What does the error "PKIX path building failed" or "unable to find valid certification path to requested target" mean?

Question

While attempting to communicate over a secure connection, the following error is returned:

javax.xml.ws.WebServiceException: java.io.IOException: Got sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target while opening stream from https://secure.domain.com/endpoint?wsdl

Answer 1

When the server's certificate (HIE) is not trusted the qieLauncher.log will show the following error.

 

SEND TLSv1 ALERT:  fatal, description = certificate_unknown

 

Notes:

 

1. The name of the certificate will appear several lines above this one

 

2. You need to have the following option enabled.

-Djavax.net.debug=ssl,handshake

 

3. Remember to turn off the sslhandshake when done or the log file will get really big.

-Djavax.net.debug.OFF=ssl,handshake

 

In order to fix this, you will need to add the server's certificate to your trust store.  In other words, the certificate is unknown because it is not trusted, but once it is trusted then it will be used. Please refer to the SSL Certificate Guide for instructions on adding the certificate to the trust store.