
Resolving: SunCertPathBuilderException: unable to find valid certification path to requested target

Full trace of my exception is:

javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

First of all, I'd like to say that I know that it's a very common exception, and I tried to apply different solutions, which I'll describe later, but nothing helped me.

So, I have two instances of Tomcat 7 on the same machine. Strictly speaking, these instances each have their own CATALINA_BASE directory but a common CATALINA_HOME. They are also isolated: the ports are configured so that the instances don't interfere. One instance, the server, has a deployed web application, a servlet. The other instance is for the client, a servlet too.

This is a fragment of server.xml of the server Tomcat:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="true" sslProtocol="TLS" 
        truststoreFile="C:/Users/dpivovar/ssl_server.jks" 
        truststorePass="start123"
        keystoreFile="C:/Users/dpivovar/ssl_server.jks" 
        keystorePass="start123"/>

And this is a fragment of server.xml of the client Tomcat:

<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS" 
        truststoreFile="C:/Program Files/Java/jdk1.7.0_45/jre/lib/security/cacerts" 
        truststorePass="changeit"
        keystoreFile="C:/Users/dpivovar/ssl_client.jks" 
        keystorePass="start123" />

Workflow: the client attempts a GET to the server, but it gets the exception described above.

What about certificates: I used the Java keytool. I made one keystore for the server and a separate one for the client. Each keystore contains the private key and public certificate of the corresponding side. In the above example the client truststore refers to the JRE cacerts keystore, because one of the solutions I found was to put the public certificate of the server into the JRE cacerts, but it doesn't work for me. Another solution I found ( http://www.nodsw.com/blog/leeland/2006/12/06-no-more-unable-find-valid-certification-path-requested-target ) offers, via the InstallCert tool, to get the public certificate of the server and then use it in the client truststore. So now there is a public certificate of the server in the JRE cacerts, but the exception is still raised. Also, I have a simple client example: it's a plain Java program; through system properties I set the required paths to the keystores which I use for the client, and in the same way I make a GET to the server and it works, the handshake occurs and the connection is established.

So can you help me: what can be wrong, what prevents the client which is deployed on Tomcat from establishing an SSL connection with the server?

    truststoreFile="C:/Users/dpivovar/ssl_server.jks" 
    truststorePass="start123"

These attributes do not exist. You have to set them via the system properties.

I solved this problem by setting the Java system properties for keystore / truststore and keystorePassword / truststorePassword in the Tomcat configuration.
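The practical distinction behind the answer above: the keystore and truststore attributes on a Connector only configure the TLS listener for incoming connections to that Tomcat instance. An outbound HttpsURLConnection opened from a servlet uses the JVM's default SSLContext, which is populated from the javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties (this is why the plain Java client in the question works). The alternative to process-wide properties is to build an explicit SSLContext for the outbound call, so the client-auth key and the trusted server certificate are scoped to that connection. The following is an added example, not code from the question or the answers; it reuses the client keystore path and password from the question, while the truststore path and the servlet URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Outbound mutual-TLS client for use inside the "client" servlet.
 * The server Connector has clientAuth="true", so the client must present
 * its own certificate (key manager) and must trust the server's certificate
 * (trust manager). Nothing here touches the JVM-wide defaults.
 */
public class MutualTlsClient {

    // Keystore path/password are taken from the question's client Connector.
    private static final String KEYSTORE      = "C:/Users/dpivovar/ssl_client.jks";
    private static final String KEYSTORE_PW   = "start123";
    // Assumed: a dedicated truststore containing the server's public
    // certificate (or its issuing CA), created with keytool -importcert.
    private static final String TRUSTSTORE    = "C:/Users/dpivovar/ssl_client_trust.jks";
    private static final String TRUSTSTORE_PW = "start123";
    // Assumed servlet path on the server instance from the question (port 8443).
    private static final String TARGET        = "https://localhost:8443/server/hello";

    static KeyStore load(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext buildContext() throws IOException, GeneralSecurityException {
        // Key manager: supplies the client certificate and private key
        // when the server requests client authentication.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(KEYSTORE, KEYSTORE_PW.toCharArray()), KEYSTORE_PW.toCharArray());

        // Trust manager: the server's chain must terminate in this store,
        // otherwise the handshake fails with exactly the PKIX error above.
        // Do not replace this with an accept-all TrustManager; that removes
        // server authentication and makes the connection trivially MITM-able.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE, TRUSTSTORE_PW.toCharArray()));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext();
        HttpsURLConnection conn = (HttpsURLConnection) new URL(TARGET).openConnection();
        // Scope the key/trust material to this connection only.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

If you prefer the process-wide route the accepted answer describes, pass `-Djavax.net.ssl.keyStore=...`, `-Djavax.net.ssl.keyStorePassword=...`, `-Djavax.net.ssl.trustStore=...` and `-Djavax.net.ssl.trustStorePassword=...` in CATALINA_OPTS (setenv.bat or setenv.sh in the client instance's bin directory), then restart that instance; the defaults are read once at JVM start. Two checks worth doing when the PKIX error persists: confirm with `keytool -list -v -keystore <truststore>` that the certificate actually in the store is the one the server presents (a regenerated server keystore silently invalidates an earlier export), and make sure the server certificate's CN or SAN matches the hostname you connect to, since a mismatch produces a separate hostname-verification failure after the path-building problem is fixed.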
