How to resolve “unable to find valid certification path to requested target” error?

Guy Cohen
2019-03-24 08:56

Subject

Issue with establishing a trusted connection over SSL in Artifactory

You may run into the following error message during replication and other tasks:

[ERROR] (o.a.a.r.c.BaseReplicationProducer:97) – Error occurred while performing folder replication for 'XXXX': sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: sun.security.validator.ValidatorException:

 

Cause

The error message indicates that Artifactory could not establish a trusted connection over SSL. You may see this issue if you are using a self-signed certificate or a certificate issued by an internal Certificate Authority, or if your clients (e.g. browser, Java) are outdated. Trust is established by having the root and intermediate certificates of your SSL certificate in a trusted keystore.

 

Resolution

The trusted keystore in Java is usually at $JAVA_HOME/lib/security/cacerts, and the default password of the "cacerts" keystore is "changeit". You can import your root and intermediate certificates by using the steps below. (For Java, you may also upgrade your JDK to resolve this issue, as it comes with newer certificates.)

1. Get the remote site's root and intermediate certificates by running openssl s_client -showcerts -connect <REMOTE_URL:PORT>

For example, openssl s_client -showcerts -connect cdn.redhat.com:443

2. Save each certificate as a file. For example, 

 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com

 i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com

 

In the example above, the issuer (i:) is the same as the subject (s:), which means that it is the root certificate.

Copy the encoded certificate text (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and save it as root.crt.
 

3. Identify which JVM Artifactory runs on.

4. Import the root and intermediate certificates into Java's trusted root certificate store (usually called "cacerts") by using the keytool import command. For more information, please visit https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html

For example,

sudo keytool -importcert -keystore /usr/local/java/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -file ~/Downloads/RHEL-cert/root.crt -alias "rhel-root"

5. Restart Artifactory
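
Steps 1, 2 and 4 as a script, added here as an example and not part of the original article or of Artifactory: it splits saved "openssl s_client -showcerts" output into one file per certificate, flags the self-signed entry, and prints a fingerprint before the keytool import. The function names split_chain, import_cert and sample_showcerts are hypothetical, and the sample chain is constructed with placeholder names and bodies.

```shell
# Added example: split saved `openssl s_client -showcerts` output into one
# PEM file per certificate and flag self-signed entries (subject == issuer).

# split_chain FILE OUTDIR: writes OUTDIR/cert-N.crt and prints "N kind path".
split_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^ *[0-9]+ s:/ { n = $1; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
        /^-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".crt"; inpem = 1 }
        inpem          { print > out }
        /^-----END CERTIFICATE-----/ {
            inpem = 0; close(out)
            kind = (subj[n] == iss[n]) ? "root" : "not-root"
            print n, kind, out
        }
    ' "$1"
}

# import_cert CERT ALIAS KEYSTORE: print subject and SHA-256 fingerprint, then
# import. keytool asks for confirmation; "changeit" is the default password.
import_cert() {
    openssl x509 -in "$1" -noout -subject -fingerprint -sha256 || return 1
    keytool -importcert -keystore "$3" -storepass changeit -file "$1" -alias "$2"
}

# Constructed sample: names and bodies are placeholders, not real certificates.
sample_showcerts() {
    cat <<'EOF'
Certificate chain
 0 s:/C=US/O=Example Corp/CN=repo.example.com
   i:/C=US/O=Example Corp/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAF
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Corp/CN=Example Issuing CA
   i:/C=US/O=Example Corp/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATE
-----END CERTIFICATE-----
 2 s:/C=US/O=Example Corp/CN=Example Root CA
   i:/C=US/O=Example Corp/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOT
-----END CERTIFICATE-----
EOF
}

# Usage: sh split_chain.sh showcerts.txt ./certs
if [ "$#" -eq 2 ]; then split_chain "$1" "$2"; fi
```

If no entry is reported as root, the server did not send its root certificate and it has to be obtained from the issuing CA. Compare the SHA-256 fingerprint printed by import_cert with one obtained from the CA through a separate channel before confirming the keytool prompt, because the chain was fetched over the connection that is not yet trusted.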

This error can also be seen if a certificate is loaded in an Apache/Nginx proxy. Please review your Apache/Nginx proxy settings and set up the trust.