@Maecenas
Last active March 23, 2018 10:31
Java/JVM SSL/TLS/HTTPS Connection: PKIX Path Building Failed

Fix: PKIX Path Building Failed_Way2

Solution

Before calling the Java web service:

trustAllHttpsCertificates();  
HttpsURLConnection.setDefaultHostnameVerifier(hv);  

Implement the following in your code beforehand. Both pieces deliberately switch off validation: the hostname verifier accepts every host name, and the trust manager accepts every certificate chain. This is the insecure bypass the second part of this gist warns about, so keep it out of anything but a throwaway test environment.

// Accepts every host name; only logs the mismatch between the URL host and the peer host.
javax.net.ssl.HostnameVerifier hv = new javax.net.ssl.HostnameVerifier()
{
  public boolean verify( String urlHostName, javax.net.ssl.SSLSession session )
  {
    System.out.println( "Warning: URL Host: " + urlHostName + " vs. "
      + session.getPeerHost() );
    return true;
  }
};

// Installs a trust-all TrustManager as the default for every HttpsURLConnection in the JVM.
private static void trustAllHttpsCertificates() throws Exception
{
  javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[] { new miTM() };
  javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance( "SSL" );
  sc.init( null, trustAllCerts, null );   // no key managers, trust-all trust manager, default RNG
  javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory( sc.getSocketFactory() );
}

// X509TrustManager that performs no validation at all.
static class miTM implements javax.net.ssl.X509TrustManager
{
  public java.security.cert.X509Certificate[] getAcceptedIssuers()
  {
    // The contract requires a non-null array; an empty one avoids NullPointerExceptions in callers.
    return new java.security.cert.X509Certificate[0];
  }

  public void checkServerTrusted(
    java.security.cert.X509Certificate[] certs, String authType )
  throws java.security.cert.CertificateException
  {
    // Never throws, so any server certificate (expired, self-signed, wrong CA) is accepted.
  }

  public void checkClientTrusted(
    java.security.cert.X509Certificate[] certs, String authType )
  throws java.security.cert.CertificateException
  {
    // Never throws, so any client certificate is accepted.
  }
}

Reference

Java/JVM SSL/TLS/HTTPS Connection: PKIX Path Building Failed

Situation

An error occurred when trying to run SonarQube in a CI step. The traceback shows that the client is unable to connect to an SSL-encrypted private GitLab instance:

ERROR: Error during Sonar runner execution
ERROR: Unable to execute Sonar
ERROR: Caused by: Failed to execute project builder: com.talanlabs.sonar.plugins.gitlab.CommitProjectBuilder
ERROR: Caused by: Unable to perform GitLab WS operation
ERROR: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: 
ERROR: To see the full stack trace of the errors, re-run SonarQube Runner with the -e switch.
ERROR: Re-run SonarQube Runner using the -X switch to enable full debug logging.

Solution

The client-authenticated handshake is a less common scenario than the basic SSL/TLS handshake: in it the client must also present its own certificate and use its private key.

  1. Import the server certificate into the JVM's cacerts trust store (the rest of this article covers this).
  2. When calling the Java web service, ignore the untrusted certificate. (Note that bypassing HTTPS certificate verification is insecure and should only be applied in a test environment.) See the other part of this article.
# Test the Java SSL connection with SSLPoke (prints "Successfully connected" or the PKIX exception)
$ wget https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class
$ java SSLPoke gitlab.miotech.com 443

# Find the JVM key stores and trust stores (run from /; locate has no -name option, find does)
$ find . -name cacerts
./root/sonar-scanner/jre/lib/security/cacerts
./usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts

# Find exactly which cacerts we are using: java.home in the output points at the JRE whose lib/security/cacerts is loaded
$ java -XshowSettings:properties -version

# Grab the server certificate with openssl and write it to public.crt (-servername sends SNI so a virtual host returns its own certificate)
$ openssl s_client -connect gitlab.miotech.com:443 -servername gitlab.miotech.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

# Extend the global trust store
# Enter keystore password: changeit (the JVM default)
$ keytool -import -alias MTGitlab -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -file /root/public.crt
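As an added example that is not part of this gist: instead of the trust-all TrustManager from the first part, or of editing the global cacerts, the public.crt exported above can be loaded into an in-memory trust store so the JVM trusts exactly the certificate(s) in that file and nothing else, while the default hostname verification stays switched on. The class name PinnedTrust, the argument handling and the example URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrust {

    // Build an SSLContext whose trust anchors are only the PEM certificates in pemPath
    // (e.g. the public.crt written by the openssl s_client command above).
    static SSLContext contextTrusting(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory trust store, no password needed
        int count = 0;
        try (InputStream in = new FileInputStream(pemPath)) {
            // generateCertificates reads every PEM block, so a full chain file works too
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("pinned-" + count++, c);
            }
        }
        if (count == 0) {
            // An empty trust store would silently reject every server; fail loudly instead.
            throw new IllegalArgumentException("no certificates found in " + pemPath);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // PKIX trust manager backed only by the pinned certificates
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String pem = args.length > 0 ? args[0] : "public.crt";
        String url = args.length > 1 ? args[1] : "https://gitlab.miotech.com/";
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Only this connection's socket factory is replaced; the default hostname
        // verifier still checks that the certificate matches the URL's host.
        conn.setSSLSocketFactory(contextTrusting(pem).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode()
            + " from " + conn.getPeerPrincipal());
    }
}
```

A certificate that is not in public.crt still fails with the same PKIX exception, which is the intended behaviour: the fix is scoped to one known server rather than disabling validation JVM-wide.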

Reference
