Unable to Connect to SSL Services due to PKIX Path Building Failed sun.security.provider.certpath.SunCertPathBuilderException

July 21, 2015

Symptoms

When testing the connection from Stash to JIRA, Bamboo, Crowd, etc. the following error is logged:

Caused by: sun.security.validator.ValidatorException:
    PKIX path building failed:
    sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target

Cause

Whenever Stash attempts to connect to an external service over SSL (e.g. JIRA, Marketplace, LDAP, etc.), it will only be able to connect if it can trust the certificate served by that service. As Stash is an application written in Java, trust is handled through a keystore (typically $JAVA_HOME/lib/security/cacerts), also known as the trust store. This contains all the known CA certificates, and Java will only trust certificates that are signed by one of those CA certificates, or public certificates that are themselves present in that keystore.

Hence, this error will usually happen if:

  1. A self-signed certificate or a certificate that is not signed by a CA authority is being used to secure the external service.
  2. A certificate is loaded in an Apache proxy sitting between Stash and the other application, and the proxy's SSL configuration is incomplete (see resolution 2 below).

Resolution

Export the target application’s SSL Certificate, import it into the Stash server’s JVM TrustStore, and restart Stash in order for Stash to trust the target application.

1. Resolution for a self-signed certificate or for a certificate not signed by a CA authority:

If you are running Stash on a Unix environment…

1- Fetch the certificate from the machine where you are running Stash

From the machine where you are running Stash, fetch the certificate loaded in the external service, replacing external.com:443 with the FQDN and port of the server Stash is attempting to connect to:

openssl s_client -connect external.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

2- Import the certificate into your Java keystore:

After you have fetched the certificate, import it into the keystore of the JAVA_HOME you are using to run Stash:

$JAVA_HOME/bin/keytool -import -alias <server_name> -keystore $JAVA_HOME/lib/security/cacerts -file public.crt

Important Notes

The default password for the cacerts keystore is changeit.

Where is my keystore?

  • Windows/Linux: $JAVA_HOME/jre/lib/security/cacerts
  • Mac OS (not supported): $JAVA_HOME/lib/security/cacerts

What is the password?

  • The default password for the Java TrustStore is changeit.

Where is my JAVA_HOME?

  • To check the $JAVA_HOME value, go to Admin cog icon >> Atlassian Support Tools >> System info tab and look for java.home. Use this value (the fully qualified path) as $JAVA_HOME in the commands above.

If you are running Stash on a Windows environment…


2. Resolution for a misconfiguration on the Apache Proxy

You need to define SSLCertificateChainFile according to Step 2 of Securing Stash with Apache using SSL. Please review your Apache Proxy configuration thoroughly against this document.

Still having problems?

Try SSLPoke to see if your truststore has the right certificates. It simply connects to an SSL service, sends a byte of input, and watches the output.

  1. Download SSLPoke.class. Note that the source is useful for debugging.
  2. Run 'java SSLPoke stash.com 443', for instance, connecting to your Stash instance with an untrusted (self-signed) certificate. If the certificate hasn't been imported yet, you should see:

    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ...
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ...
  3. If you connect to a CA-verified certificate you shouldn’t see the exception above.
  4. Make sure that the version of Java you are using to run SSLPoke is the same as the one used by Stash:

    $ which java

    The command above should show you the exact Java path you are using to execute SSLPoke. Make sure you are importing the certificate into the keystore of the right Java.

  5. If the step above didn't yield the expected error, it means that the JRE being used by Stash is different from the JRE you're using to run SSLPoke, and you need to import the certificate into the JRE being used by Stash.
    1. To find out which JRE is being used by Stash, please look into: Admin cog icon >> Atlassian Support Tools >> System information tab. Look for the value of the java.home string under the Java Runtime Environment section.