“PKIX path building failed” or “unable to find valid certification path to requested target”
This tutorial shows how to resolve the “PKIX path building failed” or “unable to find valid certification path to requested target” error when opening a WebSocket or SSL connection.
I was trying to run the sample code to test a WebSocket connection from the corporate network. I got the following error, which says Java is unable to find a valid certification path to the requested target.
javax.net.ssl|ERROR|0D|WebSocketConnectReadThread-13|2022-10-12 09:20:48.122 IST|TransportContext.java:361|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:478)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:456)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:199)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1369)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1278)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:817)
    at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:906)
    at java.base/java.io.InputStream.read(InputStream.java:205)
    at org.java_websocket.client.WebSocketClient.run(WebSocketClient.java:515)
    at java.base/java.lang.Thread.run(Thread.java:834)
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 21 more}
Here is the sample code that I was trying.
WSSConnectionTest.java
import java.net.URI;
import java.net.URISyntaxException;

public class WSSConnectionTest {
    public static void main(String[] args) {
        try {
            // wss:// means WebSocket over TLS, so the server certificate is validated on connect
            MyWebsocketClient clientEndPoint = new MyWebsocketClient(
                    new URI("wss://lnabc89.execute-api.ap-south-1.amazonaws.com/test"));
            // connect() starts the connection on a background thread
            clientEndPoint.connect();
        } catch (URISyntaxException e) {
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
MyWebsocketClient.java
import java.net.URI;
import java.nio.ByteBuffer;

import org.java_websocket.client.WebSocketClient;
import org.java_websocket.drafts.Draft;
import org.java_websocket.handshake.ServerHandshake;

// Minimal client that only logs the WebSocket lifecycle events
public class MyWebsocketClient extends WebSocketClient {

    public MyWebsocketClient(URI serverUri, Draft draft) {
        super(serverUri, draft);
    }

    public MyWebsocketClient(URI serverURI) {
        super(serverURI);
    }

    @Override
    public void onOpen(ServerHandshake handshakedata) {
        System.out.println("new connection opened");
    }

    private void sendKeepAlivePingMessages() {
        // TODO Auto-generated method stub
    }

    @Override
    public void onClose(int code, String reason, boolean remote) {
        System.out.println("closed with exit code " + code + " additional info: " + reason);
    }

    @Override
    public void onMessage(String message) {
        System.out.println("received message: " + message);
    }

    @Override
    public void onMessage(ByteBuffer message) {
        System.out.println("received ByteBuffer");
    }

    // TLS handshake failures such as the PKIX error above are reported here
    @Override
    public void onError(Exception ex) {
        System.err.println("an error occurred:" + ex);
    }
}
Let’s see with an example how to fix the SSL certificate or SSL handshake issue.
Solution: Fix for PKIX path building failed error
To fix the above error, follow these steps.
1: First, run the openssl s_client command to get the SSL certificates that the server presents.
# openssl s_client -showcerts -connect lnabc89.execute-api.ap-south-1.amazonaws.com:443
2: Copy the certificates and paste them into a file called myclientcert.crt
3: Import the certificates into your keystore using the keytool command
# keytool -import -alias awscert -file myclientcert.crt -keystore truststore -storepass changeit -noprompt
Note, I have the following jars, Java and class files in my work directory.
root@snelap:~/work/websockettest# ls
MyWebsocketClient.class MyWebsocketClient.java Java-WebSocket-1.5.3.jar WSSConnectionTest.class WSSConnectionTest.java egw.crt logback.jar slf4j.jar truststore
After executing steps 1 to 3, I ran the following command to test my WebSocket/SSL connection.
# java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=./truststore -Djavax.net.ssl.trustStorePassword=changeit -cp ".:./Java-WebSocket-1.5.3.jar:./slf4j.jar:./logback.jar" WSSConnectionTest
The error should now be gone.
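Steps 1 to 3 as a script, added here as an example and not part of the original post: it writes each certificate from the -showcerts output to its own file, because keytool -import adds only the first certificate of a multi-certificate file as a trusted entry, and it prints every fingerprint for review before anything is imported. The function names and the cert-N.pem file naming are assumptions of this example.

```shell
#!/bin/sh
# Added example: steps 1-3 as reviewable shell functions. All function names
# and the cert-N.pem file naming are assumptions of this example.

# split_pem DIR: read `openssl s_client -showcerts` output on stdin, write each
# BEGIN/END CERTIFICATE block to DIR/cert-N.pem, print the number of blocks.
split_pem() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; copying = 1 }
        copying                       { print > out }
        /-----END CERTIFICATE-----/   { copying = 0; close(out) }
        END                           { print n + 0 }
    '
}

# fetch_chain HOST PORT DIR: step 1 plus step 2, without copy and paste.
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" \
        </dev/null 2>/dev/null | split_pem "$3"
}

# show_chain DIR: print subject, issuer and SHA-256 fingerprint of every file
# so they can be compared with a trusted source before anything is imported.
show_chain() {
    for f in "$1"/cert-*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    done
}

# import_chain DIR KEYSTORE STOREPASS PREFIX: step 3, one alias per certificate.
import_chain() {
    for f in "$1"/cert-*.pem; do
        name="$4-$(basename "$f" .pem)"
        keytool -import -alias "$name" -file "$f" -keystore "$2" \
            -storepass "$3" -noprompt || return 1
    done
}

# Usage (run by hand, reviewing the output of show_chain before importing):
#   dir=$(mktemp -d)
#   fetch_chain lnabc89.execute-api.ap-south-1.amazonaws.com 443 "$dir"
#   show_chain "$dir"
#   import_chain "$dir" truststore changeit awscert
```

On a network that intercepts TLS, the chain returned in step 1 can be the proxy's rather than the server's, which is why the fingerprints are printed before the import.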