
Sudden error: ValidatorException: PKIX path building failed

My Spring Boot application uses REST to connect to different external URLs, all having the same domain. For these URLs I received certificates and different credentials.

For 2 days now, the connections don't work anymore, as I receive the "ValidatorException PKIX path building failed" error (below is the full stack trace of the exception).

Before, I created for each URL a specific REST Template where I set the SSLContext together with the specific keystore information and client credentials.

I managed to fix the error when I added the following trust store to my SSLContext (I received a CA file):

        // Create Trust Managers
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Certificate ca = certificateFactory.generateCertificate(caInput);
        String alias = ((X509Certificate) ca).getSubjectX500Principal().getName();
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null);
        trustStore.setCertificateEntry(alias, ca);
        TrustManager[] trustManagers = {new CustomTrustManager(trustStore)};

Can you please give me a hint:

  1. How can I use the same TrustStore for all my connections? Even though I have the same domain, I have received different certificates for these URLs and need different client credentials to connect (so for each RestTemplate object, I configure a different SSLContext). I am also calling the URLs in parallel (using JMS queues), so I was wondering whether I could have problems accessing the same CA file at the same time.
  2. How can you explain why these URLs suddenly stopped working? We didn't change our Java version, locally or in the cloud. I am a little new to the authorization part and I cannot understand how it was working before and suddenly stopped.

Thank you!

  org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://....": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:696)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:644)
at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:296)

What this error generally means is that the server you are trying to communicate with uses a certificate where (1) you don't have the certificate connected to your client and (2) you don't have the intermediate certificate used to create the server side certificate connected to your client. Typically, you will see this error when the certificate is either self-signed, or signed by a certificate authority not in the standard keystore of Java.

To make sure that all invocations from your client has the, you should add the certificate to the keystore used by your application. This could be either the standard Java keystore, or an application-specific keystore that is connected to your JVM using the startup parameters -Djavax.net.ssl.trustStore=<path to keystore> and -Djavax.net.ssl.trustStorePassword=<password>.

This error can suddenly appear if the server changed its certificate, to something that your client does not know about.
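One way to share a single trust store across several client identities, as an added example that is not part of the original question or answers: the CA file is read once at startup, and each endpoint gets its own SSLContext built from its own client key store plus the shared trust managers. The class name, method names and the PKCS#12 client key store format are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: one trust store for all endpoints, one key store per endpoint.
public final class SharedTrustSslContexts {
    // Built once in the constructor; parallel callers never re-read the CA file.
    private final TrustManager[] trustManagers;

    public SharedTrustSslContexts(Path caFile) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty store: only the supplied CA(s) will be trusted
        try (InputStream in = Files.newInputStream(caFile)) {
            int i = 0;
            // Reads every certificate in the file, so a bundle with intermediates also works.
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                trustStore.setCertificateEntry("ca-" + i++, c);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        this.trustManagers = tmf.getTrustManagers();
    }

    // Per-endpoint context: its own client certificate, the common trust managers.
    public SSLContext forClient(Path clientP12, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(clientP12)) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustManagers, null);
        return ctx;
    }

    // Usage: java SharedTrustSslContexts <ca file> <client .p12> <password>
    public static void main(String[] args) throws Exception {
        SharedTrustSslContexts shared = new SharedTrustSslContexts(Path.of(args[0]));
        SSLContext ctx = shared.forClient(Path.of(args[1]), args[2].toCharArray());
        System.out.println("SSLContext ready, protocol: " + ctx.getProtocol());
    }
}
```

Because the trust store here starts empty, the JDK's default CA bundle is not consulted; if the server later moves to a certificate issued by a different CA, the handshake fails with the same PKIX error until the new CA is added.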

This problem occurs inside an IDE (like IntelliJ); if you just run it in a terminal outside of the IDE, it works. To run or debug in the IDE, the certificate should be added in IntelliJ.
