Platform-client-sdk-java: unable to find valid certification path

I was trying to run the sample code for "Client Credentials OAuth flow" at "GitHub - MyPureCloud/platform-client-sdk-java: Java platform client SDK". I do have a valid OAuth client ID and secret when executing "ApiResponse authResponse = apiClient.authorizeClientCredentials(clientId, clientSecret)".

However, no matter where I located my cacerts path in eclipse.ini (with -vmargs arguments) or in Eclipse "Debug Configuration > Arguments tab > VM arguments", it always throws "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error.

Do I need Genesys Cloud sort of trusted CA and import to my cacerts to pass com.mypurecloud.sdk.v2.ApiClient?

Hi James,

It has been a while since I have had to deal with cert issues, but usually, the error you are getting is related to the fact that the cert you are trying to access is not available in your local CA store. Since this is often particular to the user's machine, I suggest you take a look at this article to see if this helps you resolve the issue.

Thanks,
John Carnell
Director, Developer Engagement

John, following the article saying "If you can access the HTTPS URL in your browser then it is possible to update Java to recognize the root CA", I was trying to access https://api.usw2.pure.cloud/ but it returns "HTTP 404 Not Found" error code. I was unable to find the server's primary root CA via HTTPS certificate chain.

Hi James,

If you click the link to the left of the URL (assuming you are using Chrome) you should be able to see if the cert is good. The 404 is being returned by the endpoint but the certificate on the endpoint is there.

Thanks,
John

John, I imported the api.usw2.pure.cloud root cert to my cacerts but I still get the same error. The SSL handshake trace shows as follows:

adding as trusted cert:
Subject: CN=usw2.pure.cloud
Issuer: CN=SSL-SG1-GLOBAL, OU=Operations, O=Cloud Services, C=US
Algorithm: RSA; Serial number: 0x4243534eb383b501c8cd2835000000002f86c880
Valid from Fri Aug 18 18:00:00 MDT 2023 until Sun Sep 15 17:59:59 MDT 2024

......

*** ClientHello, TLSv1.2
RandomCookie: GMT: 1712632706 bytes = { 214, 27, 174, 200, 151, 112, 106, 61, 104, 174, 184, 104, 155, 198, 45, 71, 93, 245, 133, 37, 178, 33, 129, 42, 222, 107, 44, 200 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=login.usw2.pure.cloud]

.......

*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=usw2.pure.cloud
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
modulus: 25504895182933834258799120051813693651091688562298423379857679506847161098736411212633289907657246081177936152823111847034522644765736871328850702204560016918022483471989941823851944662095027762669735664407663038978603212203225280526778814036256508899424139064398212123521099593539195052740455221328939684322839551009452155770181888465396882769852035950583041535662334291397089207505475287205623893449661539670551080154922622406863762794456901514794075829469921229362237959528565881856872764662899156987121333272702186329190613370331380301810210579464815002916755509135066262219227293325182052720083076619695028273713
public exponent: 65537
Validity: [From: Fri Aug 18 18:00:00 MDT 2023,
To: Sun Sep 15 17:59:59 MDT 2024]
Issuer: CN=SSL-SG1-GLOBAL, OU=Operations, O=Cloud Services, C=US
SerialNumber: [ 4243534e ee951fd8 17734fee 00000000 4b905675]

.......

%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

John, I exported the server cert to "PKCS #7" format and it works this time.

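Added example, not part of the original posts and not SDK code: a small parser for the javax.net.debug lines quoted in the trace above, comparing the certificate that was added to the trust store with the one the server presented. The sample text is abridged from the thread; the function names are made up for this example, and the check matches names and serial numbers only (it does not verify signatures).

```python
import re

# Abridged from the javax.net.debug trace posted in this thread.
TRACE = """\
adding as trusted cert:
Subject: CN=usw2.pure.cloud
Issuer: CN=SSL-SG1-GLOBAL, OU=Operations, O=Cloud Services, C=US
Algorithm: RSA; Serial number: 0x4243534eb383b501c8cd2835000000002f86c880
*** Certificate chain
chain [0] = [
Subject: CN=usw2.pure.cloud
Issuer: CN=SSL-SG1-GLOBAL, OU=Operations, O=Cloud Services, C=US
SerialNumber: [ 4243534e ee951fd8 17734fee 00000000 4b905675]
"""
FIELDS = {"subject": r"^Subject:\s*(.+)", "issuer": r"^Issuer:\s*(.+)",
          "serial": r"Serial\s?[Nn]umber:\s*(.+)"}

def norm_serial(text):
    """Normalise '0x42ab..' and '[ 4243534e ee95.. ]' to bare lowercase hex."""
    return re.sub(r"\s+", "", re.sub(r"^0x", "", text.strip(" []").lower()))

def parse_trace(trace):
    """Return (trusted, presented): lists of dicts with subject/issuer/serial."""
    trusted, presented, current = [], [], None
    for line in map(str.strip, trace.splitlines()):
        if line.startswith("adding as trusted cert"):
            trusted.append(current := {})
        elif re.match(r"chain \[\d+\] = \[", line):
            presented.append(current := {})
        elif current is not None:
            for key, pattern in FIELDS.items():
                m = re.search(pattern, line)
                if m:
                    current.setdefault(key, m.group(1).strip())
    return trusted, presented

def diagnose(trace):
    """Classify each presented cert by name/serial match against the trust store."""
    trusted, presented = parse_trace(trace)
    exact = {(c.get("issuer"), norm_serial(c.get("serial", ""))) for c in trusted}
    subjects = {c.get("subject") for c in trusted}
    def classify(c):
        if (c.get("issuer"), norm_serial(c.get("serial", ""))) in exact:
            return "trusted-entry"      # this very certificate is in the store
        return "issuer-trusted" if c.get("issuer") in subjects else "no-anchor"
    return [classify(c) for c in presented]

if __name__ == "__main__":
    print(diagnose(TRACE))
```

For the posted trace the result is no-anchor: the imported certificate and the presented one share a subject and issuer but carry different serial numbers, and no trusted entry has the issuer's name as its subject. A trust store entry for the issuing CA, which a chain export such as PKCS #7 can carry alongside the leaf, is what would give the validator an anchor.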

Hi James,

I am glad you sorted it out. Cert-related issues can be extremely opaque to debug. Whenever I run into cert-related problems, I always feel like C-3PO in the original Star Wars movie.

John
