
“PKIX path building failed” despite valid Verisign certificate

I'm having a similar problem as described here:

The Webserver I talk to updated its SSL cert and now my app can't talk to it

"PKIX path building failed" exception despite having a valid Verisign certificate.

What I don't understand is why the server works fine when I hit the same URL in a web browser.

The server is sending the whole certificate chain and I can see it in my web browser:

   (Verisign root)
     -> (VeriSign Class 3 Secure Server CA - G3)
       -> (my server)

But for some reason, Java and OpenSSL command line tools aren't seeing it.

wget fails, and openssl s_connect only sees the intermediate "G3" certificate.

Yet IE and Chrome - no problems.

What's going on here?

What you see in the browser isn't necessarily the chain sent by the server, but it's rather the chain reconstructed by the browser. It's possible that Windows has the G3 intermediate CA as a trusted anchor, whereas the other clients don't.

To check the actual chain sent by the server, use -showcerts with s_connect :

openssl s_client -showcerts -connect your.host.name:443

Make sure the chain is sent in the correct order: server certificate first, followed by intermediate certificates, if required.

Certificate chain
 0 s:/.../CN=your.host.name
   i:/.../CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/.../CN=VeriSign Class 3 Secure Server CA - G3
   i:/.../CN=Verisign root
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

(Just in case, check that you're getting the correct certs, just in case you're using SNI, but using versions of Java or OpenSSL that don't support it.)

A good tool to check this is the Qualys SSL Labs test.

In addition, depending on how wget or openssl were installed, they often don't have a default list of trusted anchors, so you would have to give them a path to a bundle of CA certificates explicitly.
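An added example, not part of the answer above: a small Python script that parses the `Certificate chain` section of `openssl s_client -showcerts` output and reports the two problems the answer warns about, certificates sent out of order (or with a gap) and a chain that stops at an intermediate which the client must already trust. The sample output is constructed; its names follow the chain from the question.

```python
import re
from typing import List, Tuple

# Constructed sample of `openssl s_client -showcerts` output (not a real capture).
SAMPLE = """\
Certificate chain
 0 s:/O=Example/CN=your.host.name
   i:/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
MIIB...(omitted)...
-----END CERTIFICATE-----
 1 s:/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
   i:/O=VeriSign, Inc./CN=Verisign root
-----BEGIN CERTIFICATE-----
MIIB...(omitted)...
-----END CERTIFICATE-----
---
"""

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")  # " 0 s:/CN=..." (also "s:CN = ..." form)
_ISSUER = re.compile(r"^\s*i:(.*)$")

def parse_showcerts(text: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server actually sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        if (m := _SUBJECT.match(line)):
            subject = m.group(2).strip()
        elif (m := _ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def audit_chain(chain: List[Tuple[str, str]]) -> List[str]:
    """Explain why a strict client (Java, OpenSSL) may reject what the server sent."""
    findings = []
    if not chain:
        return ["no certificates seen: handshake failed, or the SNI name was wrong"]
    for (subj, iss), (next_subj, _) in zip(chain, chain[1:]):
        if iss != next_subj:  # each cert must be followed by the cert that issued it
            findings.append(f"'{subj}' is issued by '{iss}' but the next cert is '{next_subj}': out of order or missing intermediate")
    last_subj, last_iss = chain[-1]
    if len(chain) == 1 and last_subj != last_iss:
        findings.append("only the leaf is sent: clients without the intermediate cached fail PKIX path building")
    if last_subj == last_iss:
        findings.append(f"chain ends at self-signed root '{last_subj}', which must still be in the client's trust store")
    else:
        findings.append(f"chain stops below the root: '{last_iss}' must be in the client's trust store (Java cacerts / OpenSSL CA bundle)")
    return findings
```

Pipe real output into `parse_showcerts` (for example `openssl s_client -showcerts -connect your.host.name:443 </dev/null`) and run `audit_chain` on the result.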

It seems that G3 is not considered trusted by Java/openssl.

This can happen because the root certificate must reside locally (on the client) in order to be trusted. If the verisign root certificate in question is not trusted locally, then it doesn't matter if it's included in the chain sent by the server - it's not trusted by the client.
