oracle / oci-java-sdk

Oracle Cloud Infrastructure SDK for Java
https://cloud.oracle.com/cloud-infrastructure

SunCertPathBuilderException: unable to find valid certification path to requested target when connecting to OCI object storage #392

Closed ihudedi closed 2 years ago

ihudedi commented 2 years ago

Hi, when connecting to OCI Object Storage I am getting this error. I have to import the certificate to my cacerts file so that it would work.

```
Exception in thread "main" com.oracle.bmc.model.BmcException: (-1, null, false) Processing exception while communicating to: https://objectstorage.il-jerusalem-1.oraclecloud.com (outbound opc-request-id: 9228FD3067364988BED36B05B136DEAC)
    at com.oracle.bmc.http.internal.RestClient.convertToBmcException(RestClient.java:994)
    at com.oracle.bmc.http.internal.RestClient.get(RestClient.java:221)
    at com.oracle.bmc.objectstorage.ObjectStorageClient.lambda$null$52(ObjectStorageClient.java:1299)
    at com.oracle.bmc.retrier.BmcGenericRetrier.doFunctionCall(BmcGenericRetrier.java:89)
    at com.oracle.bmc.retrier.BmcGenericRetrier.lambda$execute$0(BmcGenericRetrier.java:60)
    at com.oracle.bmc.waiter.GenericWaiter.execute(GenericWaiter.java:55)
    at com.oracle.bmc.retrier.BmcGenericRetrier.execute(BmcGenericRetrier.java:51)
    at com.oracle.bmc.objectstorage.ObjectStorageClient.lambda$listBuckets$53(ObjectStorageClient.java:1296)
    at com.oracle.bmc.retrier.BmcGenericRetrier.doFunctionCall(BmcGenericRetrier.java:89)
    at com.oracle.bmc.retrier.BmcGenericRetrier.lambda$execute$0(BmcGenericRetrier.java:60)
    at com.oracle.bmc.waiter.GenericWaiter.execute(GenericWaiter.java:55)
    at com.oracle.bmc.retrier.BmcGenericRetrier.execute(BmcGenericRetrier.java:51)
    at com.oracle.bmc.objectstorage.ObjectStorageClient.listBuckets(ObjectStorageClient.java:1290)
    at com.bmc.cm.aft.utils.OCIObjectStorageUtilsTest.main(OCIObjectStorageUtilsTest.java:46)
Caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:531)
    at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:297)
    at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:662)
    at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:697)
    at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:691)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
    at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:691)
    at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:661)
    at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:413)
    at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:313)
    at com.oracle.bmc.http.internal.ForwardingInvocationBuilder.get(ForwardingInvocationBuilder.java:127)
    at com.oracle.bmc.circuitbreaker.internal.JaxRsCircuitBreakerImpl.lambda$decorateSupplier$0(JaxRsCircuitBreakerImpl.java:83)
    at io.github.resilience4j.circuitbreaker.CircuitBreaker.lambda$decorateSupplier$4(CircuitBreaker.java:197)
    at com.oracle.bmc.circuitbreaker.internal.JaxRsCircuitBreakerImpl.lambda$decorateSupplier$1(JaxRsCircuitBreakerImpl.java:93)
    at com.oracle.bmc.http.internal.RestClient.lambda$decorateSupplier$0(RestClient.java:175)
    at com.oracle.bmc.http.internal.RestClient.get(RestClient.java:219)
    ... 12 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1356)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1231)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1174)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1359)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1268)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
    at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:483)
    ... 30 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340)
    ... 53 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 59 more
```

Thanks, Itay

jodoglevy commented 2 years ago

@ihudedi it sounds like your machine does not trust the certificate authority (CA) which signs the OCI endpoints' certificates in Jerusalem. So the fact that you have to import the certificate to your trust store is to be expected.

On my machine, I can see that the machine by default trusts this CA / certificate:

ihudedi commented 2 years ago

Hi @jodoglevy, how can I check from my machine or from my Java that the certificate isn't trusted? Thanks, Itay

jodoglevy commented 2 years ago

@ihudedi for the machine level, it depends on what type of operating system you have and OS version. You should be able to find docs on the internet on how to import trusted certs into the machine cert store for your OS version.

For the Java cert store, see https://connect2id.com/blog/importing-ca-root-cert-into-jvm-trust-store for more info on how to do this.

jodoglevy commented 2 years ago

@ihudedi are you still in need of assistance, or can this issue be closed?

ihudedi commented 2 years ago

Hi @jodoglevy, I am still having issues connecting to your endpoint without adding the certificate to my cacerts file. How can I check whether my machine/firewall/antivirus blocks this? https://objectstorage.il-jerusalem-1.oraclecloud.com/ Thanks, Itay

jodoglevy commented 2 years ago

@ihudedi you can follow https://connect2id.com/blog/importing-ca-root-cert-into-jvm-trust-store or https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdk_troubleshooting.htm section "SSL errors", "Java" subsection, method 1 "Import CA certificates to the Java Keystore".

I can't speak to why your machine doesn't trust this typical CA cert by default.
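
An added diagnostic for the two questions raised above (how to check from Java whether the endpoint's chain is trusted, and whether something on the machine is replacing it); this is not code from the thread or from the OCI SDK. It wraps the JVM's default X509TrustManager so the chain the server presents is recorded without weakening verification, then reports each certificate's issuer and whether that issuer is a trust anchor in the default trust store. The hostname defaults to the endpoint quoted in the issue and can be overridden on the command line.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

/** Reports why the JVM's default trust store accepts or rejects a server's certificate chain. */
public class TrustPathCheck {
    /** Records the presented chain, then delegates to the real trust manager (rejection is still enforced). */
    static final class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        volatile X509Certificate[] seenChain;
        RecordingTrustManager(X509TrustManager d) { delegate = d; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            seenChain = c;                    // keep a copy for the report below
            delegate.checkServerTrusted(c, a); // unchanged PKIX validation against cacerts
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        // Hostname from the issue; pass another host as the first argument to check a different endpoint.
        String host = args.length > 0 ? args[0] : "objectstorage.il-jerusalem-1.oraclecloud.com";
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JVM's default trust store (cacerts or javax.net.ssl.trustStore)
        X509TrustManager def = (X509TrustManager) tmf.getTrustManagers()[0];
        RecordingTrustManager rec = new RecordingTrustManager(def);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{rec}, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the hostname, as the HTTP client does
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake OK: chain is trusted by the default trust store");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
        if (rec.seenChain == null) { System.out.println("No certificate chain was presented"); return; }
        Set<String> anchors = Arrays.stream(def.getAcceptedIssuers())
                .map(c -> c.getSubjectX500Principal().getName()).collect(Collectors.toSet());
        for (X509Certificate c : rec.seenChain) {
            String issuer = c.getIssuerX500Principal().getName();
            System.out.printf("  subject=%s%n    issuer=%s  [issuer is a trust anchor: %s]%n",
                    c.getSubjectX500Principal().getName(), issuer, anchors.contains(issuer) ? "yes" : "NO");
        }
    }
}
```

If the issuer printed for the top of the chain is not a public CA but a local proxy, firewall or antivirus root, the chain Java sees has been replaced by TLS inspection on that machine, which is why the same JVM trust store works elsewhere.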

jodoglevy commented 2 years ago

@ihudedi are you still in need of assistance? If we don't hear from you for another week, we'll close this ticket.

ihudedi commented 2 years ago

Hi @jodoglevy, I imported the certificate into my cacerts file and it's working. Seems like I have an issue on my laptop due to a firewall or antivirus; on other machines it works fine. Thanks, Itay

jodoglevy commented 2 years ago

Glad you got it working!