launchdarkly / java-server-sdk

LaunchDarkly Server-Side SDK for Java

LaunchDarkly client initialization fails even after adding the LaunchDarkly certificate to the Java keystore. #277

Closed anranstl closed 2 years ago

anranstl commented 2 years ago

Hello,

I'm using launchdarkly-java-server-sdk (version 5.10.0) via Maven. After deploying to our dev environment, we get the following error when creating the LDClient:

2022-09-05T16:52:13.117+1000 ERROR LaunchDarkly Client initialized failed: NETWORK_ERROR(javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)@2022-09-05T06:51:55.947810Z

After five minutes of googling, I got inspiration from this issue: https://github.com/launchdarkly/java-server-sdk/issues/124

I've added the CAs from the following two URLs to the JKS, but unfortunately, neither of them works: https://app.launchdarkly.com/ https://launchdarkly.com/

Much appreciated if anyone can help on this, thanks a lot.

eli-darkly commented 2 years ago

Those aren't the hostnames that this SDK connects to; it uses sdk.launchdarkly.com, stream.launchdarkly.com, and events.launchdarkly.com. However, I'm 99% sure that all of the LD subdomains use the same root CA, so I'm not sure that that would explain it.

Would you mind instead filing a support ticket at support.launchdarkly.com ? The support team has more experience with troubleshooting issues like this which may involve details of your runtime environment - here you're just talking to the maintainers of the Java SDK code.

anranstl commented 2 years ago

Hi, thank you very much, I have already raised a support ticket. This issue seems very common in Java development; almost 99.9% of solutions suggest adding the certificate from the API address being used. So technically, it should work if I add the CA from sdk.launchdarkly.com. I will try again on our Linux server.

eli-darkly commented 2 years ago

It is indeed a very common issue in Java development, but something seems not quite right here. What it's trying to find in the local keystore is not the certificate for the target host itself (like, sdk.launchdarkly.com), but rather the CA— the trusted certificate that the host's certificate relies on as an authority. And we don't have a different CA for each hostname; launchdarkly.com, app.launchdarkly.com, and sdk.launchdarkly.com all use the same CA as far as I can tell. If you already retrieved it and added it for any of those addresses, it should be working for all of them. So if it's not working, either something else is going on, or there was something wrong with the procedure you used.

eli-darkly commented 2 years ago

Sorry, I was wrong: app.launchdarkly.com does have the same CA as sdk.launchdarkly.com; but launchdarkly.com, stream.launchdarkly.com, and events.launchdarkly.com do not. So I guess you will need to do it for each one after all.
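Because the three SDK hosts named above do not all share a root CA, the practical question is "which CA does my JVM's default truststore still lack for each host?". The following probe is an added example written for this thread, not code from the LaunchDarkly SDK or from anyone in the discussion. It captures the certificate chain each host presents, then asks the JVM's own default trust manager (the same one OkHttp uses when nothing is configured) whether it can build a PKIX path, and names the issuer of the last certificate in the chain, which is the CA you need to import. The class name `LdChainProbe` and the host list are assumptions; the hosts are taken from the maintainer's comment.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Diagnostic only: reports which CA the JVM default truststore is missing per host. */
public class LdChainProbe {

    // Hosts the Java server SDK connects to (from the maintainer's comment); assumed list.
    static final String[] HOSTS = {
        "sdk.launchdarkly.com", "stream.launchdarkly.com", "events.launchdarkly.com"
    };

    // Records the server chain and accepts it unconditionally. This is ONLY safe for a
    // probe that sends no data; never install a trust manager like this in the application.
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] captured;
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) { captured = chain; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Performs a TLS handshake with the host and returns the chain it presented. */
    static X509Certificate[] fetchChain(String host) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake(); // createSocket(host, port) sets SNI for us
        }
        return tm.captured;
    }

    /** The JVM's default trust manager: cacerts, or -Djavax.net.ssl.trustStore if set. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory f = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        f.init((KeyStore) null); // null keystore = JVM default truststore
        for (TrustManager t : f.getTrustManagers()) {
            if (t instanceof X509TrustManager) return (X509TrustManager) t;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager jvmDefault = defaultTrustManager();
        for (String host : HOSTS) {
            X509Certificate[] chain = fetchChain(host);
            System.out.println("== " + host + " sent " + chain.length + " certificate(s)");
            for (X509Certificate c : chain) {
                System.out.println("   subject: " + c.getSubjectX500Principal());
                System.out.println("   issuer : " + c.getIssuerX500Principal());
            }
            // Servers usually omit the self-signed root, so the issuer of the LAST cert
            // in the chain is the CA that must already be present in the truststore.
            X509Certificate last = chain[chain.length - 1];
            try {
                jvmDefault.checkServerTrusted(chain, chain[0].getPublicKey().getAlgorithm());
                System.out.println("   PKIX path OK with the JVM default truststore");
            } catch (CertificateException e) {
                System.out.println("   PKIX path FAILED: " + e.getMessage());
                System.out.println("   -> import the CA with subject: " + last.getIssuerX500Principal());
            }
        }
    }
}
```

Run it with the same JVM and the same `-Djavax.net.ssl.trustStore` settings as the application, because a truststore edited in one JDK does nothing for a service started from another. Obtain the named root CA from the CA vendor's published bundle rather than from the connection itself, then import it with `keytool -importcert -trustcacerts -alias <name> -file root.pem -keystore <truststore>`; importing the leaf certificate for `sdk.launchdarkly.com` does not satisfy a PKIX path check and expires with that certificate.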

anranstl commented 2 years ago

Oh, yeah, I noticed that when I added them to the JKS; I have already added them all, still no luck.

eli-darkly commented 2 years ago

OK... sorry, I'm not sure what's going on then, and I hope the support team can help.

eli-darkly commented 2 years ago

Our SDK code doesn't do anything unusual regarding certificates. We are using the OkHttp client, and its default behavior is to use the default keystore and truststore provided by the JVM.

anranstl commented 2 years ago

Sorry for the late reply. Adding the root CA of stream.launchdarkly.com fixed this issue, thank you very much.

vaenuganti commented 1 year ago

Hi, could you please elaborate on how the issue was fixed? I am facing the same issue.