Solved

https: Unable to find valid certification path to requested target

Posted on 2012-03-14
Last Modified: 2012-03-15
To connect to an https domain I use the following code:
      import java.io.BufferedReader;
      import java.io.IOException;
      import java.io.InputStreamReader;
      import java.io.OutputStreamWriter;
      import java.net.URL;
      import javax.net.ssl.HttpsURLConnection;

      // uri is a string containing the server https domain address; data is the request body
      static String post(String uri, String data) throws IOException {
        URL urlGift = new URL("https://" + uri + ":443/process.cgi");
        HttpsURLConnection conn = (HttpsURLConnection) urlGift.openConnection();
        conn.setDoOutput(true);   // POST: the body is written to the output stream
        // getOutputStream() opens the connection: the TLS handshake and the PKIX check happen here
        OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());
        wr.write(data);
        wr.flush();

        // Get the response
        BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        StringBuilder res = new StringBuilder();
        String line;
        while ((line = rd.readLine()) != null) {
          res.append(line);
        }
        rd.close();
        wr.close();
        return res.toString();
      }
--------
If I add our certificate (.cer) to my cacerts it works fine, but I'm assuming that, since our certificate was signed by GoDaddy, the chain up from there must reach a CA that presumably is in my cacerts. Nevertheless I keep getting this error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.: unable to find valid certification path to requested target.
I'm thinking that this is not very different from having a self-signed certificate. Once it expires we will have to add the new one to cacerts and distribute it to hundreds of users, which is what we want to avoid.
In short, I want to know why the connection is not able to go "up the chain" of certificates to trust the certificate we have.
I know I can create my own trust manager and accept whatever I want. But then what's the point of having a signed certificate by a CA?
Any takers?
0
Question by:RNMisrahi
10 Comments
 
LVL 86

Expert Comment

by:CEHJ
ID: 37721476
In short, I want to know why the connection is not able to go "up the chain" of certificates to trust the certificate we have.

Possibly because you haven't added ALL the certs required to form that chain. Check with GoDaddy as to what you should be doing with what they supply
0
 
LVL 7

Expert Comment

by:gudii9
ID: 37722534
Check the following interesting explanation, link:

http://www.java-samples.com/showtutorial.php?tutorialid=210
0
 

Author Comment

by:RNMisrahi
ID: 37722557
Thanks CEHJ.
I understand what you're saying, but the way I understand it, we shouldn't need to have the whole chain of trust in our cacerts but only the root certificate. Just as a browser will trust Certificate A if it was signed by Certificate B, which was signed by Certificate C, which I trust because it's in my list of trusted certificates. I.e. a browser doesn't have the chain of every certificate. It'd be an enormous list.
In our case, our certificate is signed by:
GeoTrust DV SSL, which is signed by GeoTrust Global CA.

I find it very strange that I have to add any of these intermediate certificates. Again, a browser does recognize it as a safe server because as far as I understand, the chain leads to one of the trusted certificates. Moreover, I have a C# and a Delphi application that communicate with this same site and it doesn't require me to add anything.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 37722695
Is that your server you're trying to connect to?
0
 

Author Comment

by:RNMisrahi
ID: 37723290
Yes, this is my server. We have a few hundred users. We used to have a certificate of a different type that's expiring soon.
So we bought this certificate that has a path from GeoTrust Global to GeoTrust DV SSL to our actual certificate.
0
 

Author Comment

by:RNMisrahi
ID: 37723372
Hi CEHJ,

I've listed the cacerts and I can see there what's expected:

The original cacerts (before I import anything) has the GeoTrust Global CA but NOT the GeoTrust DV SSL.
Our certificate is signed by GeoTrust DV SSL, which is signed by GeoTrust Global CA.
Again, I would expect Java to "see" our certificate, signed by DV SSL, which is signed by Global CA, which is in our cacerts.

It doesn't surprise me that when I add DV SSL to cacerts our certificate is accepted, since DV SSL signs our certificate. This is as if Java is able to go only one step up the chain!

There must be a way to tell HttpsURLConnection to keep going up the chain more than one step.
0
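An added example, not from the thread, that reproduces Java's PKIX path building offline with CertPathBuilder, the same mechanism HttpsURLConnection relies on: it tries to build a path from the server certificate to a root in the default cacerts, using whatever intermediate files are supplied on the command line as candidates. Assumed: the server certificate and the GeoTrust DV SSL intermediate are exported as files (server.cer and intermediate.cer are assumed names), cacerts still has its default password, and the class name PathCheck is hypothetical. Run with only the server certificate it reports no path, the failure behind the PKIX error in the question; run with the intermediate as well, the builder walks both steps up to the root, which shows the builder is not limited to one step but needs the intermediate to be available, either sent by the server or supplied locally.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Builds a PKIX path from a server certificate up to a root in the JVM's default
// cacerts, with any intermediates supplied as extra files. Run it with and without
// the intermediate to see whether that certificate is the missing link.
public final class PathCheck {
    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);   // PEM or DER
        }
    }

    // Returns the built path (leaf first, trust anchor excluded) or throws CertPathBuilderException.
    static List<? extends Certificate> build(X509Certificate leaf, List<X509Certificate> extras) throws Exception {
        // Trust anchors: the default cacerts, the same store HttpsURLConnection uses.
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        String file = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(file)) {
            cacerts.load(in, "changeit".toCharArray());   // default cacerts password
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(cacerts, target);
        params.setRevocationEnabled(false);   // offline check: no CRL/OCSP fetching
        // Candidates the builder may chain through; the leaf itself must be here too.
        List<X509Certificate> pool = new ArrayList<>(extras);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        CertPathBuilderResult r = CertPathBuilder.getInstance("PKIX").build(params);
        return r.getCertPath().getCertificates();
    }

    public static void main(String[] args) throws Exception {   // args: server.cer [intermediate.cer ...]
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = load(cf, args[0]);
        List<X509Certificate> extras = new ArrayList<>();
        for (int i = 1; i < args.length; i++) extras.add(load(cf, args[i]));
        try {
            List<? extends Certificate> path = build(leaf, extras);
            System.out.println(path.size() + " step(s) up to a root in cacerts:");
            for (Certificate c : path)
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("No path to a trusted root: " + e.getMessage());
        }
    }
}
```

The leaf-only run fails for the same reason the question's code does: nothing in cacerts issued the server certificate directly, and no candidate bridges it to GeoTrust Global CA.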
 
LVL 86

Expert Comment

by:CEHJ
ID: 37724160
http://support.godaddy.com/help/article/5239 shows something similar to what I guessed: no fewer than 4 certs needing to be imported
0
 

Author Comment

by:RNMisrahi
ID: 37724956
CEHJ, could you expand a bit on this?

What does it mean in practice:
Do we need to change the cacerts of our users when the Secondary Certificate (DV SSL) expires? Why can't we rely on the Primary (Global CA) which expires in 20 years?

And so we understand:
Why can a browser go up the chain of signed certificates to the root, while Java can go only one certificate up?

I'm ready to assign all points as soon as we get an answer.

Thanks
0
 
LVL 86

Accepted Solution

by:
CEHJ earned 500 total points
ID: 37725675
My guess for the first question is yes. But you need to check with GoDaddy. You need to understand that I work for free here, which is one thing, but quite another to be working for free for GoDaddy too (I assume you paid them for this certification?)

The answer to the last question (and by extension to the one preceding it) is that browsers are probably able to import chains whereas java is able only to work on single entities
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 37725824
:)
0