Friday, December 13, 2013

Java client unable to find valid certification path to requested target

The keytool command is used to manipulate the java keystore. Using this POB recipe you should be able to authorize any certificate including self signed certificates, even expired certificates to your keystore. Do not add a self signed or expired certificate to the keystore of production servers though! So today we had the below problem which I have seen before multiple times before:
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)
However adding the certificate to the keystore had no effect. The only explanation for a behavior like this is that the client java program is not using still the certificate meaning most likely is not pointing to the keystore we think it is. Path issues are the first to look for and in my case someone for some reason pointed the java binary to the default java installation in the servers:
$ ls -al /usr/bin/java
lrwxrwxrwx 1 root root 22 Dec 13 13:39 /usr/bin/java -> /etc/alternatives/java
Which was corrected manually as:
sudo rm /usr/bin/java
sudo ln -s /opt/jdk/bin/java  /usr/bin/java

No comments:

Followers