Java test HTTPS request to https://helloworld.letsencrypt.org/
// Based on java example: http://docs.oracle.com/javase/tutorial/networking/urls/readingWriting.html
// save as: URLConnectionReader.java
// compile using JDK: javac URLConnectionReader.java
// run: java URLConnectionReader
// good path: returns HTML
// bad path: throws an exception
import java.net.*;
import java.io.*;
import java.nio.charset.StandardCharsets;

public class URLConnectionReader {
    public static void main(String[] args) throws Exception {
        URL url = new URL("https://helloworld.letsencrypt.org/");
        // The TLS handshake uses the JVM's default truststore (cacerts).
        URLConnection yc = url.openConnection();
        // try-with-resources closes the stream even if reading fails.
        try (BufferedReader in = new BufferedReader(new InputStreamReader(
                yc.getInputStream(), StandardCharsets.UTF_8))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                System.out.println(inputLine);
            }
        }
    }
}

Is it working for you?

I'm getting errors, only for helloworld.letsencrypt.org and probably other letsencrypt domains, my code works for other HTTPS servers...
I'm using Java8 / OSX

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've even tried adding their root CA in the truststore but it doesn't work either...

Enabling ssl debug info shows
Unparseable CertificatePolicies extension due to java.io.IOException: No data available in policyQualifiers

I'm stuck now...

Owner

Firefishy commented Dec 27, 2015

@chrisDeFouRire Letsencrypt is not in the default list of CAs in the Oracle Java JDK. Discussion here: https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134

Owner

Firefishy commented Jul 20, 2016

Confirmed working with Oracle JDK >= 8u101 (final release)

Owner

Firefishy commented Sep 1, 2016

Also Oracle JDK >= 7u111

VVD commented Sep 16, 2016

Error still here.
$ java -version
openjdk version "1.8.0_102"
OpenJDK Runtime Environment (build 1.8.0_102-b14)
OpenJDK 64-Bit Server VM (build 25.102-b14, mixed mode)

After copying /usr/local/linux-oracle-jdk1.8.0/jre/lib/security/cacerts to /usr/local/openjdk8/jre/lib/security/cacerts, everything works fine => OpenJDK has an old cacerts without trust for letsencrypt.

g0ddest commented Oct 25, 2016

java -version
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

Error still there.

yglodt commented Oct 31, 2016

This SO-answer shows how to import the letsencrypt security chain, which "solves" the issue, even on a Raspberry Pi with jre 1.8.0_65:

http://stackoverflow.com/a/35454903/272180
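
The fixes discussed in the comments above change the JVM-wide `cacerts` file. As an added example (not part of the gist or its comments), the same trust decision can be scoped to a single connection by loading CA certificates from a PEM file into an in-memory truststore, with certificate and hostname validation left enabled. The class name `PinnedCaReader` and the PEM path argument are assumptions for illustration.

```java
import java.io.*;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Added example, not the gist author's code. Usage:
//   java PinnedCaReader /path/to/ca-chain.pem https://helloworld.letsencrypt.org/
// The PEM path is a placeholder: supply CA certificate(s) obtained and
// verified out of band.
public class PinnedCaReader {

    // Build an SSLContext that trusts only the certificates in the PEM file.
    static SSLContext contextFor(String pemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store, nothing from cacerts
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("ca-" + i++, c);
            }
        }
        if (ks.size() == 0) {
            throw new IllegalArgumentException("no certificates in " + pemPath);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor(args[0]);
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL(args[1]).openConnection();
        // Applies to this connection only; hostname verification stays on.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try (BufferedReader in = new BufferedReader(new InputStreamReader(
                conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) {
                System.out.println(line);
            }
        }
    }
}
```

Because the in-memory store replaces the default anchors for this connection, a server whose chain does not lead to one of the supplied certificates still fails with the same `SSLHandshakeException`.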
