JDK8 -> JDK10: PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target
Question
Problem
- I have a SpringBoot application using an app called
Launchdarkly, which makes use ofokhttp - I'm migrating from JRE 8 to JRE 10, calls to other resources work, but fails in calls made using
okhttp
EDIT : This could happen with any app that has a certificate chain similar to the one used by our app.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Exception
The error occurs in thie thread...
config-server_1 | 2018-11-10T21:25:19,147 67327 | DEBUG | okhttp-eventsource-[] ["okhttp-eventsource-stream-[]-0" {}] Connection problem.
config-server_1 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
config-server_1 | at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339) ~[?:?]
config-server_1 | at sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968) ~[?:?]
config-server_1 | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777) ~[?:?]
config-server_1 | at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:195) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
Setup
- Using
jlinkand selecting modules to build a small JRE- Installed using Docker at https://dev.to/gimlet2/dockerizing-java-10-spring-boot-app-3b4c
- Current app runs on JRE8 in Docker (same base image)
- I only have
JAVA_HOMEset... Not sure if we need anything else
Java 10 version details
Installed using the method above
root@e0776fd790e7:/runtime# ls -la /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 177280 Oct 29 16:29 /etc/ssl/certs/java/cacerts
root@e0776fd790e7:/runtime# java -version
openjdk version "10" 2018-03-20
OpenJDK Runtime Environment 18.3 (build 10+46)
OpenJDK 64-Bit Server VM 18.3 (build 10+46, mixed mode)
Keystore is set
The java 10 keystore can see it
root@17000659d1ec:/runtime# keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 80 entries
This is as described at https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates
Attempts
- I'd like to learn if there's anything you can help
- Tried to call cacerts from java 8 to java 10
-
Tried to symlink or copy cacerts from JRE dir to
/etc/ssl/certs/java/cacertsWORKS! ALONG WITH COPYING FROM JDK 8 - Tried setting
-Djavax.net.ssl.trustStore=/opt/jdk-minimal/jre/lib/security/cacerts
EDIT: See my answer
1 answers
solution1
2 ACCPTED 2018-11-11 07:59:19
Solution when migrating from JDK 8 to JDK 10
- The certificates are really different
- JDK 10 has 80, while JDK 8 has 151
- JDK 10 has been recently added the
certs
JDK 10
root@c339504909345:/opt/jdk-minimal/jre/lib/security # keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 80 entries
JDK 8
root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts # keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 151 entries
Steps to fix
I haven't checked which certificate chain is not being trusted, but the server's URL certs are valid... The cacerts from JDK 10 has a chain that's broken as of Today. I can assert that because the download from https://download.java.net/java/GA/jdk10/10/binaries/openjdk-10_linux-x64_bin.tar.gz is being installed in a brand new Docker Image.
- I deleted the JDK 10 cert and replaced it with the JDK 8
- Since I'm building Docker Images, I could quickly do that using Multi-stage builds
- I'm building a minimal JRE using
jlinkas/opt/jdk/bin/jlink \\ --module-path /opt/jdk/jmods...
- I'm building a minimal JRE using
So, here's the different paths and the sequence of the commands...
# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts
# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
javax.mail.MessagingException: PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target;
PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target
SSLHandshakeException: PKIX path building failed SunCertPathBuilderException: unable to find valid certification path to requested target
PKIX building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
CXF:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target?
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
unable to find valid certification path to requested target PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException
PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested
PKIX path building failed: unable to find valid certification path to requested target - imported CERT
Related Tags