phax / phase4

phase4 - AS4 client and server for integration into existing systems. Specific support for Peppol and CEF eDelivery built-in.
Apache License 2.0

SunCertPathBuilderException when sending Peppol Message #44

Closed Florianisme closed 3 years ago

Florianisme commented 3 years ago

I am getting the following exception when trying to send a Peppol Message to another Access Point:

2020-11-05 15:04:43.311 WARN 4672 --- [nio-8081-exec-1] c.h.p.utils.PeppolCertificateChecker : Certificate is revoked
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
    at com.helger.peppol.utils.PeppolCertificateChecker.isCertificateRevoked(PeppolCertificateChecker.java:308) ~[peppol-commons-8.1.1.jar:8.1.1]
    at com.helger.peppol.utils.PeppolCertificateChecker._checkCertificate(PeppolCertificateChecker.java:428) ~[peppol-commons-8.1.1.jar:8.1.1]
    at com.helger.peppol.utils.PeppolCertificateChecker.checkPeppolAPCertificate(PeppolCertificateChecker.java:459) ~[peppol-commons-8.1.1.jar:8.1.1]
    at com.helger.phase4.peppol.Phase4PeppolSender._checkReceiverAPCert(Phase4PeppolSender.java:176) ~[phase4-peppol-client-0.10.0.jar:0.10.0]
    at com.helger.phase4.peppol.Phase4PeppolSender.access$100(Phase4PeppolSender.java:76) ~[phase4-peppol-client-0.10.0.jar:0.10.0]
    at com.helger.phase4.peppol.Phase4PeppolSender$AbstractPeppolUserMessageBuilder.finishFields(Phase4PeppolSender.java:479) ~[phase4-peppol-client-0.10.0.jar:0.10.0]
    at com.helger.phase4.peppol.Phase4PeppolSender$Builder.finishFields(Phase4PeppolSender.java:733) ~[phase4-peppol-client-0.10.0.jar:0.10.0]
    at com.helger.phase4.sender.AbstractAS4UserMessageBuilderMIMEPayload.sendMessage(AbstractAS4UserMessageBuilderMIMEPayload.java:131) ~[phase4-lib-0.10.0.jar:0.10.0]
    at de.itelligence.peppol.ap.outbound.OutboundMessageService.sendPeppolMessage(OutboundMessageService.java:57) ~[classes/:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]

The SMP under which the other AP is registered has the correct Certificate setup in the Endpoint. But the peppol-client still says the other Certificate has been revoked. It is a completely new Production Certificate.

Surely there is some misconfiguration on my side. Are there any traps I could have ran into or something I did not notice?

phax commented 3 years ago

Hi Florian, you need to provide the "Truststore" of Peppol to the phase4 client. Assuming you are using the configuration via the file crypto.properties, make sure the following lines are present:

org.apache.wss4j.crypto.merlin.truststore.type=JKS
org.apache.wss4j.crypto.merlin.truststore.file=truststore/complete-truststore.jks
org.apache.wss4j.crypto.merlin.truststore.password=peppol

The file truststore/complete-truststore.jks is inside the JARs and contains all the Peppol certificates. hth
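
The stack trace above shows why the misconfiguration surfaces as a misleading "Certificate is revoked" warning: PeppolCertificateChecker.isCertificateRevoked calls CertPathBuilder.build, and a PKIX path build fails with "unable to find valid certification path to requested target" when the truststore holds no anchor the receiver's certificate chains to. The following stand-alone diagnostic is an added example written for this thread; it is not part of phase4 or peppol-commons. It assumes a JKS truststore file (for instance complete-truststore.jks extracted from the JAR, password "peppol" as in the crypto.properties above) and the receiver AP certificate as a PEM or DER file, both passed on the command line; the class and argument names are illustrative.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added diagnostic (not project code): does the receiver AP certificate chain
 * to a trusted certificate entry in the configured truststore?
 *
 * Usage: java TruststoreDiag <truststore.jks> <truststore-password> <receiver-cert.pem>
 */
public final class TruststoreDiag {

  public static void main(String[] args) throws Exception {
    // Same store type/password as the Merlin truststore settings in crypto.properties.
    KeyStore truststore = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(args[0])) {
      truststore.load(in, args[1].toCharArray());
    }

    // 1. List what the store can actually anchor a path at. Only *trusted
    //    certificate* entries count; a store holding just your own key pair
    //    (a keystore) contributes no trust anchors at all.
    System.out.println("Trusted certificate entries:");
    for (Enumeration<String> e = truststore.aliases(); e.hasMoreElements();) {
      String alias = e.nextElement();
      if (truststore.isCertificateEntry(alias)) {
        X509Certificate c = (X509Certificate) truststore.getCertificate(alias);
        System.out.println("  " + alias + " -> " + c.getSubjectX500Principal());
      }
    }

    // 2. Parse the receiver's certificate as published in its SMP endpoint.
    X509Certificate receiver;
    try (InputStream in = new FileInputStream(args[2])) {
      receiver = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
    }
    System.out.println("Receiver: " + receiver.getSubjectX500Principal()
        + " issued by " + receiver.getIssuerX500Principal());

    // 3. Build a PKIX path with revocation checking disabled, so a failure here
    //    is unambiguously a trust/chain problem and not an OCSP or CRL result.
    X509CertSelector target = new X509CertSelector();
    target.setCertificate(receiver);
    try {
      PKIXBuilderParameters params = new PKIXBuilderParameters(truststore, target);
      params.setRevocationEnabled(false);
      PKIXCertPathBuilderResult result =
          (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
      System.out.println("Path OK, anchored at "
          + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    } catch (InvalidAlgorithmParameterException ex) {
      // Thrown when the store contains no trusted certificate entries at all.
      System.out.println("Truststore has no trust anchors: " + ex.getMessage());
    } catch (CertPathBuilderException ex) {
      // This is the exception wrapped in the "Certificate is revoked" warning above.
      System.out.println("No path to a trust anchor: " + ex.getMessage());
      System.out.println("The issuing Peppol CA must be a trusted entry in the TRUSTSTORE, "
          + "not only present in the keystore.");
    }
  }
}
```

Run it against the store you actually point Merlin at. If step 1 prints no entries or only your own AP certificate, the path build in step 3 cannot succeed regardless of how correct the SMP endpoint is, which is exactly the situation in this issue.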

Florianisme commented 3 years ago

Hi Philip, thanks for your help! I already do that; these are all my certificates from my truststore: [screenshot]

Florianisme commented 3 years ago

Hold on, I think I just found the mistake.

phax commented 3 years ago

So so so???

Florianisme commented 3 years ago

I'll need to check, will update you later :)

Florianisme commented 3 years ago

The mistake was that I completely forgot to add the truststore. I thought adding all of Peppol's certificates to the keystore was enough. :) Thanks for your quick help!

phax commented 3 years ago

Ah super. Glad you solved it :)