SSL connections appear to be broken in GraalVM:
$ java SSLPoke google.com 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 15 more
I found SSLPoke.class on this page: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html
The problem also affects other Java applications, like Leiningen, which are unable to connect to any SSL-secured web servers.
$ export JAVA_HOME=$HOME/graalvm-ce-1.0.0-rc2
$ java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-11)
GraalVM 1.0.0-rc2 (build 25.71-b01-internal-jvmci-0.43, mixed mode)
$ grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Fedora 28 (Twenty Eight)"
I also tried to copy over the system keystore, as described in Oracle's Java documentation, keeping the default keystore password, but without effect:
$ keytool -importkeystore -srckeystore /etc/java/java-10-openjdk/java-10-openjdk-10.0.1.10-4.fc28.x86_64/lib/security/cacerts -deststorepass "changeit" -srcstorepass "changeit"
Importing keystore /etc/java/java-10-openjdk/java-10-openjdk-10.0.1.10-4.fc28.x86_64/lib/security/cacerts to $HOME/.keystore...
[...]
Import command completed: 132 entries successfully imported, 0 entries failed or cancelled
$ java SSLPoke google.com 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[...]
SSL/TLS support is under development. Check #392.
@sureshg this issue doesn't have anything to do with native-image and is not related to #392. This issue is produced by the java command.
@cstancu you are correct. My bad, I didn't check the exception properly.
Is this due to the root ca certs missing on GraalVM (https://github.com/oracle/graal/issues/378)?
In that case, why does importing the certificates from my distribution's OpenJDK into ~/.keystore not work around the problem? (I tried both OpenJDK 1.8's and OpenJDK 10's copy of jre/lib/security/cacerts.)
On the other hand, copying /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.172-9.b11.fc28.x86_64/jre/lib/security/cacerts to $JAVA_HOME/jre/lib/security/cacerts does work around the problem.
@urzds I'm no expert on managing the certificates used by Java but maybe adding -Djavax.net.debug=all (as described here) may offer more clues.
https://blogs.oracle.com/gc/unable-to-find-valid-certification-path-to-requested-target fixed this issue for me.
Just to add to the above: I would suggest doing this, as I still had problems when I followed the above steps, but I could fix the issue by doing the below:
$JAVA_HOME/lib/security/cacerts: copy the cacerts file from the Oracle or any other vendor's JDK into the $JAVA_HOME/lib/security/ folder
$JAVA_HOME/jre/lib/security/cacerts: copy the cacerts file from the Oracle or any other vendor's JRE into the $JAVA_HOME/jre/lib/security/ folder
I think we need to patch both the JDK and JRE folders - any security experts who might want to help me out here?
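To see why importing into ~/.keystore changed nothing while copying into $JAVA_HOME/jre/lib/security/cacerts worked, and which of the JDK and JRE folders the java command actually reads, here is an added shell check that is not part of this thread and not GraalVM's own tooling. It replays the JSSE default trust-store lookup on a given JDK directory: the javax.net.ssl.trustStore property if set, otherwise jssecacerts, otherwise cacerts, all under java.home, which on a JDK 8 layout such as GraalVM 1.0.0-rc2 is $JAVA_HOME/jre rather than $JAVA_HOME. It then reports whether the resolved file exists and is non-empty and, where keytool is installed, how many trusted CA entries it holds. The function names and the exit-status convention are my own; the only real tool it invokes is keytool, and the test directories it is exercised with below are constructed.

```shell
#!/bin/sh
# Added example, not code from the oracle/graal thread. Mirrors the JSSE
# default trust-store lookup so you can see which file `java` will actually
# read, and checks that the file is present and holds CA entries.
# Lookup order (JSSE Reference Guide):
#   1. -Djavax.net.ssl.trustStore=<path>, if the property is set
#   2. <java.home>/lib/security/jssecacerts, if it exists
#   3. <java.home>/lib/security/cacerts
# ~/.keystore is only keytool's default target; JSSE never consults it for
# trust unless javax.net.ssl.trustStore points at it.
# On a JDK 8 layout java.home is $JAVA_HOME/jre, so $JAVA_HOME/jre/lib/security
# is the directory that matters there; JDK 9+ has no jre/ subdirectory.

# java_home_dir JDK_DIR: print the directory java.home resolves to.
java_home_dir() {
    if [ -d "$1/jre/lib/security" ]; then
        printf '%s\n' "$1/jre"
    else
        printf '%s\n' "$1"
    fi
}

# resolve_truststore JDK_DIR [TRUSTSTORE_PROPERTY]: print the trust store the
# JVM would use; the optional second argument stands in for
# -Djavax.net.ssl.trustStore=<path>.
resolve_truststore() {
    jh=$(java_home_dir "$1")
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$2"
    elif [ -f "$jh/lib/security/jssecacerts" ]; then
        printf '%s\n' "$jh/lib/security/jssecacerts"
    else
        printf '%s\n' "$jh/lib/security/cacerts"
    fi
}

# check_truststore JDK_DIR [TRUSTSTORE_PROPERTY]
# Exit status (own convention for this example):
#   0 = present and, if keytool is available, holds at least one CA entry
#   1 = missing or zero bytes, which yields the PKIX error seen in this thread
#   2 = present but keytool lists no trustedCertEntry in it
check_truststore() {
    ts=$(resolve_truststore "$1" "${2:-}")
    if [ ! -s "$ts" ]; then
        echo "trust store missing or empty: $ts" >&2
        return 1
    fi
    if command -v keytool >/dev/null 2>&1; then
        # "changeit" is the default password of the JDK-shipped cacerts.
        n=$(keytool -list -keystore "$ts" -storepass changeit 2>/dev/null \
            | grep -c trustedCertEntry || true)
        echo "$ts: $n trusted CA entries"
        [ "$n" -gt 0 ] || return 2
    else
        echo "$ts: present ($(wc -c < "$ts" | tr -d ' ') bytes), keytool not found"
    fi
    return 0
}

# Typical use against the GraalVM install from the report above:
#   check_truststore "$HOME/graalvm-ce-1.0.0-rc2"
```

Run check_truststore "$JAVA_HOME" with JAVA_HOME set to the GraalVM directory; a "missing or empty" result matches the missing-root-CA suspicion raised above (#378). Copying a vendor JDK's cacerts into the directory the function prints is the fix this thread converged on; the alternative that avoids touching the JDK is to point the JVM at the populated store explicitly, for example java -Djavax.net.ssl.trustStore="$HOME/.keystore" SSLPoke google.com 443, which is the only way the ~/.keystore import above would ever have been consulted. Either way the trust anchors should come from a JDK you already trust, not from disabling verification in the client.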