
Unable to find valid certification path to requested target error on IntelliJ IDEA


Although I can connect to a MongoDB database on a remote server using MongoDB Compass, when I try to connect using the same URI in IntelliJ IDEA, I get the following error:

... sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I had a look at and tried the workarounds in the following threads, but none of them worked:

I had already imported the necessary certificate files before, using the following command:

sudo /Library/Java/JavaVirtualMachines/jdk-21.jdk/Contents/Home/bin/keytool -importcert -file /<certificate_file_name>.pem \
  -keystore /Library/Java/JavaVirtualMachines/jdk-21.jdk/Contents/Home/lib/security/cacerts -alias "<certificate_alias>" -storepass changeit -noprompt

I also added this certificate via Tools > Server Certificates in IntelliJ IDEA, as suggested in this question, and tried to run the app by passing some VM options pointing to the certificate, but I am still getting the same error. The problem seems to be related to IntelliJ, as I am able to connect using the same URI via Compass. Is there anything else that I should check?


Solution

  • Assuming the "MongoDB database on a remote server" has a signed certificate.

    There are probably 3 or more certificates that you need to import into your keystore.

    The 3 or more certificates together form a certificate authentication chain.

    Read more about certificate chains here.

    The reported error message:

    Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    

    Indicates that the certificate chain is broken and that a certificate is missing.

    In this page there are some hints/instructions using openssl or browser to identify the missing certificates.

    You can also check an online certificate chain using openssl. For example, you can use the following command to check the details of a certificate from a website:

    echo | openssl s_client -servername hostname -connect host:port 2>/dev/null | openssl x509 -noout -text
    

    Replace hostname with the name of the server and host:port with the host and port number of the server you want to check.

    You can check a website's certificate chain using your web browser's developer tools or just by clicking the padlock icon in the web browser address bar. Here's how you can do it in Chrome using web developer tools:

    1. Visit the website.
    2. Open the Developer Tools (press F12).
    3. Click on the "Security" tab.
    4. Click on "View certificate".
    

    This will show you the certificate chain for the website.

    You can also receive the list of all required certificates in the chain from the "MongoDB database on a remote server" using the openssl command:

    openssl s_client -showcerts -servername <hostname> -connect <host>:<port> </dev/null 2>/dev/null
    

    Once you have the certificate chain:

    1. Use a text editor to extract the relevant certificates into pem files.
    2. Use the keytool command-line tool to insert the pem files into the keystore.

    I think there are good answers describing the extraction process in here and here.

    I also found this blog very helpful.
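
The two steps above (extract the certificates into pem files, then insert them with keytool) can be scripted. The following is an added example, not part of the original answer: the function names, the script name, the dedicated truststore path `./mongo-truststore.jks` and its password are assumptions.

```shell
#!/usr/bin/env bash
# Added example: split a server's certificate chain into PEM files and
# import each certificate into a Java truststore.

# split_chain DIR PREFIX: read `openssl s_client -showcerts` output on stdin,
# write every PEM certificate to DIR/PREFIX-N.pem, print the number found.
split_chain() {
    awk -v dir="$1" -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" prefix "-" n ".pem"; incert = 1 }
        incert { print > out }
        /-----END CERTIFICATE-----/ { incert = 0; close(out) }
        END { print n + 0 }'
}

# import_chain DIR PREFIX TRUSTSTORE STOREPASS: print subject and issuer of
# each extracted certificate, then import it under the alias PREFIX-N.
# A server normally does not send the root CA; if the last issuer printed is
# not already trusted, that CA certificate has to be obtained separately.
import_chain() {
    local pem alias
    for pem in "$1/$2"-*.pem; do
        [ -e "$pem" ] || continue
        alias=$(basename "$pem" .pem)
        openssl x509 -noout -subject -issuer -in "$pem"
        keytool -importcert -file "$pem" -keystore "$3" -alias "$alias" \
            -storepass "$4" -noprompt
    done
}

# Usage: ./import-chain.sh <host> <port> [truststore] [storepass]
# Nothing is contacted unless a host and port are given.
if [ "$#" -ge 2 ]; then
    workdir=$(mktemp -d)
    count=$(openssl s_client -showcerts -servername "$1" -connect "$1:$2" \
        </dev/null 2>/dev/null | split_chain "$workdir" chain)
    echo "server sent $count certificate(s)"
    import_chain "$workdir" chain "${3:-./mongo-truststore.jks}" "${4:-changeit}"
fi
```

To use the resulting file, start the application's JVM with `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` pointing at it.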