PKIX path building failed SunCertPathBuilderException: unable to find valid certification path to requested target

Problem

When trying to connect to an LDAP/AD service over SSL or to a web service with custom SSL certificate, you receive the following error:

PKIX path building failed SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The error is related to the Java Virtual Machine (JVM) in which Datameer is running. This issue might be caused by a missing or incorrect certificates in JVMs keystore or a recent security update. 

Solution

1) If this is the first time you have seen the error, review our documentation regarding Connecting to an LDAP/Active Directory service over SSL, Custom SSL Configurations, and Custom certificates for Java JVM.

2) If you have seen this error before, consider the following questions:

  • Which Certificate Authority (CA) does it use?
  • Was it your own? 
  • Do you know if the certificate or authority became revoked recently?

3) Check your Java keystore and the currently installed certificates.

The following commands can help you narrow down the cause:

  • Check a stand-alone certificate
    keytool -printcert -v -file <mydomain.crt>
  • Check which certificates are within the Java keystore
    keytool -list -v -keystore </path-to-java/keystore>
  • Check a particular keystore entry using an alias
    keytool -list -v -keystore </path-to-java/keystore> -alias <yourdomain>
  • List PKCS12 certificates
    keytool -list -keystore </path-to-java/keystore> -storepass <storepasswd> -storetype PKCS12 -v