How to resolve “unable to find valid certification path to requested target” error?

Guy Cohen
2020-01-13 17:00

Subject

Issue with establishing a trusted connection over SSL from Artifactory to a remote site.

Detail

You may run into the following error message during replication and other tasks that require connecting to a remote server:

[ERROR] (o.a.a.r.c.BaseReplicationProducer:97) – Error occurred while performing folder replication for 'XXXX': sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: sun.security.validator.ValidatorException:

The error message indicates that Artifactory could not establish a trusted connection over SSL. You may see this issue if you are using a self-signed certificate or a certificate issued by an internal Certificate Authority, or if your clients (e.g. browser, Java) are outdated. Trust is established by having the root and intermediate certificates of your SSL certificate in a trusted keystore (the intermediate may not be required if using the default JVM security setting).
 

Resolution

 

NOTE: For Artifactory High Availability, perform the following steps on all of the HA nodes.

<GET ROOT CERTIFICATE>

1. Get the remote site's root and intermediate certificates by running openssl s_client -showcerts -connect <REMOTE_URL>:<REMOTE_PORT>. Note that, depending on the JVM's security settings, you may not need to trust the intermediate certificate (the default setting does not require it).

For example, openssl s_client -showcerts -connect google.com:443

 

2. Save each certificate as a file

For example, 

 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com

 i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
 

In the example above, the issuer (i:) is the same as the subject (s:), which indicates that it is the root certificate.

Copy the encoded certificate text (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and save it as root.crt.
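Steps 1 and 2 above as an added script (not part of the original article or of JFrog's tooling): it splits saved openssl s_client -showcerts output into one file per certificate and reports which entry is self-signed. The function names, file names and the sample chain are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): split saved
# `openssl s_client -showcerts` output into one PEM file per certificate
# and flag the self-signed entry (subject equals issuer).

# split_showcerts <saved-output> <out-dir>
# Writes cert-0.pem, cert-1.pem, ... and prints "<file> <root|non-root> <subject>".
split_showcerts() {
    awk -v dir="$2" '
        BEGIN { n = 0 }
        /^ *[0-9]* *s:/ { sub(/^ *[0-9]* *s:/, ""); subj = $0; next }
        /^ *i:/         { sub(/^ *i:/, ""); issuer = $0; next }
        /^-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; inpem = 1 }
        inpem { print > out }
        /^-----END CERTIFICATE-----/ {
            close(out); inpem = 0
            print out, (subj == issuer ? "root" : "non-root"), subj
            n++
        }
    ' "$1"
}

# root_cert <saved-output> <out-dir>
# Prints the path of the self-signed certificate; fails if the server sent none.
root_cert() {
    split_showcerts "$1" "$2" |
        awk '$2 == "root" { print $1; found = 1; exit } END { exit !found }'
}

# Constructed sample: placeholder base64 bodies, not real certificates.
make_sample() {
    cat > "$1" <<'EOF'
Certificate chain
 0 s:/O=Example Corp/CN=repo.example.internal
   i:/O=Example Corp/CN=Example Internal Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:/O=Example Corp/CN=Example Internal Root CA
   i:/O=Example Corp/CN=Example Internal Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
EOF
}

work=$(mktemp -d)
make_sample "$work/showcerts.txt"
root_cert "$work/showcerts.txt" "$work"    # prints $work/cert-1.pem
```

To use it on a real site, save the output first with openssl s_client -showcerts -connect <REMOTE_URL>:<REMOTE_PORT> </dev/null > showcerts.txt. A certificate fetched this way has not been authenticated yet, so compare its fingerprint (openssl x509 -noout -fingerprint -sha256 -in root.crt) with one obtained from the CA's owner before importing it.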

<TRUST THE CERTIFICATE>

For JFrog Platform with Artifactory 7.x or Mission Control 4.x, use this instruction:

https://www.jfrog.com/confluence/display/JFROG/Managing+TLS+Certificates

For Artifactory 6.x or Mission Control 3.x, use these instructions:

1. Identify which JVM Artifactory runs on.

2. Import the root and intermediate certificates into the trusted root certificate store (usually called "cacerts") of the JVM identified above by using the keytool import command. For more information, please visit https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html

For example,

sudo keytool -importcert -keystore /usr/local/java/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -file ~/Downloads/RHEL-cert/root.crt -alias "rhel-root"

<VERIFY>

Verify the change at Admin => Repositories => your remote repository => Test. If it still fails, you may need to restart Artifactory for the change to take effect.