Wednesday, September 22, 2010

Path does not chain with any of the trust anchors

Does your favourite Java application trhow an exception as shown below? And you can not find out why? PKIX path validation failed: Path does not chain with any of the trust anchors

To start out download and use the InstallCert application – it helps troubleshooting. You can also use the SSLPoke application from Atlassian. When you troubleshoot make sure you run the tools something like this:

java.exe SSLPoke 443 > debug.log 2>debug.err

This way all the output (and it can be lots of it) are stored in files you can read from your favourite notepad.

As I think there are two causes of this exception.

  1. The root certificate is not trusted in the Java keystore.
  2. The intermediate certificates needed are not present or wrong. All certificates in the path should be sent from the web server to the client.

LockVerify the root certificate

This is easy. Find out who issued the certificate. this is easily done using Internet Explorer, Firefox or Chrome. Open the encrypted page in the web browser and click the locked lock button. Find the certification path. Here you can see all certificates in the path and the root certificate.


To check the root certificate you will need to find out what keystore you will use. Run one of the above programs and look for the line starting with Loading Keystore… There is your file, it is named either cacerts or jssecacerts. Then run keytool to list all certificates.

keytool -list -v -keystore <path/name here> > rootca.txt

Open the rootca.txt and browse to find your root certificate. Browse through and see if you find it there. Remember to check both name, issued date and certificate serial number to be sure.

Wrong certificate chain sent from the web server

As long as you have the right root certificate the web client (in this case Java) can validate the complete certificate chain as long as it is sent from the server. All certificates in the chain must be sent from the server. Given my certificate above, the web server has to send two certificates. One for the GoDaddy Secure Authority and one for my certificate. Use InstallCert as described above to see what certificates are sent from the server to the client. And then make sure that you get all the certificates you want.

If all fails

Contact me and I will see if I can do anything.

Labels: ,


At 08:55, Anonymous Anonymous said...

I've got better solution. I've found java service that can be run and do everything for us.



At 06:36, Anonymous Anonymous said...

Is it okay if I give you all my files so you can check? I can't still debug what's the problem.
Thanks and regards,


Post a Comment

Links to this post:

Create a Link

<< Home