Path does not chain with any of the trust anchors
Does your favourite Java application throw an exception like the one shown below, and you cannot find out why?
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
To start, download and use the InstallCert application – it helps with troubleshooting. You can also use the SSLPoke application from Atlassian. When you troubleshoot, run the tools something like this:
java.exe -Djavax.net.debug=ssl SSLPoke lutvann.helge.net 443 > debug.log 2>debug.err
This way all the output (and there can be a lot of it) is stored in files you can read in your favourite text editor.
As I see it, there are two causes of this exception.
- The root certificate is not trusted in the Java keystore.
- The intermediate certificates needed are not present or are wrong. All certificates in the path should be sent from the web server to the client.
Verify the root certificate
This is easy. Find out who issued the certificate; this is easily done with Internet Explorer, Firefox or Chrome. Open the encrypted page in the web browser and click the padlock icon. Find the certification path; there you can see all certificates in the path, including the root certificate.
To check the root certificate you first need to find out which keystore is used. Run one of the above programs and look for the line starting with Loading Keystore… That is your file; it is named either cacerts or jssecacerts. Then run keytool to list all certificates in it:
keytool -list -v -keystore <path/name here> > rootca.txt
Open rootca.txt and browse through it to find your root certificate. Remember to check the name, the issue date and the certificate serial number to be sure it is the same certificate.
Wrong certificate chain sent from the web server
As long as you have the right root certificate, the web client (in this case Java) can validate the complete certificate chain, provided the whole chain is sent from the server. All certificates in the chain must be sent from the server. Given my certificate above, the web server has to send two certificates: one for the GoDaddy Secure Authority and one for my certificate. Use InstallCert as described above to see which certificates the server sends to the client, and make sure every certificate in the chain is there.
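As an added diagnostic (not part of this post, nor of InstallCert or SSLPoke), the program below records the chain the server actually sends, validates it against the JVM's default keystore in the same way the failing application does, and reports which of the two causes applies: a gap between adjacent certificates (the server omitted an intermediate) or a top issuer that is not in the keystore (the root is missing). The class name ChainCheck is my own; the default host is the one from the SSLPoke command above.

```java
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
public class ChainCheck {
    // Records the chain the server sends, then defers to the JVM's own trust manager, so an
    // untrusted chain is still rejected (same idea as InstallCert's saving trust manager).
    static class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager delegate; X509Certificate[] chain;
        RecordingTrustManager(X509TrustManager d) { delegate = d; }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            chain = c;                       // saved before validation, which may throw
            delegate.checkServerTrusted(c, a);
        }
    }
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "lutvann.helge.net";   // host used in the post
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);           // default truststore: jssecacerts/cacerts or -Djavax.net.ssl.trustStore
        RecordingTrustManager tm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        String verdict;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            verdict = "OK: chain validates against the default truststore";
        } catch (SSLHandshakeException e) {
            verdict = "FAILED: " + e.getMessage();
        }
        X509Certificate[] chain = tm.chain;
        if (chain == null) { System.out.println("No certificate chain received. " + verdict); return; }
        for (int i = 0; i < chain.length; i++) {
            System.out.printf("[%d] subject=%s%n    issuer=%s%n    serial=%s%n", i, chain[i].getSubjectX500Principal(),
                    chain[i].getIssuerX500Principal(), chain[i].getSerialNumber().toString(16));
            if (i + 1 < chain.length && !chain[i].getIssuerX500Principal().equals(chain[i + 1].getSubjectX500Principal()))
                System.out.println("    GAP: next certificate is not this one's issuer (server omitted an intermediate)");
        }
        Set<X500Principal> trusted = new HashSet<>();   // subjects of every certificate trusted by the keystore
        for (X509Certificate t : tm.getAcceptedIssuers()) trusted.add(t.getSubjectX500Principal());
        X500Principal top = chain[chain.length - 1].getIssuerX500Principal();
        System.out.println((trusted.contains(top) ? "Trust anchor present: " : "Trust anchor MISSING from keystore: ") + top);
        System.out.println(verdict);
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore setting as the failing application so that it checks the same keystore.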
If all fails
Contact me and I will see if I can do anything.