oracle / oci-java-sdk

Oracle Cloud Infrastructure SDK for Java
https://cloud.oracle.com/cloud-infrastructure

Cannot call any Identity API because of invalid certification path #379

Closed luca-poddigue closed 2 years ago

luca-poddigue commented 2 years ago

I'm using the latest version of the OCI Java SDK (2.21.0) and trying to get the list of available regions. I generated the API key via the console and referenced the config file and the private key as reported in the documentation.

However, I always get this error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I tried to hit https://identity.eu-milan-1.oci.oraclecloud.com with other clients, and it looks like the server certificate is self-signed. How is that possible? Is there a CA for Oracle certificates? The documentation doesn't mention anything like this.

jodoglevy commented 2 years ago

Hi @luca-poddigue - when I go to that URL (https://identity.eu-milan-1.oci.oraclecloud.com/), it works for me and shows the connection is using a valid root-CA-signed certificate:

[image]

Are you sure there is no proxy sitting between the computer you're trying this from, and OCI? Maybe there is a proxy in between which is using a self-signed certificate. Or maybe your computer is not trusting some standard CA certs?

Do you hit the same SSL issue in either (or both) of these scenarios?

luca-poddigue commented 2 years ago

You are right, man, there must be something in between. I tried from another laptop and it worked regularly. I guess I'll need to get it solved by my company's IT team. This issue can be closed, because it has nothing to do with OCI.

ihudedi commented 2 years ago

Hi @luca-poddigue I am getting the same issue when trying to access OCI object storage. Only adding the certificate to my cacerts file solves this issue. Do you know why? This is my stack trace:

Exception in thread "main" com.oracle.bmc.model.BmcException: (-1, null, false) Processing exception while communicating to: https://objectstorage.il-jerusalem-1.oraclecloud.com (outbound opc-request-id: F44D89FA9B844BB7BCB833D3123F5D37)
    at com.oracle.bmc.http.internal.RestClient.convertToBmcException(RestClient.java:994)
    at com.oracle.bmc.http.internal.RestClient.get(RestClient.java:221)
    at com.oracle.bmc.objectstorage.ObjectStorageClient.lambda$null$52(ObjectStorageClient.java:1299)
    at com.oracle.bmc.retrier.BmcGenericRetrier.doFunctionCall(BmcGenericRetrier.java:89)
    at com.oracle.bmc.retrier.BmcGenericRetrier.lambda$execute$0(BmcGenericRetrier.java:60)
    at com.oracle.bmc.waiter.GenericWaiter.execute(GenericWaiter.java:55)
    at com.oracle.bmc.retrier.BmcGenericRetrier.execute(BmcGenericRetrier.java:51)
    at com.oracle.bmc.objectstorage.ObjectStorageClient.lambda$listBuckets$53(ObjectStorageClient.java:1296)
    at com.oracle.bmc.retrier.BmcGenericRetrier.doFunctionCall(BmcGenericRetrier.java:89)
    at com.oracle.bmc.retrier.BmcGenericRetrier.lambda$execute$0(BmcGenericRetrier.java:60)
    at com.oracle.bmc.waiter.GenericWaiter.execute(GenericWaiter.java:55)
    at com.oracle.bmc.retrier.BmcGenericRetrier.execute(BmcGenericRetrier.java:51)
    at com.oracle.bmc.objectstorage.ObjectStorageClient.listBuckets(ObjectStorageClient.java:1290)
    at com.bmc.cm.aft.utils.OCIObjectStorageUtilsTest.main(OCIObjectStorageUtilsTest.java:44)
Caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:531)
    at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:297)
    at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:662)
    at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:697)
    at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:691)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
    at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:691)
    at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:661)
    at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:413)
    at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:313)
    at com.oracle.bmc.http.internal.ForwardingInvocationBuilder.get(ForwardingInvocationBuilder.java:127)
    at com.oracle.bmc.circuitbreaker.internal.JaxRsCircuitBreakerImpl.lambda$decorateSupplier$0(JaxRsCircuitBreakerImpl.java:83)
    at io.github.resilience4j.circuitbreaker.CircuitBreaker.lambda$decorateSupplier$4(CircuitBreaker.java:197)
    at com.oracle.bmc.circuitbreaker.internal.JaxRsCircuitBreakerImpl.lambda$decorateSupplier$1(JaxRsCircuitBreakerImpl.java:93)
    at com.oracle.bmc.http.internal.RestClient.lambda$decorateSupplier$0(RestClient.java:175)
    at com.oracle.bmc.http.internal.RestClient.get(RestClient.java:219)
    ... 12 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1356)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1231)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1174)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1359)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1268)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
    at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:483)
    ... 30 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340)
    ... 53 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 59 more

Thanks, Itay

luca-poddigue commented 2 years ago

Hi @ihudedi, as said above, in my case it is something related to how my company internally handles certificates. It happened running the code from Windows under VPN, but for instance, after deploying the same code onto a Linux machine, it worked perfectly. It's not a problem with Oracle.

ihudedi commented 2 years ago

Hi @luca-poddigue On my laptop under Windows it's not working, also without VPN. I have antivirus. On a Linux machine it works. Thanks, Itay
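
A diagnostic for the situation discussed in this thread, added here as an example (not code from the OCI SDK or from any commenter): it records the certificate chain the JVM actually receives from the endpoint and reports whether the JVM's default trust store accepts it, while leaving validation enforced. The class name `TlsChainCheck` and the default host are assumptions, and it assumes a direct connection to port 443 is possible.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TlsChainCheck {
    public static void main(String[] args) throws Exception {
        // Default host is an assumption; pass the endpoint that fails for you as args[0].
        String host = args.length > 0 ? args[0] : "identity.eu-milan-1.oci.oraclecloud.com";

        // Trust manager backed by this JVM's default trust store (cacerts).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager jvmDefault = (X509TrustManager) tmf.getTrustManagers()[0];

        X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jvmDefault.checkClientTrusted(c, t);
            }
            @Override public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;                         // record what the peer presented
                jvmDefault.checkServerTrusted(c, t); // chain validation is still enforced
            }
            @Override public X509Certificate[] getAcceptedIssuers() { return jvmDefault.getAcceptedIssuers(); }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        String verdict = "chain validates against the JVM trust store";
        // Only chain trust is checked here; a raw SSLSocket does not verify the hostname.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();
        } catch (SSLHandshakeException e) {
            verdict = "NOT trusted by this JVM: " + e.getMessage();
        }

        System.out.println(host + ": " + verdict);
        if (seen[0] == null) { System.out.println("No certificate chain was received."); return; }
        for (X509Certificate cert : seen[0]) {
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            System.out.println("  subject: " + cert.getSubjectX500Principal().getName());
            System.out.println("  issuer:  " + cert.getIssuerX500Principal().getName()
                    + (selfSigned ? "  [self-signed]" : ""));
        }
    }
}
```

Run it with the same JVM the application uses. An issuer that names a corporate proxy or antivirus product rather than a public CA points to TLS interception on the path between the client and OCI.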