
How to resolve javax.net.ssl.SSLHandshakeException: PKIX path building failed?

How do you resolve the exception javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target when using the Mailgun HTTP API in Java applications?

Environment

  • JDK 1.8.0_40
  • Spring Boot 1.2.5

Problem

error.log
INFO | jvm 1 | 2020/08/29 21:14:47 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
INFO | jvm 1 | 2020/08/29 21:14:47 | at com.bswen.wx.utils.EmailHttp.postMessage(EmailHttp.java:115)

Solution #1

Upgrade your JRE/JDK to 8u91 (or higher), which includes the “DigiCert Global Root G2” CA root.

Solution #2

Download the CA certificate manually like this:

Import the “DigiCert Global Root G2”. You can download the root from DigiCert Root Certificates. Ensure you are downloading the correct root certificate.

Once the certificate is downloaded, you’ll need to import it using a command like the following:

import_certificate.sh
keytool -import -trustcacerts -keystore /path/to/cacerts -storepass changeit -noprompt -alias digicert-global-root-g2 -file /path/to/digicert.crt
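
One way to act on "ensure you are downloading the correct root certificate" before running the import (an added example, not part of the original post): the script compares the file's SHA-256 fingerprint with the value published on the CA's own site and only then runs the same keytool import. The function names and the four-argument call are assumptions of this example, and the expected fingerprint is supplied by you rather than embedded here.

```shell
#!/bin/sh
# Added example: check a downloaded root certificate's SHA-256 fingerprint
# before importing it into cacerts. Function names are hypothetical.

# Strip colons/whitespace and upper-case, so "ab:cd" and "ABCD" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if the first value is 64 hex digits and equals the second.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_sha256() {
    keytool -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Args: cert file, keystore path, alias, expected fingerprint (from the CA's site).
verify_and_import() {
    cert=$1; keystore=$2; ks_alias=$3; expected=$4
    actual=$(cert_sha256 "$cert")
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch, not importing $cert" >&2
        return 1
    fi
    # Skip the import when the alias is already in the keystore.
    if keytool -list -keystore "$keystore" -storepass changeit \
            -alias "$ks_alias" >/dev/null 2>&1; then
        echo "alias $ks_alias already present in $keystore"
        return 0
    fi
    keytool -import -trustcacerts -keystore "$keystore" -storepass changeit \
        -noprompt -alias "$ks_alias" -file "$cert"
}

# Runs only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    verify_and_import "$@"
fi
```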

Reason

Because Symantec’s PKI infrastructure has become untrusted, we now need the “DigiCert Global Root G2” certificate. Some older versions of Java do not include the “DigiCert Global Root G2” CA in their trust store, so you should either upgrade your JDK/JRE or download the certificate and import it manually into the existing JRE/JDK.

Summary

The javax.net.ssl.SSLHandshakeException: PKIX path building failed error occurs when the Java application cannot establish a trusted SSL connection due to a missing CA certificate. This post provides two solutions: upgrading the JDK/JRE to a version that includes the required certificate or manually importing the “DigiCert Global Root G2” certificate. Both methods ensure that your Java application can establish a secure connection with services like Mailgun.

Final Words + More Resources

My intention with this article was to help others who might be considering solving such a problem. So I hope that’s been the case here. If you still have any questions, don’t hesitate to ask me by email: Email me
