Exception PKIX path building failed WITH trusted and installed certificate

che paskat
Greenhorn
Posts: 4
Hi all,

I am trying to call out to a FedEx web tracking web service (link: https://ws.fedex.com:443/web-services/track) from my application but my log returns the following exception:



If I navigate to the site via my browser the certificate shows as trusted. I double-checked my cacerts file in Java and the certificate is listed there as well. What's strange is that I can do this call on an almost identical Mac OSX server and the call works just fine. All Java settings on both machines (both working and non-working) match completely along with all certificates installed in the cacerts file.

Any ideas?
Roger Sterling
Ranch Hand
Posts: 426
Eclipse IDE Fedora Linux
The OS browser and JVM truststores are not the same file. You need to import the proper certificates into your JVM truststore.

http://docs.oracle.com/cd/E19509-01/820-3503/ggfgo/index.html

Check that your root CA in your Java truststore has not expired.

Note that your keystore and truststore files are absolutely not the same, and your Java code and JRE configuration should never point to the same file for each. Keystores have different purposes than truststores. Rookie developers sometimes try to cheat the configuration by pointing their JRE config to the same file.
che paskat
Greenhorn
Posts: 4
How can I check to see that my root CA in my Java truststore has not expired?

I know how to access and list all installed certificates in my keystore via the keytool -list -v -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home/jre/lib/security/cacerts command, but I'm not sure how to do this so I can list the certs for my truststore.

Thanks!
Roger Sterling
Ranch Hand
Posts: 426
Eclipse IDE Fedora Linux

che paskat wrote:How can I check to see that my root CA in my Java truststore has not expired?

I know how to access and list all installed certificates in my keystore via the keytool -list -v -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home/jre/lib/security/cacerts command, but I'm not sure how to do this so I can list the certs for my truststore.

Thanks!

Note that cacerts.jks is your truststore and identifies what web sites you trust. keystore.jks is your keystore and identifies your site to all others.

Your command above is using the -keystore flag on cacerts which is incorrect.

Normally, you will have three or more certs that must be imported to your truststore for each site you want to access. You need the root cert, one or more mid-level certs, and the leaf-level cert from FedEx. If you're only importing the FedEx cert, then you are likely missing the mid- or root-level certs, or they are expired.

If keytool is not meeting your needs, you might like to try ikeyman. Free download.

Have you set the password in your JRE so your JRE can access the truststore?
che paskat
Greenhorn
Posts: 4

Roger Sterling wrote:Note that cacerts.jks is your truststore and identifies what web sites you trust. keystore.jks is your keystore and identifies your site to all others.

Your command above is using the -keystore flag on cacerts which is incorrect.

Normally, you will have three or more certs that must be imported to your truststore for each site you want to access. You need the root cert, one or more mid-level certs, and the leaf-level cert from FedEx. If you're only importing the FedEx cert, then you are likely missing the mid- or root-level certs, or they are expired.

If keytool is not meeting your needs, you might like to try ikeyman. Free download.

Have you set the password in your JRE so your JRE can access the truststore?

I'm still not sure how I am supposed to access my truststore so I can see which certificates I do in fact have installed.
I haven't set a password, so I imagine it's set to a default password.

Secondly, how can I find which certs need to be installed in the truststore? All I've been doing is pulling from the website via the browser, as I previously described.

Lastly, I have an identical server on which this FedEx web service works. Is there a way I could copy the truststore from that machine and install it on the non-working machine?
Roger Sterling
Ranch Hand
Posts: 426
Eclipse IDE Fedora Linux
1. I'm referring to the password you have set inside the JRE. Have you set it? If not, your JRE is unable to access the truststore.
2. You need to look at the cert's authority and make sure you have the complete chain in your truststore. Root -> Mid -> Leaf.
3. Yes, you can copy truststore files between systems; if the OS differs, pay attention to the binary flag on your FTP session.
che paskat
Greenhorn
Posts: 4
How would I go about copying an existing truststore file over to another server? I couldn't seem to find any literature on this. Also, how can I list the existing certificates in the truststore? You mentioned I was using the wrong command, so which exactly would be the correct one?
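The script below is an added example and not part of this thread; it collects the checks the questions above ask for. Facts it relies on: keytool has only one option for naming the file it operates on, -keystore, so the same option is used whether the file is a truststore (cacerts) or a keystore; the JDK ships cacerts with the password changeit; the JVM reads the truststore named by -Djavax.net.ssl.trustStore (and -Djavax.net.ssl.trustStorePassword) and otherwise falls back to cacerts; scp is a binary-safe copy. The truststore path and the host come from the posts, and the keytool-style listing embedded in sample_listing is constructed here so the expiry check can run offline; its aliases and dates are invented. The chain FedEx actually serves is not on this page, so server_chain fetches it live rather than guessing it.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a JVM truststore while chasing
# "PKIX path building failed". Assumes keytool/openssl/scp on PATH, the stock
# cacerts password "changeit", and the path and host from the original post.
set -u

TRUSTSTORE="${TRUSTSTORE:-/Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"
HOST="${HOST:-ws.fedex.com}"
PORT="${PORT:-443}"

# 1. List the truststore. keytool names the file with -keystore whether it
#    holds private keys (a keystore) or trusted CAs (a truststore).
list_truststore() {
    keytool -list -v -keystore "$1" -storepass "$STOREPASS"
}

# 2. Read a "keytool -list -v" listing on stdin and print the alias of every
#    entry whose "until:" date is before today (UTC). Pure awk, so it also
#    works on a listing saved from another machine.
expired_aliases() {
    awk -v today="$(date -u +%Y%m%d)" '
        /^Alias name:/ { alias = substr($0, index($0, ":") + 2) }
        /^Valid from:/ {
            s = substr($0, index($0, "until: ") + 7)   # "Sat Nov 18 00:00:00 UTC 2031"
            n = split(s, f, " ")
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[2]) + 2) / 3
            key = f[n] * 10000 + m * 100 + f[3]         # YYYYMMDD; year is the last field
            if (key < today) print alias
        }'
}

# Constructed sample listing (invented aliases and dates) so the check above
# can be exercised without a JDK present.
sample_listing() {
    cat <<'EOF'
Alias name: oldroot
Entry type: trustedCertEntry
Owner: CN=Old Root CA
Issuer: CN=Old Root CA
Valid from: Sat Jan  1 00:00:00 UTC 2005 until: Fri Dec 31 23:59:59 UTC 2010

Alias name: goodroot
Entry type: trustedCertEntry
Owner: CN=Good Root CA
Issuer: CN=Good Root CA
Valid from: Sat Nov 18 00:00:00 UTC 2006 until: Sat Nov 18 00:00:00 UTC 2031
EOF
}

# 3. Fetch the chain the server presents and print subject/issuer of each
#    certificate. The issuer of the last one is the root that must be in the
#    truststore; anything between it and the leaf is an intermediate.
server_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
      | openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
      | openssl pkcs7 -print_certs -noout
}

# 4. Import a missing CA certificate (PEM) into the truststore.
#    import_ca <alias> <pem-file> <truststore>
import_ca() {
    keytool -importcert -noprompt -trustcacerts -alias "$1" -file "$2" \
            -keystore "$3" -storepass "$STOREPASS"
}

# 5. Copy the truststore from the working server. scp is binary-safe, so there
#    is no ASCII/binary mode to get wrong. The listing afterwards confirms the
#    file opens with the expected password.
#    copy_truststore <user@working-host> <remote-path> <local-path>
copy_truststore() {
    scp "$1:$2" "$3" && keytool -list -keystore "$3" -storepass "$STOREPASS" | head -n 3
}

case "${1:-}" in
    demo)  sample_listing | expired_aliases ;;                # offline: prints "oldroot"
    check) list_truststore "$TRUSTSTORE" | expired_aliases
           server_chain "$HOST" "$PORT" ;;
esac
```

Run it as `sh pkixcheck.sh check` on the failing server, then compare `server_chain` output with the `Owner:` lines from `list_truststore`: the root (or an intermediate) in the served chain must appear in the truststore, and the leaf certificate alone is not enough. If the truststore looks right, start the JVM with `-Djavax.net.debug=ssl:handshake` to see which truststore file it actually opened and which CA it could not find, since a JVM launched with a different -Djavax.net.ssl.trustStore, or a different JDK, will not be reading the cacerts file you inspected. Copying a truststore from the working machine is a valid fix, but list it first so you know exactly which CAs you are importing.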