Tomcat - Resolve "PKIX path building failed"


One of the more common errors with a Java application is "PKIX path building failed", perhaps something like this.

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In layman's terms, this means the JVM could not build a chain of trust from the certificate presented by the remote system to a certificate it trusts, so the SSL/TLS handshake failed.

As a practical example, let's say the Java application is attempting to connect to some sort of SQL server over SSL. Assume the Java application is NOT setting the javax.net.ssl.trustStore property, which would look like this . . .

System.setProperty("javax.net.ssl.trustStore", "C:\\Users\\john.doe\\cacerts");

Then the Java application will use the certificates in the JVM's cacerts file when establishing the SSL connection to the SQL server. "PKIX path building failed" is returned if the JVM's cacerts file does not contain a certificate (the issuing CA or the server certificate itself) that can be used to validate the certificate chain presented by the SQL server.

Or, let's say the "PKIX path building failed" error includes this.

PKIX path validation failed: java.security.cert.CertPathValidationException: validity check failed

Sometimes, the log will identify the issue. For example, one possibility is that the SSL certificate has expired, in which case the log contains the certificate's NotAfter date.

java.security.cert.CertificateExpiredException: NotAfter: Mon Nov 29 17:59:59 CST 2021

You probably want to first determine if an SSL certificate being used by Tomcat has expired. Refer to encrypting inbound requests and encrypting outbound requests to determine whether a keystore or truststore on your Tomcat servers has an expired certificate.

If the keystores and truststores on your Tomcat servers do not have an expired certificate, then it is probably the case that an application deployed to one of your Tomcat application servers is attempting to connect to some other system, and that system is presenting an expired certificate. It is also possible that the request is being routed through other infrastructure in your internal network, such as a load balancer or firewall, and that the load balancer, firewall, or any other internal system the request passes through is the one presenting the expired certificate.
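As an added example (not code from this FreeKB article), the following Java program does offline what the JVM does during the handshake described above: it loads a keystore or truststore such as the JVM's cacerts, lists any expired entries (the check suggested for Tomcat keystores and truststores), and, when given the certificate chain a server presents, tries to build a PKIX path from the server's certificate to a trust anchor in that store. The file names, the password argument and the assumption that the PEM file holds the chain leaf-first are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/**
 * PkixCheck - offline reproduction of "PKIX path building failed".
 *
 * Usage (paths and password are placeholders):
 *   java PkixCheck <truststore-or-keystore> <password>                    -> list expired entries
 *   java PkixCheck <truststore-or-keystore> <password> <server-chain.pem> -> also try to build a
 *                                                                             PKIX path for that chain
 *
 * The PEM file is assumed to contain the server's chain leaf-first.
 */
public class PkixCheck {

    /** Loads a JKS or PKCS12 store, e.g. $JAVA_HOME/lib/security/cacerts (default password "changeit"). */
    static KeyStore loadStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Returns the aliases of certificate entries (trusted certs and key entries) that are expired at 'now'. */
    static List<String> expiredAliases(KeyStore ks, Date now) throws Exception {
        List<String> expired = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);   // null for secret-key entries
            if (c instanceof X509Certificate && ((X509Certificate) c).getNotAfter().before(now)) {
                expired.add(alias);
            }
        }
        return expired;
    }

    /** Parses a PEM file containing one or more certificates, leaf first. */
    static List<X509Certificate> readChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * Mirrors the handshake-time check: build a path from the server's leaf certificate to a
     * trust anchor in the store. The store must hold at least one trusted certificate entry.
     * Returns the anchor's subject on success, otherwise the same generic text the JVM logs.
     */
    static String buildPath(List<X509Certificate> chain, KeyStore trust) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.setRevocationEnabled(false);   // offline check: answer only the trust and validity question
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        try {
            PKIXCertPathBuilderResult r =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            return "OK: anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathBuilderException e) {
            return "PKIX path building failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadStore(args[0], args[1]);
        Date now = new Date();
        System.out.println(args[0] + ": " + ks.size() + " entries, expired: " + expiredAliases(ks, now));

        if (args.length > 2) {
            List<X509Certificate> chain = readChain(Paths.get(args[2]));
            // Print validity per certificate first: the builder's error text is generic, so an
            // expired leaf or intermediate is easiest to spot in this listing.
            for (X509Certificate c : chain) {
                String state = c.getNotAfter().before(now) ? "EXPIRED" : "valid until " + c.getNotAfter();
                System.out.println("  " + c.getSubjectX500Principal() + " -> " + state);
            }
            System.out.println(buildPath(chain, ks));
        }
    }
}
```

The chain a server presents can be captured with `openssl s_client -connect host:port -showcerts </dev/null` and saved leaf-first to a PEM file. If every certificate in the listing is still valid but path building fails, the truststore (cacerts, or whatever javax.net.ssl.trustStore points at) is missing the issuing CA; if one certificate shows EXPIRED, the fix belongs on the system presenting it, whether that is the SQL server itself or a load balancer or firewall in between.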
