PKIX path building failed. Should we be importing the certificate?

Question

We run a standard Linux, Apache, Tomcat, Java stack.

We had an issue over a month ago were one of the services we connect to updated their digital certificate overnight which broken the chain of trust. We got an error message of

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target connecting to POST

We did some research and found this a pretty common problem fixed by using the following

keytool -import -alias [AliasName] -keystore [PathToKeystoreFile] -file [PathToCertificate] -storepass [Password]

What confused us is their service helpdesk stated that no other customers were affected by the change and they where not sure why them updating the digital certificate broke our systems.

Fast forward a month and another service broke this time this time it was Rackspace. Handily they did an announce it on a community forum so you can see what was updated.

https://community.rackspace.com/products/f/dedicated-hybrid-hosting-forum/8674/rackspace-public-cloud-php-opencloud-sdk-errors-due-to-outdated-certificate-authority-list

The fix is exactly the same. My question is "Should we be getting these errors?" Is there a list of root certificates on our server that should be getting automatically updated? I feel we have a gap in our knowledge and by manually updating the certificates we are missing something fundamental to the correct operation of the system.

Answer 1

Keep your production JRE up to date. As a part of the Java update process your certificates will be updated. If you are running a JRE that is no longer receiving updates you will not get these and will eventually run into certificate issues.