place it in the JRE keystore as a trusted entry. There are many resources out there that document how. One of them is: https://access.redhat.com/documentation/en-US/Fuse_Message_Broker/5.3/html/Security_Guide/files/i379776.html

EDIT 1: Since you want to share with a java app, we should try to get a certificate from a CA that has a root trust store already trusted for the Java versions supported by your app.

+1




As far as I understand it has to do with Java Certificate Keystore. Explicit certificate is not accepted. Here is a link on how to add a certificate to the Java keystore trusted certificates: https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html

0




There are several questions like this already on SO (like this: Failed to create PKIX path: could not find a valid certification path for the requested target ).

The usual answer to this question is that your java client does not have the certificates required to complete the certificate chain.

If you want a valid certificate validation, you need to figure out where the certificate chain breaks. If you don't (because it's a proof-of-concept or Dev sandbox or whatever), you can easily get around this by adding the certificate to the trust store you are using with your client.

Edit:

As for why your browser agrees with this, it is likely that your browser has the certificates in the chain that you need, or you absentmindedly told your browser to trust the certificate, even if it also failed to verify the certificate.

0




I recommend using the http-request built on top of the apache http api.

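import com.jsunsoft.http.HttpRequest;
import com.jsunsoft.http.HttpRequestBuilder;
import org.junit.Test;

import static org.apache.http.HttpHeaders.ACCEPT;
import static org.apache.http.HttpStatus.SC_OK;
import static org.apache.http.entity.ContentType.APPLICATION_XML;
import static org.junit.Assert.assertEquals;

public class HttpRequestSSLTest {

    // trustAllCertificates() accepts any certificate chain and trustAllHosts()
    // accepts any host name, so the server is not authenticated at all.
    private final HttpRequest<?> httpRequest = HttpRequestBuilder.createGet("https://mms.nw.ru/")
            .trustAllCertificates()
            .trustAllHosts()
            .addDefaultHeader(ACCEPT, APPLICATION_XML.getMimeType())
            .build();

    // Passes when the request returns HTTP 200 with certificate checks switched off.
    @Test
    public final void ignoreSSLAndHostsTest() throws Exception {
        assertEquals(SC_OK, httpRequest.execute().getStatusCode());
    }
}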

0

