Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Question

I have a class that will download a file from a https server. When I run it, it returns a lot of errors. It seems that I have a problem with my certificate

Answer 1

I had the same issue with a valid signed wildcard certificate from symantec.

First try running your java application with -Djavax.net.debug=SSL to see what is really going on.

I ended up importing the intermediate certificate which was causing the cert chain to break.

I downloaded the missing intermediate cert from symantec (you can see the download link to the missing cert in the ssl handshake log: http://svrintl-g3-aia.verisign.com/SVRIntlG3.cer in my case).

And I imported the cert in the java keystore. After importing the intermediate certificate my wildcard ssl cert finally started working:

keytool -import -keystore ../jre/lib/security/cacerts -trustcacerts -alias "VeriSign Class 3 International Server CA - G3" -file /pathto/SVRIntlG3.cer

Answer 2

In my case I'm running MacOs High Sierra with Java 1.6. The cacert file is in a different location than referenced above in Gabe Martin-Dempesy's answer. The cacert file was also already linked to another location (/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts).

Using FireFox, I exported the certificate from the web site in question to a local file called "exportedCertFile.crt". From there, I used keytool to move the certificate into the cacert file. This fixed the problem.

bash-3.2# cd /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/
bash-3.2# keytool -importcert -file ~/exportedCertFile.crt -alias example -keystore cacerts -storepass changeit

Answer 3

The problem appears when your server has self signed certificate. To workaround it you can add this certificate to the list of trusted certificates of your JVM.

In this article author describes how to fetch the certificate from your browser and add it to cacerts file of your JVM. You can either edit JAVA_HOME/jre/lib/security/cacerts file or run you application with -Djavax.net.ssl.trustStore parameter. Verify which JDK/JRE you are using too as this is often a source of confusion.

See also: How are SSL certificate server names resolved/Can I add alternative names using keytool? If you run into java.security.cert.CertificateException: No name matching localhost found exception.

Answer 4

Make sure that the https://176.66.3.69:6443/ have a valid certificate. you can check it via browser firstly if it works in browser it will work in java.

that is working for me

Answer 5

For those who like Debian and prepackaged Java:

sudo mkdir /usr/share/ca-certificates/test/  # don't mess with other certs
sudo cp ~/tmp/test.loc.crt /usr/share/ca-certificates/test/
sudo dpkg-reconfigure --force ca-certificates  # check your cert in curses GUI!
sudo update-ca-certificates --fresh --verbose

Don't forget to check /etc/default/cacerts for:

# enable/disable updates of the keystore /etc/ssl/certs/java/cacerts
cacerts_updates=yes

To remove cert:

sudo rm /usr/share/ca-certificates/test/test.loc.crt
sudo rm /etc/ssl/certs/java/cacerts
sudo update-ca-certificates --fresh --verbose