Symptoms
When testing the connection from Stash to JIRA, Bamboo, Crowd, etc. the following error is logged:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause
Whenever Stash attempts to connect to an external service over SSL (e.g. JIRA, Marketplace, LDAP, etc.), it can only connect if it trusts the certificate presented by that service. As Stash is an application written in Java, trust is handled through a keystore (typically $JAVA_HOME/lib/security/cacerts), also known as the trust store. This contains a list of all the known CA certificates, and Java will only trust certificates that are signed by one of those CA certificates, or public certificates that exist within that keystore.
Hence, this error will usually happen if:
- A self-signed certificate or a certificate that is not signed by a CA authority is being used to secure the external service.
- A certificate is loaded in an Apache Proxy between Stash and the other application.
Resolution
Export the target application’s SSL Certificate, import it into the Stash server’s JVM TrustStore, and restart Stash in order for Stash to trust the target application.
1. Resolution for a self-signed certificate or for a certificate not signed by a CA authority:
2. Resolution for a misconfiguration on the Apache Proxy
You need to define SSLCertificateChainFile according to Step 2 of Securing Stash with Apache using SSL. Please review your Apache Proxy configuration thoroughly against this document.
Still having problems?
Try SSLPoke to see if your truststore has the right certificates. It simply connects to an SSL service, sends a byte of input, and watches the output.
- Download SSLPoke.class. Note the (source) is useful for debugging.
- Run 'java SSLPoke stash.com 443', for instance, to connect to your Stash instance with an untrusted (self-signed) certificate. If the certificate hasn't been imported yet, you should see:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
- If you connect to a CA-verified certificate you shouldn’t see the exception above.
- Make sure that the version of Java you are using is the same as the one used in your source Java application
$ which java
The command above should show you the exact Java path that you are using to execute your backup client. Make sure you are importing the certificate into the keystore of the right Java.
- If the step above didn't yield the expected error, it means that the JRE being used by Stash is different to the JRE you're using to run SSLPoke and you need to import the certificate into the JRE being used by Stash.
- To find out which JRE is being used by Stash, please look into: Admin cog icon >> Atlassian Support Tools >> System information tab. Look for the value in the java.home string under the Java Runtime Environment section.
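The export-and-import step from the Resolution, together with the check that the certificate goes into the trust store of the JRE Stash actually runs on, can be scripted as follows. This is an added example, not Atlassian's own procedure; the host name, alias, paths and the STOREPASS variable are placeholders, and the expected fingerprint is assumed to come from the target service's administrator rather than from the network.

```shell
#!/bin/sh
# Added example: verify a certificate's fingerprint, then import it into the
# trust store of the JRE that Stash runs on. All names below are placeholders.

# Resolve cacerts for a java.home value (as shown in the System information
# tab). If the path is a JDK 8 or older install root, the store is under jre/.
cacerts_for() {
    for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    echo "no cacerts found under $1" >&2
    return 1
}

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab cd ..." to bare uppercase hex.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

# Save the leaf certificate presented by host:port as PEM.
fetch_cert() {   # usage: fetch_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# Import CERTFILE only when its SHA-256 fingerprint equals the one obtained
# out-of-band; otherwise refuse, since the fetched certificate may not be the service's.
import_if_pinned() {   # usage: import_if_pinned CERTFILE EXPECTED_FP JAVA_HOME ALIAS
    got=$(norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)")
    want=$(norm_fp "$2")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch, not importing (got: $got)" >&2
        return 1
    fi
    store=$(cacerts_for "$3") || return 1
    # "changeit" is the stock cacerts password; STOREPASS overrides it (assumed variable).
    keytool -importcert -noprompt -alias "$4" -file "$1" \
        -keystore "$store" -storepass "${STOREPASS:-changeit}"
}

# Example run (placeholder host, fingerprint and java.home), followed by a Stash restart:
#   fetch_cert jira.example.com 443 /tmp/jira.pem
#   import_if_pinned /tmp/jira.pem "AB:CD:..." /opt/java/jre jira-example
```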