I was getting an exception when attempting to consume a web service over SSL. Here is the exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Message: ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The fix for this problem was to add GoDaddy as a trusted CA. Here are the steps I took:
1. Download gd_intermediate.cer from here.
2. I put this file in %JAVA_HOME%\jre\lib\security. You can put it anywhere you want.
3. Run the following command at a command prompt:
C:\Program Files\Java\jre1.6.0_02\bin>keytool -import -trustcacerts -alias godaddy-cert -keystore ..\lib\security\cacerts -file ..\lib\security\gd_intermediate.cer
4. You will be prompted for a password. If you have not changed the password, it will be "changeit".5. You will then get the following message if all is successful - "Certificate was added to keystore".
6. Restart Tomcat.
4 comments:
Brian, Excellent atricle. I have a question do I need to run the keytool if I upgrade JRE version?
Renu,
I am not sure if you need to run the keytool after upgrading JRE. Not sure if the JRE upgrade carries over trusted certificates that have been added. My guess would be that the upgrade takes care of things like that, but like I said, not 100% sure. You may need to ask this question on a Java forum.
People should read this.
Good find - thanks for the article.
Server owners can install gd_bundle.crt from the same repository and help every client avoid the need to install the gd_intermediate cert... not just JVM, but browsers and IMAPS clients, too.
But it appears that some JVMs don't have a cert for ValiCert, which is the ultimate signing authority for GoDaddy's chain. There's no way around installing that one.
Post a Comment