perma-id / w3id.org

Website source code for w3id.org.
https://w3id.org/

Unable to find valid certification path #1063

Open megankatsumi opened 6 years ago

megankatsumi commented 6 years ago

I am using w3id.org as a means of creating persistent, de-referenceable namespaces for a set of ontologies. Recently, I have encountered the following error when attempting to load the ontologies in Protege via the w3id URL: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is the first time I've encountered such an issue (and have not recently updated Protege); the ontologies have been loading successfully via the w3id URL prior to this. They also still load successfully via their current URL on GitHub.

Any suggestions to fix this?

davidlehn commented 6 years ago

I don't know what that error means. Our prior cert was expiring recently and we switched w3id.org over to letsencrypt. We haven't had other reports of problems though. Which url is it? Do you have a more detailed error? Is w3id.org cert failing or did that pass and the target it redirected to is having problems?

megankatsumi commented 6 years ago

Hi David, The error seems to be occurring with all of the URLs that I am using w3id.org for (within the /icity directory). It looks to me like the issue is with the w3id.org cert, as the redirect targets open without issue when I use those URLs instead. The stack trace that is provided by Protege is appended below.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Full Stack Trace

org.semanticweb.owlapi.io.OWLOntologyCreationIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:207)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.actualParse(OWLOntologyManagerImpl.java:1099)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntology(OWLOntologyManagerImpl.java:1055)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntologyFromOntologyDocument(OWLOntologyManagerImpl.java:1011)
    at org.protege.editor.owl.model.io.OntologyLoader.loadOntologyInternal(OntologyLoader.java:101)
    at org.protege.editor.owl.model.io.OntologyLoader.lambda$loadOntologyInOtherThread$210(OntologyLoader.java:60)
    at org.protege.editor.owl.model.io.OntologyLoader$$Lambda$103/1730595113.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputStream(AbstractOWLParser.java:102)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputSource(AbstractOWLParser.java:232)
    at org.semanticweb.owlapi.rdf.rdfxml.parser.RDFXMLParser.parse(RDFXMLParser.java:72)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:197)
    ... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
    ... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 30 more

davidlehn commented 6 years ago

There's not much info in that monster stack trace. What URL is failing exactly? Does the URL work in other tools? Maybe the Java code doesn't know about whatever root cert letsencrypt uses? Can your tool handle other sites that use letsencrypt certs? Can it fetch https://letsencrypt.org/ itself?

megankatsumi commented 6 years ago

https://w3id.org/icity/UrbanSystem/ is one example of the URLs that are failing.

> Maybe the Java code doesn't know about whatever root cert letsencrypt uses?

If there are no other reports of similar problems then I suspect this may be the issue. I will raise the error with the developers of the tool as well.

Protege is only capable of loading RDF/XML or OWL files so unfortunately I can't test the letsencrypt.org URL.

davidlehn commented 6 years ago

Perhaps someone else who knows about Java can jump in to help.

https://www.ssllabs.com/ssltest/analyze.html?d=w3id.org&latest The above test results show support for latest and greatest protocols. There is a warning about Java 6u45. Not sure what it means. Is that what you run?

Might also check if you support the root cert listed above. Or can show with something like: openssl s_client -showcerts -connect w3id.org:443

dgarijo commented 6 years ago

Hello,

Indeed, it looks like a Java certificate error. The content negotiation is done correctly. For example:

curl -sH "accept:application/rdf+xml" -L https://w3id.org/icity/UrbanSystem/

will return the rdf/xml representation of the vocabulary. I will investigate this further. This may be a possible solution, but I haven't tried it yet: http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html

Best, Daniel

megankatsumi commented 6 years ago

Hello, I tried adding the certificates (root and intermediate) to cacerts but am still encountering the same issue. Maybe I'm missing something... Please let me know if you have any luck with this!

Megan

davidlehn commented 6 years ago

Is there a simple test program that can reproduce this problem? Would be helpful if others could confirm what environments have this issue. Would also be useful if someone could dig in and explain exactly what the problem is. Sounds like some versions of Java just don't have the root cert that letsencrypt uses? The w3id.org access logs from last couple days have Java user agents connecting so I guess some java code works fine. If this is a widespread problem we could go back to a paid cert, but the letsencrypt system is much easier to deal with.

dgarijo commented 6 years ago

I have reproduced this with Protege (version 5.2.0). My java version is 1.8.0_181. How to reproduce the error: File -> Open from URL, enter https://w3id.org/icity/UrbanSystem/ (or any other w3id-based ontology URI) and click on OK. Then you will see the error mentioned by Megan. Best, Daniel

davidlehn commented 6 years ago

I don't remember Java anymore, but I tried some random https client code from the interwebs. As another data point, it worked fine getting w3id.org urls on my debian box.

$ java --version
openjdk 10.0.1 2018-04-17
OpenJDK Runtime Environment (build 10.0.1+10-Debian-4)
OpenJDK Server VM (build 10.0.1+10-Debian-4, mixed mode)

Using these packages:

ii  ca-certificates-java  20180516  all  Common CA certificates (JKS keystore)
ii  openjdk-10-jre-headless:i386  10.0.1+10-4  i386  OpenJDK Java runtime, using Hotspot JIT (headless)

And as a note, the "DST Root CA X3" string appears in the java cacerts file:

keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep "DST Root CA X3"

lsarni commented 6 years ago

I'm also having this problem. It redirects correctly to the documentation from a browser but it gives me the same error on Protege 5.2.0.

I tried it out with these URLs:

https://w3id.org/ontocis/curricula
https://w3id.org/ontocis/composition
https://w3id.org/ontocis/courses
https://w3id.org/ontocis/competences
https://w3id.org/ontocis/topics
https://w3id.org/ontocis/degrees
https://w3id.org/ontocis/professors

This error is happening on the Open from URL option but also if I use the Direct Import option that requires a URL (in that case it doesn't open a modal window but it throws the error to the console):

Exception caught trying to get ontology id for https://w3id.org/ontocis/composition
org.semanticweb.owlapi.io.OWLOntologyCreationIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:207) ~[owlapi-osgidistribution.jar:4.2.8.20170104-2310]
        at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.actualParse(OWLOntologyManagerImpl.java:1099) ~[owlapi-osgidistribution.jar:4.2.8.20170104-2310]
        at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntology(OWLOntologyManagerImpl.java:1055) ~[owlapi-osgidistribution.jar:4.2.8.20170104-2310]
        at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntologyFromOntologyDocument(OWLOntologyManagerImpl.java:998) ~[owlapi-osgidistribution.jar:4.2.8.20170104-2310]
        at org.protege.editor.owl.model.repository.extractors.LastResortExtractor.getOntologyId(LastResortExtractor.java:21) ~[protege-editor-owl.jar:na]
        at org.protege.editor.owl.model.repository.MasterOntologyIDExtractor.getOntologyId(MasterOntologyIDExtractor.java:26) [protege-editor-owl.jar:na]
        at org.protege.editor.owl.ui.ontology.imports.wizard.page.AnticipateOntologyIdPage.checkImport(AnticipateOntologyIdPage.java:109) [protege-editor-owl.jar:na]
        at org.protege.editor.owl.ui.ontology.imports.wizard.page.AnticipateOntologyIdPage.lambda$new$163(AnticipateOntologyIdPage.java:44) [protege-editor-owl.jar:na]
        at org.protege.editor.owl.ui.ontology.imports.wizard.page.AnticipateOntologyIdPage$$Lambda$119/1811746145.run(Unknown Source) [protege-editor-owl.jar:na]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_40]
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_40]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) ~[na:1.8.0_40]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_40]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_40]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) ~[na:1.8.0_40]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) ~[na:1.8.0_40]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) ~[na:1.8.0_40]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) ~[na:1.8.0_40]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) ~[na:1.8.0_40]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_40]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) ~[na:1.8.0_40]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_40]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[na:1.8.0_40]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_40]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.8.0_40]
        at org.semanticweb.owlapi.io.AbstractOWLParser.getInputStream(AbstractOWLParser.java:102) ~[owlapi-osgidistribution.jar:4.2.8.20170104-2310]
        at org.semanticweb.owlapi.io.AbstractOWLParser.getInputSource(AbstractOWLParser.java:232) ~[owlapi-osgidistribution.jar:4.2.8.20170104-2310]
        at org.semanticweb.owlapi.rdf.rdfxml.parser.RDFXMLParser.parse(RDFXMLParser.java:72) ~[owlapi-osgidistribution.jar:4.2.8.20170104-2310]
        at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:197) ~[owlapi-osgidistribution.jar:4.2.8.20170104-2310]
        ... 9 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_40]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_40]
        at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_40]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_40]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_40]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_40]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) ~[na:1.8.0_40]
        ... 23 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) ~[na:1.8.0_40]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[na:1.8.0_40]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_40]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_40]
        ... 29 common frames omitted
An error occurred whilst extracting the Ontology Id from the imported ontology: {}
java.lang.NullPointerException: null
        at org.protege.editor.owl.model.repository.MasterOntologyIDExtractor.getOntologyId(MasterOntologyIDExtractor.java:27) ~[protege-editor-owl.jar:na]
        at org.protege.editor.owl.ui.ontology.imports.wizard.page.AnticipateOntologyIdPage.checkImport(AnticipateOntologyIdPage.java:109) [protege-editor-owl.jar:na]
        at org.protege.editor.owl.ui.ontology.imports.wizard.page.AnticipateOntologyIdPage.lambda$new$163(AnticipateOntologyIdPage.java:44) [protege-editor-owl.jar:na]
        at org.protege.editor.owl.ui.ontology.imports.wizard.page.AnticipateOntologyIdPage$$Lambda$119/1811746145.run(Unknown Source) [protege-editor-owl.jar:na]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_40]

davidlehn commented 6 years ago

Did anyone make progress on debugging what the problem is? Is it just some version of java not including certs that letsencrypt uses?

megankatsumi commented 6 years ago

I attempted to add the missing certificates as described:

> This may be a possible solution, but I haven't tried it yet: http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html

but am still encountering the same error. So, it seems like there is more to it. If someone else could also give this a try to confirm that would be great.

dgarijo commented 6 years ago

I have been traveling, and will be out for the rest of the month, but I plan to have a look when I finally have the time. Best, Daniel

megankatsumi commented 6 years ago

Anyone have any updates on this issue? I've tried to reach out to the Protege group as well but had no luck there.

Thanks, Megan

davidlehn commented 5 years ago

What version of java and OS are you all using? Is your software compatible with Let's Encrypt certs according to their docs? https://letsencrypt.org/docs/certificate-compatibility/

dgarijo commented 5 years ago

I have a Java 8 version 1.8.0_191 and Windows 10 pro. In theory this is compatible with their settings. I know other people with this issue on mac as well.

lsarni commented 5 years ago

I can reproduce the problem on macOS Mojave (Version 10.14.1) with:

java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 1.8.0_144-b01)
Java HotSpot(TM) 64-Bit Server VM (build 25.144-b01, mixed mode)

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Full Stack Trace
-----------------------------------------------------------------------------------------

org.semanticweb.owlapi.io.OWLOntologyCreationIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:207)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.actualParse(OWLOntologyManagerImpl.java:1099)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntology(OWLOntologyManagerImpl.java:1055)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntologyFromOntologyDocument(OWLOntologyManagerImpl.java:1011)
    at org.protege.editor.owl.model.io.OntologyLoader.loadOntologyInternal(OntologyLoader.java:101)
    at org.protege.editor.owl.model.io.OntologyLoader.lambda$loadOntologyInOtherThread$210(OntologyLoader.java:60)
    at org.protege.editor.owl.model.io.OntologyLoader$$Lambda$105/2102958283.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputStream(AbstractOWLParser.java:102)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputSource(AbstractOWLParser.java:232)
    at org.semanticweb.owlapi.rdf.rdfxml.parser.RDFXMLParser.parse(RDFXMLParser.java:72)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:197)
    ... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
    ... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 30 more

GatorScott commented 5 years ago

In my environment, the network infrastructure is performing SSL decryption which terminates the initial TLS connection, performs some inspection of the metadata, then starts a new TLS connection that is signed with our internal gateway certificate. This is an apparently common practice.

I added that gateway certificate to cacerts using the Java keytool to eliminate the problem.

Your IT staff should be able to give you the certificate you'll need (base-64 encoded).

The keytool command looks like this:

keytool -import -alias SSLGateway -keystore C:\Users\scott\Downloads\Software\Protege-5.5.0-beta-8\jre\lib\security\cacerts -file C:\Users\scott\Documents\SSL_Gateway.cer
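
A diagnostic for telling the two causes raised in this thread apart (a root missing from the JVM's trust store versus a TLS-inspecting gateway re-signing the connection), as an added example that is not code from any participant or from the w3id.org project. The class name `ChainCheck` is hypothetical; the program defaults to `w3id.org` on port 443, needs network access to that host, and should be run with the same Java runtime the failing application uses, since `java.home` determines which `cacerts` file is read.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Added diagnostic (hypothetical class name), not code from the thread.
public class ChainCheck {

    /** Records the chain the peer presents, then applies the JVM's normal validation unchanged. */
    static final class Recorder implements X509TrustManager {
        private final X509TrustManager jvm;
        X509Certificate[] seen = new X509Certificate[0];

        Recorder(X509TrustManager jvm) { this.jvm = jvm; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            seen = chain.clone();
            jvm.checkServerTrusted(chain, authType); // still throws on an untrusted chain
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            jvm.checkClientTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return jvm.getAcceptedIssuers(); }
    }

    /** The trust manager this JVM uses by default (its cacerts unless overridden). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Name-only lookup (no signature check): is there an anchor with this subject? */
    static boolean hasAnchor(X509TrustManager tm, X500Principal name) {
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            if (ca.getSubjectX500Principal().equals(name)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "w3id.org"; // host from the thread
        X509TrustManager jvm = defaultTrustManager();
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("trust anchors = " + jvm.getAcceptedIssuers().length);

        Recorder rec = new Recorder(jvm);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rec }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the host name
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("handshake: OK");
        } catch (IOException e) {
            System.out.println("handshake: FAILED (" + e + ")");
        }
        // Print what was actually presented on the wire, leaf first.
        for (int i = 0; i < rec.seen.length; i++) {
            System.out.println("[" + i + "] subject = " + rec.seen[i].getSubjectX500Principal());
            System.out.println("    issuer  = " + rec.seen[i].getIssuerX500Principal());
        }
        if (rec.seen.length > 0) {
            X500Principal top = rec.seen[rec.seen.length - 1].getIssuerX500Principal();
            System.out.println("issuer of last cert is a trust anchor in this JVM: "
                    + hasAnchor(jvm, top));
        }
    }
}
```

If the printed issuers name an internal gateway CA rather than a public CA, the connection is being re-signed in transit as GatorScott describes. If they name a public CA and the last line prints `false`, this JVM's trust store has no anchor by that name.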

iesnaola commented 3 years ago

Hello everybody,

I know this is quite an 'old' post, but I am having the same situation that @megankatsumi had with her ontology. Is there any update in this regard?

Some of the ontologies that Protege cannot open:

Thanks in advance

davidlehn commented 3 years ago

@iesnaola: No update from me, but I don't use that tool. It seemed like a java or cert problem. If anyone has a solution, please speak up. If it's something we can easily tweak on the server side, we can look into that.

dgarijo commented 3 years ago

I was able to load https://w3id.org/affectedBy in Protege 5.5.0 no problem. I haven't paid much attention to this issue because I think they fixed it on their end. Maybe we should just close this issue and recommend updating the version of Protege.