Unable to find valid certification path to requested target

 
Ranch Hand
Posts: 270
Hi.

I have some server SSL certificates "installed" / "placed" on my Tomcat server to be able to call some external web services using HTTPS.

The Tomcat container is automatically restarted every night. Sometimes, not every day, which is strange, I get this error after a restart:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is how I install the certificates:
I just upload the certificates "Filename.crt" to the java security folder: "/usr/java/to/path/to/jre/security/Filename.crt"

Question 1:
Why does this error occur from time to time only and not every day?

Question 2:
What is the difference between putting the certificates in the folder "/usr/java/to/path/to/jre/security/" like I do versus importing the certificates to a keystore using Java Keytool, ie:
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Question 3:
I read that all root CA have to be imported into Java keystore: please see:
http://stackoverflow.com/questions/7205418/truststore-and-reocurring-unable-to-find-valid-certification-path-to-requested

Is that right?
I hope you can help give me some answers please?
 
Ranch Hand
Posts: 34
Are you saying that Tomcat restarts by itself every day? Or do you explicitly restart it for some reason?

Regardless, trusted CA certificates may be in one of many places: i) the cacerts file from JAVA_HOME/jre/lib/security; ii) application-specific keystore.jks files; or iii) any file of your choice.

When the CA cert is imported using keytool into cacerts, the certificate is trusted by ALL applications that use that JVM.

When the CA cert is imported using keytool into a specific keystore.jks file, the certificate is trusted by that specific application using that keystore; in your case, it would be the Tomcat application.

When the CA cert is imported using keytool into a filename of your choice, the certificate is NOT visible to anything unless you specify options on the command-line to Java that it should use the custom file with the CA cert in it.

As for the file stored as Filename.crt in the JAVA_HOME/jre/lib/security folder, it does nothing. Unless you've created some application or script that automatically imports files with a .crt extension into the cacerts file each time you restart. That might explain the bizarre behavior you're seeing.

Arshad Noor
StrongAuth, Inc.
 
Jeppe Sommer
Ranch Hand
Posts: 270
Yes Tomcat restarts itself every day.

I have created my own keystore called myCompany.jks. This keystore is located in: $JAVA_HOME/jre/lib/security/myCompany.jks.

I have imported all certificates into this keystore, both the CARoot and lowest certificates in the chain.

I use the keytool command:
keytool -import -trustcacerts -file CARoot.crt -alias CARoot -keystore $JAVA_HOME/jre/lib/security/myCompany

So from what you are saying:

When the CA cert is imported using keytool into a filename of your choice, the certificate is NOT visible to anything unless you specify options on the command-line to Java that it should use the custom file with the CA cert in it.


- the conclusion is that I have to import the certificates into cacerts instead of using my own keystore called myCompany.jks?

What is strange is that it works sometimes, but only from time to time.

I have read that you can setup a connector in Tomcat /conf/server.xml configuration file, please see:
http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

- but it didn't help either.


 
Arshad Noor
Ranch Hand
Posts: 34

- the conclusion is that I have to import the certificates into cacerts instead of using my own keystore called myCompany.jks?



If you want it to consistently work without specifying any -D options for specific keystores/truststores, then yes, you should pull the trusted CA cert into the "cacerts" file. Alternatively, you can keep it in your custom file, but consistently specify the location of the keystore/truststore on the command-line that starts the JVM; see this thread for more: https://coderanch.com/t/561288/Security/javax-net-ssl-keyStore-javax.

Arshad Noor
StrongAuth, Inc.
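An added diagnostic, written for this thread and not code from either poster: it resolves the truststore the way JSSE does (the javax.net.ssl.trustStore property first, otherwise jssecacerts and then cacerts under java.home), then reports whether a given alias is actually in that store. This ties together the three locations Arshad lists above and the -D option he mentions in this reply. The class name, the "caroot" default alias and the assumption that cacerts still uses the default password "changeit" are mine.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

/** Shows which truststore this JVM would consult and whether an alias is present in it. */
public class TrustStoreCheck {

    /** Mirrors the JSSE default lookup order (assumption: standard OpenJDK/Oracle behaviour). */
    static Path resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop);                 // explicit -Djavax.net.ssl.trustStore wins
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /** Loads a JKS/PKCS12 store; a wrong password or corrupt file throws here. */
    static KeyStore load(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "caroot";   // JKS aliases are case-insensitive
        Path store = resolveTrustStore();
        System.out.println("Truststore in use: " + store);
        // Default cacerts password is "changeit"; override with -Djavax.net.ssl.trustStorePassword
        char[] pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        KeyStore ks = load(store, pw);
        System.out.println("Trusted entries: " + ks.size());
        if (ks.containsAlias(alias) && ks.isCertificateEntry(alias)) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " -> " + c.getSubjectX500Principal()
                    + ", valid until " + c.getNotAfter());
        } else {
            // A loose Filename.crt beside cacerts is never read; only entries in the store count
            System.out.println(alias + " is NOT in this truststore");
        }
    }
}
```

Run it once with no options to see what Tomcat gets by default, and once with -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/myCompany.jks to confirm the custom store contains CARoot; if the alias is present only in the second run, the nightly restart is not passing that option.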
 