sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[ghost]

SSL connections appear to be broken in GraalVM:

$ java SSLPoke google.com 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 15 more

I found SSLPoke.class on this page: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

The problem also affects other Java applications, like Leiningen, which are unable to connect to any SSL secured web servers.

$ export JAVA_HOME=$HOME/graalvm-ce-1.0.0-rc2
$ java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-11)
GraalVM 1.0.0-rc2 (build 25.71-b01-internal-jvmci-0.43, mixed mode)
$ grep PRETTY_NAME /etc/os-release 
PRETTY_NAME="Fedora 28 (Twenty Eight)"

I also tried to copy over the system keystore, as described in Oracle's Java documentation, keeping the default keystore password, but without effect:

$ keytool -importkeystore -srckeystore /etc/java/java-10-openjdk/java-10-openjdk-10.0.1.10-4.fc28.x86_64/lib/security/cacerts -deststorepass "changeit" -srcstorepass "changeit"
Importing keystore /etc/java/java-10-openjdk/java-10-openjdk-10.0.1.10-4.fc28.x86_64/lib/security/cacerts to $HOME/.keystore...
[...]
Import command completed:  132 entries successfully imported, 0 entries failed or cancelled
$ java SSLPoke google.com 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[...]

[sureshg]

SSL/TLS support is under development. Check #392

[cstancu]

@sureshg this issue doesn't have anything to do with native-image and is not related to #392 . This issue is produced by the java command.

[sureshg]

@cstancu you are correct. My bad didn't check the exception properly.
Is this due to the root ca certs missing on GraalVM (#378)?

[ghost]

Is this due to the root ca certs missing on GraalVM (#378)?

In that case, why does importing the certificates from my distribution's OpenJDK into ~/.keystore not workaround the problem? (I tried both OpenJDK 1.8's and OpenJDK 10's copy of jre/lib/security/cacerts.)

On the other hand, copying /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.172-9.b11.fc28.x86_64/jre/lib/security/cacerts to $JAVA_HOME/jre/lib/security/cacerts does workaround the problem.

[dougxc]

@urzds I'm no expert on managing the certificates used by Java but maybe adding -Djavax.net.debug=all (as described here) may offer more clues.

[alwendt]

https://blogs.oracle.com/gc/unable-to-find-valid-certification-path-to-requested-target fixed this issue for me.

[neomatrix369]

I just to add to the above, I would suggest doing this as I still had problems when I followed the above steps, but I could fix the issue doing the below:

• (optional) make a copy of the existing $JAVA_HOME/lib/security/cacerts
• copy a valid cacerts file from the Oracle or any other vendors' JDK into the $JAVA_HOME/lib/security/
• (optional) make a copy of the existing $JAVA_HOME/jre/lib/security/cacerts
• copy a valid cacerts file from the Oracle or any other vendors' JRE into the $JAVA_HOME/jre/lib/security/

I think we need to patch both the JDK and JRE folders - any security experts who might want to help me out here?

[TohidMakari]

First of all import you'r crt file into {JAVA_HOME}/jre/security/cacerts, if you still faced with this exception, change you'r jdk version. For example from jdk1.8.0_17 to jdk1.8.0_231

[wirthi]

I am closing this ticket. I understand the ticket has been resolved already. If there is anything open for you on a recent Java/GraalVM version, please feel free to reopen with new information (and ideally a reproducer for us).