
One of the more common errors with a Java application is "PKIX path building failed", perhaps something like this.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
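In layman's terms, this means there is some SSL issue: Java could not build a chain of trust from the certificate presented by the remote system to a certificate it trusts.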
As a practical example, let's say the Java application is attempting to connect to some sort of SQL server. Assuming the Java application is NOT setting the javax.net.ssl.trustStore property . . .
System.setProperty("javax.net.ssl.trustStore", "C:\\Users\\john.doe\\cacerts");
Then the Java application will use the certificates in the JVM's cacerts file when establishing the SSL connection to the SQL server. "PKIX path building failed" would be returned if the JVM's cacerts file does not contain a certificate that can be used in the SSL handshake with the SQL server.
Or, let's say the error looks like this instead.
PKIX path validation failed: java.security.cert.CertPathValidationException: validity check failed
Sometimes, the log will identify the issue. For example, one possibility is that the SSL certificate has expired.
java.security.cert.CertificateExpiredException: NotAfter: Mon Nov 29 17:59:59 CST 2021
You probably want to first determine if an SSL certificate being used by Tomcat has expired. Refer to encrypting inbound requests and encrypting outbound requests to determine if a keystore or truststore on your Tomcat servers has an expired certificate.
If the keystores and truststores on your Tomcat servers do not have an expired certificate, then it is probably the case that an application deployed to one of your Tomcat application servers is attempting to connect to some other system, and the system that the application is attempting to connect to is presenting an expired certificate. It is also possible that the request is being routed through other infrastructure in your internal network, such as a load balancer or firewalls, and the load balancer, firewall, or any other internal system that the request is routed through may contain the expired certificate.
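To check the local side of this, the following added example (not code from the original article) lists every certificate in the truststore the JVM would actually use that is expired, not yet valid, or close to expiry. The class name TrustStoreAudit and the 30-day warning window are assumptions; it does not inspect the certificate presented by the remote system.

```java
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class TrustStoreAudit {
    // Assumption: flag certificates that expire within the next 30 days.
    private static final Duration WARN_WINDOW = Duration.ofDays(30);

    static String status(X509Certificate cert, Instant now) {
        try {
            cert.checkValidity(Date.from(now));
        } catch (CertificateExpiredException e) {
            return "EXPIRED"; // the CertificateExpiredException case from the log above
        } catch (CertificateNotYetValidException e) {
            return "NOT_YET_VALID";
        }
        boolean soon = cert.getNotAfter().toInstant().isBefore(now.plus(WARN_WINDOW));
        return soon ? "EXPIRING_SOON" : "OK";
    }

    public static void main(String[] args) throws Exception {
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore", "(not set, JVM default)"));
        // init(null) loads the truststore JSSE uses by default: the file named by
        // javax.net.ssl.trustStore if set, otherwise the JVM default (normally cacerts).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Instant now = Instant.now();
        int flagged = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate cert : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String s = status(cert, now);
                if (s.equals("OK")) continue;
                flagged++;
                System.out.printf("%-13s notAfter=%s subject=%s%n",
                        s, cert.getNotAfter(), cert.getSubjectX500Principal().getName());
            }
        }
        System.out.println(flagged + " certificate(s) need attention");
    }
}
```

Run it with the same JVM and the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword options as the application, so it audits the truststore the application really uses.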