Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
To **resolve SSLHandshakeException**, add the server's SSL certificate into your JVM keystore.
1. **Fetch** the certificate (**Psst! We're playing spies**):

```bash
openssl s_client -connect example.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.crt
```

   `s_client` hands you whatever certificate the other end served, so compare the fingerprint of `example.crt` with the one the server's owner published before you trust it.

2. **Import** the certificate into the keystore (**Like plugging in a USB drive, but cooler**):

```bash
keytool -importcert -file example.crt -keystore $JAVA_HOME/lib/security/cacerts -alias "example.com" -storepass changeit
```
**Aim of the Game**: The JVM needs to trust the server's SSL certificate. If it doesn't recognize it, you get a handshake failure.
This SSLHandshakeException typically means your JVM doesn't recognize or trust the certificate presented by the server. Comparable to frowning at a stranger at a party, your JVM won't communicate without a proper introduction. Let's make sure they're acquainted by adding the SSL certificate to the JVM's truststore.
The truststore is a curated list of the who's who of certificates the JVM trusts. Sounds important, right? Proceed with the fetching and importing of the certificate using openssl and keytool.
Diving Deeper: SSL Handshake and TrustStore
Take a Peek, is the certificate already there?
Check the truststore, maybe the certificate is already there partying without you.
```bash
keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit | grep "example.com"
```
Refresh your Java Version
When the root certificate authority itself is unrecognized, the fix may be as simple as updating Java: newer JDK releases ship a refreshed cacerts file. Think of it as an OS update that brings new security features along with trust for the latest root certificates.
Server Configurations: Tomcat Users
Are you a Tomcat user? Either let it use Java's default truststore, or point it at the right one with the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties. It's like setting the correct GPS coordinates before you start a journey.
Browser Detectives: SSL certificate clues
Using your browser to access the HTTPS URL can reveal valuable clues about the SSL certificate. It's a detective's tool to diagnose problems - minus the trench coat and magnifying glass.
Truststore Treasure Map
Your truststore is likely to be at $JAVA_HOME/jre/lib/security/cacerts (on JDK 9 and later, where the jre directory is gone, it is $JAVA_HOME/lib/security/cacerts). It's your treasure chest, and knowing its location is integral for any treasure hunt.
Authority Information Access to the Rescue
Using the JVM option -Dcom.sun.security.enableAIAcaIssuers=true is like a GPS helping you retrieve any missing intermediate CA certificates. Navigate towards a problem-free SSL handshake!
Self-signed Certificates: SSL Trusting
Working with self-signed certificates? Understand your workflow: there is no public CA to fall back on, so the certificate itself (or the private CA that issued it) has to be imported into the truststore, exactly as in the fetch-and-import steps above.
Certificate Retrieval with OpenSSL
Custom Certificate Trust
Advanced Tackling: SSL Issues
When You Risk It All: TrustAnyTrustManager
IMPORTANT: Totally not for Production! Sometimes, as a last easy resort during testing only, you might use TrustAnyTrustManager. It's like rolling dice with your eyes closed.
Apache HTTPClient Sleuths
The Real SSL Deal
Real SSL verification! If you want your data to stay private, don't take the TrustAnyTrustManager shortcut in production: it accepts any certificate at all, so anyone sitting on the path can impersonate the server without your JVM noticing.
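As an added example (not code from the original article), here is what the real deal looks like in Java: a client that trusts only a dedicated truststore built with the keytool command above, leaving PKIX validation and hostname checking switched on. The file name app-truststore.p12, the password changeit and the target https://example.com/ are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class DedicatedTrustStoreClient {
    // Assumption: a dedicated PKCS12 truststore created with keytool, e.g.
    //   keytool -importcert -file example.crt -keystore app-truststore.p12 \
    //     -storetype PKCS12 -alias "example.com" -storepass changeit
    // Keeping it apart from $JAVA_HOME/lib/security/cacerts means a JDK
    // upgrade cannot silently drop the certificates you imported.
    static final String TRUSTSTORE_PATH = "app-truststore.p12";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** Builds an SSLContext whose trust decisions come from the dedicated truststore only. */
    static SSLContext buildContext() throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(TRUSTSTORE_PATH)) {
            trustStore.load(in, TRUSTSTORE_PASSWORD);
        }
        // The default algorithm is PKIX: the same path validation that produced
        // the "PKIX path building failed" message, now run against our store.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://example.com/").openConnection();
        conn.setSSLSocketFactory(buildContext().getSocketFactory());
        // Hostname verification stays on; only the trust anchors changed.
        conn.connect(); // throws SSLHandshakeException if the chain is not trusted
        X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("HTTP " + conn.getResponseCode()
            + " from " + leaf.getSubjectX500Principal());
        conn.disconnect();
    }
}
```

If the server's chain is not in app-truststore.p12 the connect() call fails with the very SSLHandshakeException this article is about, which is the behaviour you want: a loud failure instead of a silent acceptance.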