PKIX path building failed - on valid Let's Encrypt certificate

I noticed today that my services reject the API's certificate. It's not a self-signed certificate but one issued by Let's Encrypt. It looks fine in browsers and on some online cert checking tools I found. It was running just fine last week, but somehow stopped doing so over the weekend. It's Java 12 (tried OpenJDK on Mac, Linux and OpenJ9 on Linux).

Do you guys have any idea on how to debug (or even fix) this? I've checked on various

Exception in thread "main" java.lang.IllegalStateException: OAuth Authentication failed from https://graph.homefully.tech/oauth/authorize
    at de.homefully.platform.graphclient.GraphClient.revalidateAccessToken(GraphClient.java:170)
    at de.homefully.platform.graphclient.GraphClient.execute(GraphClient.java:90)
    at de.homefully.platform.graphclient.GraphClient.query(GraphClient.java:66)
    at de.homefully.platform.adplacementjob.graphapi.AdPlacementSupplier.get(AdPlacementSupplier.java:18)
    at de.homefully.platform.adplacementjob.graphapi.AdPlacementSupplier.get(AdPlacementSupplier.java:11)
    at de.homefully.platform.adplacementjob.PlacementOrders.load(PlacementOrders.java:19)
    at de.homefully.platform.adplacementjob.JobExecutor.orderedPlacements(JobExecutor.java:38)
    at de.homefully.platform.adplacementjob.JobExecutor.main(JobExecutor.java:31)
    at de.homefully.platform.adplacementjob.RealEstateObjectPublisher.main(RealEstateObjectPublisher.java:9)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:441)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:419)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:404)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:364)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:221)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140)
    at de.homefully.platform.graphclient.GraphClient.revalidateAccessToken(GraphClient.java:147)
    ... 8 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:384)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:289)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625)
    ... 33 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:379)
    ... 39 more

Has the certificate expired? The fact you said it stopped over the weekend suggests that it might be.

I had the same issue and this was the cause. I noticed that when it couldn't find the valid certificate, I'd get: SEVERE: I/O Exception javax.net.ssl.SSLHandshakeException: . However, when the required certificate could be found BUT had expired I'd receive the same SEVERE: I/O Exception. sun.security.validator.ValidatorException.

I hope this helps.
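To tell the two causes discussed above apart (expired certificate versus no path to a trusted root), the following added example, which is not code from the question or the answer, records the chain the server presents while still delegating validation to the JRE's default trust manager. The class name `ChainProbe` and the default host `example.org` are placeholders.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

public class ChainProbe {                       // hypothetical class name
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.org";   // placeholder host
        // Default trust manager: backed by the running JRE's own cacerts.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager jre = (X509TrustManager) tmf.getTrustManagers()[0];

        // Records the presented chain, then delegates: validation is NOT relaxed.
        X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jre.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                jre.checkServerTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return jre.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();                  // handshake only, no request is sent
            System.out.println("handshake: OK");
        } catch (IOException e) {
            System.out.println("handshake: FAILED - " + e.getMessage());
        }
        if (seen[0] == null) { System.out.println("no certificate chain received"); return; }

        Set<X500Principal> anchors = new HashSet<>();
        for (X509Certificate a : jre.getAcceptedIssuers()) anchors.add(a.getSubjectX500Principal());
        for (X509Certificate c : seen[0]) {
            String validity = "within validity period";
            try { c.checkValidity(); }
            catch (CertificateExpiredException e) { validity = "EXPIRED"; }
            catch (CertificateNotYetValidException e) { validity = "NOT YET VALID"; }
            System.out.println("subject : " + c.getSubjectX500Principal().getName());
            System.out.println("  issuer  : " + c.getIssuerX500Principal().getName());
            System.out.println("  notAfter: " + c.getNotAfter() + " (" + validity + ")");
            System.out.println("  issuer in this JRE's trust store: "
                + anchors.contains(c.getIssuerX500Principal()));
        }
    }
}
```

Run it with the same JRE that fails, for example `java ChainProbe.java <host>`. The trust-store line is a name match on the issuer DN only, so treat it as a hint about where the chain breaks rather than as a signature check.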
