ARTIFACTORY: How to Resolve an “unable to find valid certification path to requested target” Error

Guy Cohen
2023-01-22 11:09

You may encounter an issue when trying to establish a trusted SSL connection from Artifactory.

During replication and other tasks that need to connect to a remote server, you might see the following error message:
 

[ERROR] (o.a.a.r.c.BaseReplicationProducer:97) – Error occurred while performing folder replication for 'XXXX': sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: sun.security.validator.ValidatorException:

This indicates that Artifactory was unable to establish a trusted SSL connection. This issue might arise if you are using a self-signed certificate or a certificate that’s been issued by an internal certificate authority, or if your clients (e.g., browser, Java) are outdated.

Trust is handled by having the root and intermediate certificates of your SSL certificate in a trusted keystore. That said, this may not be required if you're using the default JVM security setting.

Resolution:
First, get your root certificate. Then, perform the following steps (being mindful that if you're working in an HA environment, you'll need to apply these steps to all of your nodes):

  1. Get the remote site’s root and intermediate certificates by running openssl s_client -showcerts -connect <REMOTE_URL>:<REMOTE_PORT>. Note: This may not be required if you are using the default JVM security setting.

For example:

openssl s_client -showcerts -connect google.com:443
  2. Save each certificate as a file. For example:

 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
 i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com

This indicates that the issuer (i:) is the same as the subject (s:).
Therefore, this is the root certificate. Save the certificate text, being sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, as root.crt.
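
The two steps above can be scripted. The following is an added example, not JFrog's code: the function names, the cert-N.crt file names and the sample host names are assumptions, and the sample input is constructed with placeholder Base64 rather than real certificates.

```shell
#!/bin/sh
# Added example (not JFrog's code). Splits `openssl s_client -showcerts`
# output into one PEM file per certificate and labels each one "root"
# (subject == issuer, the check described above) or "chain".

# Usage: openssl s_client -showcerts -connect host:443 </dev/null | split_showcerts DIR
# Prints "<n> <root|chain> <file> <subject>" per certificate, tab-separated.
split_showcerts() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        # Chain entries: " 0 s:<subject>" then "   i:<issuer>", then the PEM block.
        /^ *([0-9]+ )?s:/ { sub(/^ *([0-9]+ )?s:/, ""); subject = $0; next }
        /^ *i:/           { sub(/^ *i:/, "");           issuer  = $0; next }
        /^-----BEGIN CERTIFICATE-----/ { n++; file = dir "/cert-" n ".crt"; inpem = 1 }
        inpem { print > file }
        /^-----END CERTIFICATE-----/ {
            inpem = 0; close(file)
            kind = (subject == issuer) ? "root" : "chain"
            printf "%d\t%s\t%s\t%s\n", n, kind, file, subject
        }
    '
}

# Constructed sample input: made-up names, placeholder Base64 (not real certificates).
sample_showcerts() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=repo.example.internal
   i:/C=US/O=Example Corp/CN=Example Internal Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Corp/CN=Example Internal Root CA
   i:/C=US/O=Example Corp/CN=Example Internal Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUk9PVA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=Example Corp/CN=repo.example.internal
issuer=/C=US/O=Example Corp/CN=Example Internal Root CA
EOF
}
```

A certificate taken from the very connection you are trying to validate proves nothing by itself. Before importing the file labelled root, compare its fingerprint (openssl x509 -noout -fingerprint -sha256 -in root.crt) with the value supplied by the owner of that CA.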

For a new certificate to be trusted, you'll need to add it to your application's keystore or to the keys directory of every service that needs to trust it. To establish a certificate's trust for the JFrog Platform with Artifactory 7.x or Mission Control 4.x, follow the instructions detailed HERE. For Artifactory 6.x or Mission Control 3.x, use these instructions: 

  1. Identify which JVM platform Artifactory is running on.
  2. Import the root and intermediate certificates into the trusted root certificate store of the Java platform you identified in Step 1 above (usually called cacerts) by using the keytool import command. More information is available HERE.

For example:

sudo keytool -importcert -keystore /usr/local/java/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -file ~/Downloads/RHEL-cert/root.crt -alias "rhel-root"

Verify your changes at Admin => Repositories => your remote repository => Test.
If you are still encountering a connection failure, you may need to restart Artifactory for your changes to take effect.

Published: Jan. 13, 2020
Last updated: Dec. 21, 2020

Keywords: Certificate, Artifactory, SSL