Java“无法找到有效的证书”，尽管 TrustStore 包含根证书

Question

I'm trying to send an HttpRequest to " https://api.ecs.echa.europa.eu " using

HttpRequest request = HttpRequest.newBuilder()
                .uri(URI.create("https://api.ecs.echa.europa.eu"))
                .GET()
                .build();
HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());

Executing this code I get javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Now I already found a solution to this problem by adding the certificate to my java truststore under $JAVA_HOME/jre/lib/security/cacerts

What I still don't understand, is why this is necessary:

The specific website ( https://api.ecs.echa.europa.eu ) uses the root certificate DigiCert Global Root CA , which is already contained in the java truststore. Why is that not enough?

Sending requests to other websites that use this root certificate does work...

Thanks for your help :)

Answer 1

The reason why this error happens (probably) is because of a misconfigured server. You can check here: https://whatsmychaincert.com/?api.ecs.echa.europa.eu

This site will tell you if your server cert chain is properly configured, which doesn't seem so.

Also, you are able generate the full cert chain on the same site using your public key.

Try to fix this and test again.