java certificate ssl-certificate keystore truststore

Sudden "unable to find valid certification path to requested target"


I have a Java application that has been working fine until recently. It started raising the exception: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have a few versions of this application. For compilation and running: some are using the Java 8 that's on my path, some are using a specific reference to a Java 11 I have and some use an embedded Red Hat Java 11... Each uses a copy of the PKCS12 keystore. So, let's assume this file isn't corrupted.

  • All suddenly stopped working with the above exception!

  • To make matters more frustrating, simulating the failing API calls on the same machine, using Postman is passing just fine!

  • If it matters, the Java applications use a PKCS12 keystore, which was generated by keytool from crt+key files (which are the ones Postman is using)

Any ideas what's going on? I did have a Java update lined up, I updated (1.8.0_261 now) and restarted - still the same problem...

Update: Admin shared with me the old and new server certificates (not sure they are allowed to do that?). I was able to see some minor changes. Especially interesting looks the issuer:
Old: DigiCert SHA2 Secure Server CA, DigiCert Inc
New: DigiCert TLS RSA SHA256 2020 CA1, DigiCert Inc
I guess it's a case of new issuer not trusted by Java? And I could potentially fix this by editing my cacerts file?
Would love a little light shed on this. So, I have some feeling of understanding, please :)


Solution

  • Sure, download the new intermediate certificate from DigiCert in PEM or DER format and import it to the CA store as trusted CA.

    After that the case should get fixed.
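
An offline way to confirm the diagnosis before changing any store on disk, as an added example that is not part of the original question or answer: it validates the new server certificate against the application's PKCS12 store, then adds the intermediate in memory and validates again. The class name, the file arguments and the alias `new-intermediate` are assumptions; revocation checking is switched off so that only path validation is tested.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

// Added example. Usage (file names are placeholders):
//   java CheckTrust truststore.p12 <password> new-server.crt intermediate.crt
public class CheckTrust {

    // Reads one X.509 certificate in PEM or DER format.
    static X509Certificate readCert(String file) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Returns "OK" if the server certificate chains to a trusted entry, else the reason.
    static String validate(KeyStore store, X509Certificate server) throws Exception {
        try {
            PKIXParameters params = new PKIXParameters(store); // uses trusted-cert entries only
            params.setRevocationEnabled(false);                // offline: no CRL/OCSP lookups
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(server));
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "OK";
        } catch (InvalidAlgorithmParameterException e) {
            // A store holding only a private-key entry has no trust anchors at all.
            return "store has no trusted certificate entries";
        } catch (CertPathValidatorException e) {
            return "FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            store.load(in, args[1].toCharArray());
        }
        X509Certificate server = readCert(args[2]);
        X509Certificate intermediate = readCert(args[3]);
        System.out.println("server issuer: " + server.getIssuerX500Principal());
        System.out.println("before import: " + validate(store, server));
        // In-memory change only; the store file on disk is not modified.
        store.setCertificateEntry("new-intermediate", intermediate);
        System.out.println("after import:  " + validate(store, server));
    }
}
```

If the second check prints OK, the import described in the answer applies to whichever store each application actually loads as its trust store, which may be the PKCS12 file rather than the JRE's cacerts.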