How to fix your "PKIX path building failed" error

Let's see how you can fix your "PKIX path building failed" error. This error occurs when you try to connect via HTTPS between two applications via a self-signed certificate.

The error will look something like this:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.
ValidatorException: PKIX path building failed: sun.security.provider.certpath.
SunCertPathBuilderException: unable to find valid certification path to requested target
In case you did not know. The acronym PKIX stands for Public Infrastructure X509.

Issue description

A Successful connection between two SSL-based connections is only possible if the certificates are valid and trusted. Luckily, there is nothing to worry about if you are facing the issue. It is a well-known error message reported by the Java Virtual Machine. This error message is displayed when the Java environment does not have the information about the HTTPS server to verify that it is a trusted website.

The following are the common causes:

  • The most common reason for this error is the certificate provided by an internal Root CA or is a self-signed certificate. Therefore, it can confuse the Java Virtual Machine as it is not on the Java "Trusted" list.
  • A system firewall can also cause the issue. The firewall restricts the application's connection to external systems that are unsecured. A valid certificate is required to access external systems.

Solution

You need to download and install the required certificates to fix your "PKIX path building failed" error.

Step 1 - Download the certificate

You can download the certificate using the following steps:

  1. Look for a URL in the error message and paste it to a browser.
  2. Now check if the URL you are visiting is secure. You can do this by looking for a lock icon on the left of the URL.
  3. Once you select the certificate, save the certificate to a file. You can choose DER encoded binary as the file format for the certificate.

At this point, you have not downloaded the certificate. The next step is to install the certificates in your system's cacerts trust store. The cacerts is a trust store is used to authenticate peers.

Step 2 – Install the certificate.

You will need to use the keytool command to install your certificate.

See the command below:

keytool -importcert -trustcacerts -alias <alias name of the certificate> -file <path were we have saved the certificate> -Keystore “<path for the cacerts file>” -storepass changeit

The details will be according to your computer. In our case, the command will be:

keytool -importcert -trustcacerts -alias repo -file C:\temp\repo.cer -Keystore “C:\Program Files\Java\jdk1.8.0_131\jre\lib\security\carcets” -storepass changeit

Note:

  1. We are using jdk1.8.0_131; as a result, the cacerts file path for our system is "C:\Program Files\Java\jdk1.8.0_131\jre\lib\security\carcets". This path can be different for you, depending on your system and the JDK version.
  2. We have named our certificate repo, and the path where we save our certificate is C:\temp\repo.cer.

Wrapping up

After this detailed guide, we hope you have a clearer picture and better understanding of why this PKIX path-building error occurs and what steps to take to solve it. 

You may also be interested in



About the Authors

Anto's editorial team loves the cloud as much as you! Each member of Anto's editorial team is a Cloud expert in their own right. Anto Online takes great pride in helping fellow Cloud enthusiasts. Let us know if you have an excellent idea for the next topic! Contact Anto Online if you want to contribute.

Support the Cause

Support Anto Online and buy us a coffee. Anything is possible with coffee and code.

Buy me a coffee



Leave a Reply

Your email address will not be published. Required fields are marked *