PKIX path building failed or unable to find valid certification path to requested target


This tutorial shows how to resolve the “PKIX path building failed” or “unable to find valid certification path to requested target” error when opening a WebSocket or SSL connection.


I was trying to run the sample code to test a WebSocket connection from the corporate network. I got the following error, which says Java is unable to find a valid certification path to the requested target.

javax.net.ssl|ERROR|0D|WebSocketConnectReadThread-13|2022-10-12 09:20:48.122 IST|TransportContext.java:361|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
      at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
      at java.base/sun.security.validator.Validator.validate(Validator.java:264)
      at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:478)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:456)
      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:199)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1369)
      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1278)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
      at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:817)
      at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:906)
      at java.base/java.io.InputStream.read(InputStream.java:205)
      at org.java_websocket.client.WebSocketClient.run(WebSocketClient.java:515)
      at java.base/java.lang.Thread.run(Thread.java:834)
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
      at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
      at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
      ... 21 more}

Here is the sample code that I was trying.

WSSConnectionTest.java

import java.net.URI;
import java.net.URISyntaxException;

public class WSSConnectionTest {
      
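      public static void main (String[] args) {

            try {
                  // A wss:// URI makes the client perform a TLS handshake, during which the
                  // JVM validates the server's certificate chain against its trust store.
                  MyWebsocketClient clientEndPoint = new MyWebsocketClient (new URI("wss://lnabc89.execute-api.ap-south-1.amazonaws.com/test"));
                  // connect() returns immediately; the handshake runs on a background
                  // thread and failures are reported through onError().
                  clientEndPoint.connect();
            } catch (URISyntaxException e) {
                  e.printStackTrace();
            } catch (Exception e) {
                  e.printStackTrace();
            }

      }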

}

MyWebsocketClient.java

import java.net.URI;
import java.nio.ByteBuffer;
import org.java_websocket.client.WebSocketClient;
import org.java_websocket.drafts.Draft;
import org.java_websocket.handshake.ServerHandshake;

public class MyWebsocketClient extends WebSocketClient{
      
      
      public MyWebsocketClient(URI serverUri, Draft draft) {
            super(serverUri, draft);
      }

      public MyWebsocketClient(URI serverURI) {
            super(serverURI);
      }

      @Override
      public void onOpen(ServerHandshake handshakedata) {  
            System.out.println("new connection opened");
      }

      private void sendKeepAlivePingMessages() {
            // TODO Auto-generated method stub            
      }

      @Override
      public void onClose(int code, String reason, boolean remote) {
            System.out.println("closed with exit code " + code + " additional info: " + reason);
      }

      @Override
      public void onMessage(String message) {
            System.out.println("received message: " + message);
      }

      @Override
      public void onMessage(ByteBuffer message) {
            System.out.println("received ByteBuffer");
      }

      @Override
      public void onError(Exception ex) {
            System.err.println("an error occurred:" + ex);
      }

 
}

Let’s see with an example how to fix the SSL certificate or SSL handshake issue.

Solution: Fix for PKIX path building failed error

To fix the error above, follow these steps.

1: First, run the openssl command to get the server's SSL certificates.

# openssl s_client -showcerts -connect lnabc89.execute-api.ap-south-1.amazonaws.com:443

2: Copy the certificates and paste them into a file called myclientcert.crt

3: Import the certificates into your keystore using the keytool command

# keytool -import -alias awscert -file myclientcert.crt -keystore truststore -storepass changeit -noprompt

Note: I have the following JARs, Java source files and class files in my work directory.

root@snelap:~/work/websockettest# ls
MyWebsocketClient.class  MyWebsocketClient.java  Java-WebSocket-1.5.3.jar  WSSConnectionTest.class  WSSConnectionTest.java  egw.crt  logback.jar  slf4j.jar  truststore

After executing steps 1 to 3, I ran the following command to test my WebSocket/SSL connection.

# java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=./truststore -Djavax.net.ssl.trustStorePassword=changeit -cp ".:./Java-WebSocket-1.5.3.jar:./slf4j.jar:./logback.jar" WSSConnectionTest

Finally, you should see that the error has gone away!
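
Steps 1 to 3 as a script, added here as an example and not part of the original post: it splits the `openssl s_client -showcerts` output into one PEM file per certificate, prints each certificate's subject, issuer and SHA-256 fingerprint, and imports each one under its own alias. The function names, the `cert-N.pem` file names, the `awscert-N` aliases and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, cert-N.pem file
# names and awscert-N aliases are assumptions chosen for illustration.

# Constructed stand-in for `openssl s_client -showcerts` output: two PEM blocks
# (placeholder base64, not real certificates) inside the text s_client prints.
sample_showcerts() {
cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = leaf.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
subject=CN = leaf.example.test
EOF
}

# Read s_client output on stdin, write each certificate to DIR/cert-N.pem
# (N = position in the chain, 1 = leaf) and print how many were found.
split_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > out }
        /^-----END CERTIFICATE-----/   { keep = 0; close(out) }
        END { print n + 0 }'
}

# Print subject, issuer and SHA-256 fingerprint of each certificate, then
# import it under its own alias (cert-1.pem -> awscert-1). Needs openssl, keytool.
import_chain() {   # usage: import_chain DIR KEYSTORE STOREPASS
    for pem in "$1"/cert-*.pem; do
        name="aws$(basename "$pem" .pem)"
        openssl x509 -in "$pem" -noout -subject -issuer -fingerprint -sha256 || return 1
        keytool -import -alias "$name" -file "$pem" \
                -keystore "$2" -storepass "$3" -noprompt || return 1
    done
}

# Real use (HOST is a placeholder):
#   openssl s_client -showcerts -connect HOST:443 </dev/null | split_chain ./chain
#   import_chain ./chain truststore changeit
```

On a network with TLS inspection, the issuer printed for the leaf is typically the proxy's CA rather than a public one, so compare the fingerprints with a trusted source before relying on the truststore. Setting `-Djavax.net.ssl.trustStore` makes the JVM use only that store, so hosts not covered by the imported certificates will fail validation.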

Hope this helped 🙂

Michelle Lee
1 year ago

I wanted to take a moment to thank you. Your work is greatly appreciated!