
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

Tags: java, ssl-handshake, truststore, ssl-verification

by Alex Kataev · Oct 20, 2024
TLDR
To **resolve SSLHandshakeException**, add the server's SSL certificate to the JVM's truststore (the cacerts keystore file).

1. **Fetch** the certificate (**Psst! We're playing spies**):

```shell
openssl s_client -connect example.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.crt
```

2. **Import** the certificate into the keystore (**Like plugging in a USB drive, but cooler**):

```shell
keytool -importcert -file example.crt -keystore $JAVA_HOME/lib/security/cacerts -alias "example.com" -storepass changeit
```

**Aim of the Game**: The JVM needs to trust the server's SSL certificate. If it doesn't recognize it, you get a handshake failure.

This SSLHandshakeException typically means your JVM doesn't recognize or trust the certificate from the server. Comparable to frowning at a stranger at a party, your JVM won't communicate without a proper introduction. Let's make sure they're acquainted by adding the SSL certificate to the JVM's truststore.

The truststore is a curated list of the who's who of certificates the JVM trusts. Sounds important, right? Proceed with the fetching and importing of the certificate using openssl and keytool.

Diving Deeper: SSL Handshake and TrustStore

Take a Peek: is the certificate already there?

Check the truststore; maybe the certificate is already there partying without you.

```shell
keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit | grep "example.com"
```

Refresh your Java Version

When the root certificate authority is unrecognized, updating your Java installation is often enough. Think of it as an OS update: each JDK release ships new security features and a refreshed cacerts with trust for the latest root certificates.

Server Configurations: Tomcat Users

Are you a Tomcat user? Either let it use Java's default truststore or point it at the right one with the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties. It's like setting the correct GPS coordinates before you start a journey.

Browser Detectives: SSL certificate clues

Using your browser to access the HTTPS URL can reveal valuable clues about the SSL certificate. It's a detective's tool to diagnose problems - minus the trench coat and magnifying glass.

Truststore Treasure Map

Your truststore is likely to be at: $JAVA_HOME/jre/lib/security/cacerts on a JDK 8 layout, or $JAVA_HOME/lib/security/cacerts on JDK 9 and later (the path the TLDR commands use). It's your treasure chest, and knowing its location is integral for any treasure hunt.

Authority Information Access to the Rescue

The JVM option -Dcom.sun.security.enableAIAcaIssuers=true lets the validator follow the certificate's Authority Information Access extension, like a GPS helping it retrieve any missing intermediate CA certificates. Navigate towards a problem-free SSL handshake!

Self-signed Certificates: SSL Trusting

Working with self-signed certificates? Understand your workflow.

- **Development/testing**: Override SSL verification if you feel rebellious; but remember, with great power comes great responsibility!
- **Production**: Import the certificate into the trusted fortress of your truststore.

Certificate Retrieval with OpenSSL

- When **server's UI is a no-show**, use the magic of `openssl s_client` to fetch the necessary certificate.

Custom Certificate Trust

- **Installing trusted keys** is like having a verified badge on your social media account. It heightens trust, shores up security, and enables smooth SSL communication.
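The same trust can be installed per application instead of JVM-wide. The Java program below is an added example, not code from the original post: it loads the PEM file produced by the openssl step above (the file name `example.crt` and the class name `PemTrust` are assumptions) into an in-memory truststore and uses it for a single HTTPS connection, so the PKIX validator still runs and hostname verification stays on.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Trust the certificate(s) in a PEM file for one HTTPS client only,
// leaving the JVM-wide cacerts truststore untouched.
// Usage: java PemTrust.java example.crt https://example.com/
public class PemTrust {
    // Builds an SSLContext whose trust anchors are exactly the certs in pemPath.
    static SSLContext contextTrusting(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // empty in-memory truststore: no file, no password
        try (InputStream in = new FileInputStream(pemPath)) {
            // Reads every BEGIN/END CERTIFICATE block, so a file saved from
            // `openssl s_client -showcerts` (the whole chain) works as well.
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            if (certs.isEmpty()) {
                throw new IllegalArgumentException("no certificates in " + pemPath);
            }
            int i = 0;
            for (Certificate c : certs) {
                trust.setCertificateEntry("pem-" + i++, c);
            }
        }
        // Default algorithm is PKIX: the same validator that raised the exception,
        // now handed a truststore that actually contains the server's chain.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        // Scoped to this connection only; hostname verification stays on.
        conn.setSSLSocketFactory(contextTrusting(args[0]).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getURL().getHost());
    }
}
```

Because the in-memory truststore starts empty, this client trusts only the certificates in the PEM file and nothing from cacerts, which is usually what you want for a private or self-signed endpoint.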

Advanced Tackling: SSL Issues

When You Risk It All: TrustAnyTrustManager

IMPORTANT: Totally not for Production! Sometimes, as a last easy resort during testing only, you might use TrustAnyTrustManager. It's like rolling dice with your eyes closed.

Apache HTTPClient Sleuths

- For **testing scenarios**, try Sherlock Holmes-ing by disabling the SSL verification in your client.

The Real SSL Deal

Real SSL verification! If you insist on keeping your data private, don't opt for the TrustAnyTrustManager shortcut in production.