I am trying to test 2 applications locally. One is a REST API server, the other is a REST client. The server runs on Open Liberty in Eclipse. The client runs as a JUnit test in Eclipse.

I have installed our company certificate in the truststores of the Eclipse JRE and the server configuration. The unit test is configured to use the JRE which has the certificate installed, and I also set the truststore location explicitly in the run configuration:

-Djavax.net.ssl.keyStore="C:\Program Files\Java\jre\lib\security\cacerts"
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore="C:\Program Files\Java\jre\lib\security\cacerts"
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.debug=all

The error message contains:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
    ... 51 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    ... 57 more

I enabled SSL debugging and saw

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=OpenLibertyServer, O=ibm, C=us
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: <removed.....>
  public exponent: 65537
  Validity: [From: Thu Mar 19 15:08:27 CET 2020,
               To: Fri Mar 19 15:08:27 CET 2021]
  Issuer: CN=localhost, OU=OpenLibertyServer, O=ibm, C=us
  SerialNumber: [    21...29]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
]

[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: ...                                       
]

The debugging also lists all of the certificates which are in the truststore, including the one I installed.

What might be wrong or missing here?

UPDATE

I set the truststore for the client to be the exact same truststore that the server uses and the problem is 'solved'. This is naturally not a realistic solution and is probably an indication that a certificate is actually missing. At least I can continue with testing...


There are 2 answers

jcamsler On

"C:\Program Files\Java\jre\lib\security\cacerts" is the default Java truststore; you need to add the certificate chain to the Java client cacerts. Export the certificate chain in CER format with a tool or with Windows and add it to your default Java truststore like this:

keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias yourCertAlias -file path\to\yourCertificatChain.cer 

Alternatively, if you want to switch JREs easily, you can put the certificate chain in an external truststore and point the JVM at it with:

-Djavax.net.ssl.trustStore=<truststore path> -Djavax.net.ssl.trustStorePassword=<truststorepassword>
Guillaume On

I'm not sure what the cause of your problem is, but in my experience it's easier to import the trusted root certificate into the Windows store (it might already be pushed there by your company) and to add this JVM option:

-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
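Both answers amount to "make sure the client truststore actually contains an anchor for the chain the server sends", either by importing the chain into cacerts (jcamsler) or by pointing the JVM at the Windows root store (Guillaume). The debug output in the question is worth reading with that in mind: the only certificate the server presents has Subject equal to Issuer (CN=localhost, OU=OpenLibertyServer), i.e. it is self-signed, so a company CA certificate in the truststore can never validate it; the only possible trust anchor is that exact certificate, which is why copying the server's own store "solved" it. The following diagnostic is an added example, not code from the question or from either answer: it loads a truststore the same way the JVM options above do (a file-backed cacerts, or WINDOWS-ROOT with path NONE) and runs the same PKIX validation JSSE runs in the handshake against a chain exported from the server, printing which anchor the chain ends at, or the validator's failure reason. File names, the class name CheckChain and the argument layout are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * CheckChain: added diagnostic, not code from the question or the answers.
 * Loads the truststore the client JVM will use and runs the PKIX validation
 * JSSE performs during the handshake against a certificate chain exported
 * from the server (PEM bundle or single DER, leaf first).
 *
 * Usage (file names are placeholders for the example):
 *   java CheckChain server-chain.cer "C:\Program Files\Java\jre\lib\security\cacerts" changeit
 *   java CheckChain server-chain.cer NONE "" WINDOWS-ROOT
 */
public class CheckChain {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: CheckChain <chainFile> <truststorePath|NONE> <password> [truststoreType]");
            System.exit(2);
        }
        String storeType = args.length > 3 ? args[3] : KeyStore.getDefaultType();
        KeyStore trust = loadTrustStore(args[1], args[2], storeType);
        List<X509Certificate> chain = readChain(args[0]);

        X509Certificate leaf = chain.get(0);
        System.out.println("leaf subject: " + leaf.getSubjectX500Principal());
        System.out.println("leaf issuer : " + leaf.getIssuerX500Principal());
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            // The debug output in the question shows exactly this case: a self-signed
            // server certificate. No CA certificate can validate it; the only possible
            // trust anchor is this certificate itself.
            System.out.println("leaf is self-signed: the truststore must contain this exact certificate");
        }
        System.out.println("trust anchor: " + describeAnchor(chain, trust));
    }

    /** Loads a file-backed truststore, or a provider-backed one (e.g. WINDOWS-ROOT) when the path is NONE. */
    static KeyStore loadTrustStore(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        char[] pass = password.isEmpty() ? null : password.toCharArray();
        if ("NONE".equals(path)) {
            ks.load(null, pass);   // same convention as -Djavax.net.ssl.trustStore=NONE
        } else {
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, pass);
            }
        }
        return ks;
    }

    /** Reads one or more X.509 certificates (PEM bundle or single DER) in file order. */
    static List<X509Certificate> readChain(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + file);
        return chain;
    }

    /** Returns the subject of the trust anchor the chain validates to, or the validator's failure reason. */
    static String describeAnchor(List<X509Certificate> chain, KeyStore trust) throws Exception {
        // PKIX validation expects the path WITHOUT the anchor, so strip from the end
        // every certificate that is itself an entry in the truststore.
        List<X509Certificate> path = new ArrayList<>(chain);
        while (!path.isEmpty()) {
            String alias = trust.getCertificateAlias(path.get(path.size() - 1));
            if (alias == null) break;
            path.remove(path.size() - 1);
            if (path.isEmpty()) return "leaf is directly trusted (alias '" + alias + "')";
        }
        PKIXParameters params = new PKIXParameters(trust);  // every trusted entry becomes an anchor
        params.setRevocationEnabled(false);                  // JSSE's default; keeps the check offline
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) cpv.validate(
                    CertificateFactory.getInstance("X.509").generateCertPath(path), params);
            return r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().toString();
        } catch (CertPathValidatorException e) {
            return "NONE: " + e.getMessage() + " (reason " + e.getReason() + ")";
        }
    }
}
```

Run it once against the truststore the unit test's JVM options name and once against the server's keystore exported with keytool; if the first reports NONE and the second reports the self-signed localhost certificate as the anchor, the fix is either to import that leaf into the client truststore for local testing (the keytool command above) or, for anything beyond local testing, to have Open Liberty serve a certificate issued by the company CA so the CA certificate already in the truststore can anchor the chain.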