bdemers
commented
3 years ago Hey @degerlac!
There are a couple of common reasons for seeing this. 1.) You are connecting through some sort of proxy / VPN / network scanner 2.) You have your Okta Org setup with a custom domain and it does NOT have the full certification chain setup
Without any more info I'm going into guess the second, but here is an easy way to test it:
- Go to: https://ssltools.digicert.com/checker/views/checkInstallation.jsp
- Type in your domain for example.
id.example.com - Click on the "Certificate Chain" tab (and check for errors)
If you see errors on this tab, you can correct the problem by following this guide: https://developer.okta.com/docs/guides/custom-url-domain/enable-the-custom-domain/
The "chain" is optional for some clients (for example most browser connections don't need it), but many languages/frameworks (e.g. Java) require the full chain to be installed.
Either way, let me know if this helps, it's possible we could catch this error and provide better instructions, (but I'm just making an educated guess)
Assuming I'm wrong, let me know your Okta Org / URL and I can take a look. If you don't want to put that info in this issue, you can send it to Okta support, and reference this issue, and tell them to pass the info to @bdemers 😉
klongmitre
I am running OpenJDK 11 on Mac OS 10.15.7. When I run
okta startand select any number to download it fails with a PKIX error. I would really like to use the tool, but I can't get off first base. What URL is it trying to access?com.okta.commons.http.HttpException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.okta.commons.http.httpclient.HttpClientRequestExecutor.executeRequest(HttpClientRequestExecutor.java:191) at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147) at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120) at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:443) at com.okta.sdk.impl.ds.DefaultDataStore.lambda$getResourceData$1(DefaultDataStore.java:196) at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47) at com.okta.sdk.impl.ds.cache.WriteCacheFilter.filter(WriteCacheFilter.java:34) at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52) at com.okta.sdk.impl.ds.cache.ReadCacheFilter.filter(ReadCacheFilter.java:42) at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52) at com.okta.sdk.impl.ds.DefaultDataStore.getResourceData(DefaultDataStore.java:208) at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:177) at com.okta.sdk.impl.ds.DefaultRequestBuilder.get(DefaultRequestBuilder.java:90) at com.okta.cli.common.service.DefaultAuthorizationServerService.authorizationServersMap(DefaultAuthorizationServerService.java:33) at com.okta.cli.commands.apps.CommonAppsPrompts.getIssuer(CommonAppsPrompts.java:36) at com.okta.cli.commands.Start.runCommand(Start.java:122) at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:41) at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:26) at picocli.CommandLine.executeUserObject(CommandLine.java:1783) at picocli.CommandLine.access$900(CommandLine.java:145) at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2150) at picocli.CommandLine$RunLast.handle(CommandLine.java:2144) at picocli.CommandLine$RunLast.handle(CommandLine.java:2108) at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:1975) at picocli.CommandLine.execute(CommandLine.java:1904) at com.okta.cli.OktaCli.run(OktaCli.java:64) at com.okta.cli.OktaCli.main(OktaCli.java:54) Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alert.createSSLException(Alert.java:131) at sun.security.ssl.TransportContext.fatal(TransportContext.java:349) at sun.security.ssl.TransportContext.fatal(TransportContext.java:292) at sun.security.ssl.TransportContext.fatal(TransportContext.java:287) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1409) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1315) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at com.okta.commons.http.httpclient.HttpClientRequestExecutor.executeRequest(HttpClientRequestExecutor.java:186) ... 26 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) at sun.security.validator.Validator.validate(Validator.java:264) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ... 51 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ... 57 more