PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Issue
The following error message appears in the Unified Agent logs and the scan finishes with exit code SERVER_FAILURE (-5):
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause
This is a common error message reported by the Java Virtual Machine. It occurs when the Java environment does not have a valid CA certificate path to the HTTPS server and therefore cannot verify that it is a valid website. This is a Java-specific error and is not reported by other technologies.
Solution
Downloading the certificate
First, you will need to retrieve the certificate. To do that, follow these steps:
Open an HTTPS connection to the relevant URL (e.g. https://www.example.com/ or https://saas.whitesourcesoftware.com/) in the browser
Press F12 to access the browser’s Developer Tools
Go to the ‘Security’ tab
Click ‘View certificate’
In the Certificate details window, go to the ‘Details’ tab
Click ‘Export’
Make sure the file format is: ‘Base64-encoded ASCII, single certificate (*.pem, *.crt)’
Name the file: Windows: ‘whitesourcesoftware.com.crt’ (Mac OS: ‘whitesourcesoftware.com.cer’)
Adding the certificate to your keystore
Note:
The location of Java and/or the JDK can vary depending on your initial install location. If you have the JDK installed, your JAVA_HOME variable is set to the jdk* directory, and not the jre* directory. Please use the same Java version that is accessed when you run the “java” command.
Once the certificate file has been created, open a command-line window.
Navigate to your Java installation directory. Make sure that this is the same version of Java that is being accessed when running the “java” command; otherwise, the certificate will not be recognized. From there, navigate to lib → security under this directory. Make sure that the cacerts keystore is in this directory.
Execute the following command to import the certificate into the cacerts keystore:
For Windows:
keytool -import -noprompt -trustcacerts -alias http://www.example.com -file "C:\Path\to\www.example.com.crt" -keystore cacerts
For Mac OS (the path is left unquoted so that the shell expands ~):
keytool -import -noprompt -trustcacerts -alias http://www.example.com -file ~/path/to/www.example.com.cer -keystore cacerts
Note:
You will be prompted to provide the cacerts keystore password. The default password for cacerts is 'changeit'.
Note:
If the system cannot find the keytool command, you may need to use a JDK version and make sure that the JDK binary path is added to your PATH environment variable.
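The two things this procedure depends on (a Base64 export holding a single certificate, and the cacerts of the Java that the "java" command actually runs) can be checked before importing. The following is an added example, not part of the original article or the vendor's tooling; the function names are hypothetical and it assumes a POSIX shell (Mac OS, Linux, or Git Bash on Windows).

```shell
#!/bin/sh
# Added example: checks to run before the keytool import. Not vendor code.

# Read `java -XshowSettings:properties -version` output on stdin and print
# java.home, i.e. the installation the "java" command really runs from.
java_home_from_settings() {
    sed -n 's/^[[:space:]]*java\.home = //p' | head -n 1
}

# Print the cacerts path under a Java home. JDK 8 keeps it in
# jre/lib/security; a JRE 8 and Java 9+ keep it in lib/security.
find_cacerts() {
    for rel in lib/security/cacerts jre/lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Succeed only if the export is Base64 (PEM) text holding exactly one
# certificate; a binary DER export or a whole chain fails the check.
is_single_pem_cert() {
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)" = 1 ] &&
        [ "$(grep -c '^-----END CERTIFICATE-----' "$1" 2>/dev/null)" = 1 ]
}

# Report for one exported file: usable format, and which cacerts to import into.
preimport_check() {
    is_single_pem_cert "$1" || { echo "not a single PEM certificate: $1" >&2; return 1; }
    home=$(java -XshowSettings:properties -version 2>&1 | java_home_from_settings)
    store=$(find_cacerts "$home") || { echo "no cacerts under: $home" >&2; return 1; }
    echo "import into: $store"
}

# Run the check only when a certificate file is passed as an argument.
if [ "$#" -ge 1 ]; then
    preimport_check "$1"
fi
```

If the reported cacerts path is not the one you imported into, the certificate went into a different Java installation than the one the "java" command uses.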
Additional Troubleshooting
If following the steps above does not resolve the issue, you may need to tell Java to use the keystore location that you imported the certificate into. To do this, add the following flag when running the Unified Agent:
-Djavax.net.ssl.trustStore=C:\<path\to\store>
So the full command would look something like this:
java -Djavax.net.ssl.trustStore=C:\<path\to\store> -jar ~/wss-unified-agent.jar -c wss.config ...