java-How to resolve javax.net.ssl.SSLHandshakeException:PKIX path building failed ?
How to resolve javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target exception when using http API of mailgun in java applications?
Environment
- jdk1.8.0_40
- SpringBoot 1.2.5
Problem
INFO | jvm 1 | 2020/08/29 21:14:47 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
INFO | jvm 1 | 2020/08/29 21:14:47 | at com.bswen.wx.utils.EmailHttp.postMessage(EmailHttp.java:115)
INFO | jvm 1 | 2020/08/29 21:14:47 | at com.bswen.wx.service.EmailMessageProcessor.doRealMailSend(EmailMessageProcessor.java:587)
INFO | jvm 1 | 2020/08/29 21:14:47 | at com.bswen.wx.service.EmailMessageProcessor.lambda$realPushEmail$0(EmailMessageProcessor.java:567)
INFO | jvm 1 | 2020/08/29 21:14:47 | at com.bswen.wx.service.EmailMessageProcessor$$Lambda$4/1255380912.accept(Unknown Source)
INFO | jvm 1 | 2020/08/29 21:14:47 | at io.reactivex.internal.observers.LambdaObserver.onNext(LambdaObserver.java:63)
INFO | jvm 1 | 2020/08/29 21:14:47 | at io.reactivex.internal.operators.observable.ObservableSubscribeOn$SubscribeOnObserver.onNext(ObservableSubscribeOn.java:58)
INFO | jvm 1 | 2020/08/29 21:14:47 | at io.reactivex.internal.operators.observable.ObservableFromArray$FromArrayDisposable.run(ObservableFromArray.java:108)
INFO | jvm 1 | 2020/08/29 21:14:47 | at io.reactivex.internal.operators.observable.ObservableFromArray.subscribeActual(ObservableFromArray.java:37)
INFO | jvm 1 | 2020/08/29 21:14:47 | at io.reactivex.Observable.subscribe(Observable.java:12090)
INFO | jvm 1 | 2020/08/29 21:14:47 | at io.reactivex.internal.operators.observable.ObservableSubscribeOn$SubscribeTask.run(ObservableSubscribeOn.java:96)
INFO | jvm 1 | 2020/08/29 21:14:47 | at io.reactivex.Scheduler$DisposeTask.run(Scheduler.java:578)
INFO | jvm 1 | 2020/08/29 21:14:47 | at io.reactivex.internal.schedulers.ScheduledRunnable.run(ScheduledRunnable.java:66)
INFO | jvm 1 | 2020/08/29 21:14:47 | at io.reactivex.internal.schedulers.ScheduledRunnable.call(ScheduledRunnable.java:57)
INFO | jvm 1 | 2020/08/29 21:14:47 | at java.util.concurrent.FutureTask.run(FutureTask.java:266)
INFO | jvm 1 | 2020/08/29 21:14:47 | at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
INFO | jvm 1 | 2020/08/29 21:14:47 | at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
INFO | jvm 1 | 2020/08/29 21:14:47 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
INFO | jvm 1 | 2020/08/29 21:14:47 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
INFO | jvm 1 | 2020/08/29 21:14:47 | at java.lang.Thread.run(Thread.java:745)
INFO | jvm 1 | 2020/08/29 21:14:47 | Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.validator.Validator.validate(Validator.java:260)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
INFO | jvm 1 | 2020/08/29 21:14:47 | ... 40 common frames omitted
INFO | jvm 1 | 2020/08/29 21:14:47 | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
INFO | jvm 1 | 2020/08/29 21:14:47 | at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
INFO | jvm 1 | 2020/08/29 21:14:47 | ... 46 common frames omitted
INFO | jvm 1 | 2020/08/29 21:14:47 |
INFO | jvm 1 | 2020/08/29 21:14:47 | 2020-08-29 21:14:47.935 ERROR 20276 --- [readScheduler-1] c.bswen.wx.utils.EmailHttp :
INFO | jvm 1 | 2020/08/29 21:14:47 |
INFO | jvm 1 | 2020/08/29 21:14:47 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
INFO | jvm 1 | 2020/08/29 21:14:47 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
INFO | jvm 1 | 2020/08/29 21:14:47 | at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
Solution #1
Upgrade your JRE/JDK to 8u91 (or higher), which includes this CA root.
Solution #2
Download the CA certificate manually like this:
Iimport the “DigiCert Global Root G2” You can download the root from https://www.digicert.com/digicert-root-certificates.htm. Ensure you are downloading the correct root certificate.
Once the certificate is downloaded, you’ll need to import it into with a command like the following:
keytool -import -trustcacerts -keystore /path/to/cacerts -storepass changeit -noprompt -alias digicert-global-root-g2 -file /path/to/digicert.crt
Reason
Because Symantec’s PKI infrastructure becomes untrusted, we now need the “DigiCert Global Root G2” certificate, Some older versions of Java do not have the “DigiCert Global Root G2” CA. So you should upgrade your JDK/JRE or download and import the certificate by yourself into existing JRE/JDK.