By: Max Anderson Account Admin 14 Sep 2017 at 5:13 p.m. CDT

8 Responses
I had this working in 3.0.1 but I'm trying to move to 3.1.0. I'm having issues and it seems like a self signed cert issue, but I imported the cert (the right one I believe) like I did in the 3.0.1 version and I'm getting this PKIX error.

```
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://mydomain/oxauth/authorize": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

I'm assuming I have the wrong cert imported but I did the same steps as I've done before. This is what is coming from the web response:

```
Thu Sep 14 16:55:16 CDT 2017
There was an unexpected error (type=Internal Server Error, status=500).
I/O error on POST request for "https://mydomain/oxauth/authorize": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

By Aliaksandr Samuseu staff 14 Sep 2017 at 5:45 p.m. CDT

Hi, Max.

> org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://mydomain/oxauth/authorize": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

You also need to put your self-signed certificate into a file under `/etc/certs/`, and specify the path to it in the corresponding script's property. Have you done it as well?

Please also check `oxauth_script.log` for any clues.

By Michael Schwartz Account Admin 15 Sep 2017 at 12:03 p.m. CDT

Yura, can you take a quick look at this issue?

By Michael Schwartz Account Admin 15 Sep 2017 at 12:04 p.m. CDT

Max, can you show a screenshot of the cert imported to your cacerts keystore?

By Max Anderson Account Admin 15 Sep 2017 at 1:42 p.m. CDT

```
*******************************************
Alias name: sso001.<ourdomain>.com
Creation date: Sep 14, 2017
Entry type: trustedCertEntry

Owner: CN=Max Anderson, OU=<ourdomain>, O=DM, L=Eden Prairie, ST=MN, C=US
Issuer: CN=Max Anderson, OU=<ourdomain>, O=DM, L=Eden Prairie, ST=MN, C=US
Serial number: 69f20aec
Valid from: Tue Jun 06 15:55:15 CDT 2017 until: Fri Jun 04 15:55:15 CDT 2027
Certificate fingerprints:
     MD5: 1E:8A:4F:C6:F2:81:56:5E:BA:26:47:E1:1C:2C:F1:97
     SHA1: 63:CD:69:9A:17:FA:C4:7B:8D:4E:13:D5:15:C6:6D:1D:94:4A:1D:6E
     SHA256: D5:F2:1F:B0:3E:5B:5A:2C:56:42:5A:09:50:1E:62:39:5F:5E:2A:5E:09:3B:C7:CE:4E:F4:74:41:68:75:2B:C3
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7E 97 1B D9 7C 7A 71 14 FF F6 06 AE 7D C5 76 DD .....zq.......v.
0010: E2 6B 05 64 .k.d
]
]
*******************************************
```

By Max Anderson Account Admin 15 Sep 2017 at 1:43 p.m. CDT

I also added my local p12 (exported the crt file) key to the /etc/certs directory in Gluu.

By Yuriy Movchan staff 18 Sep 2017 at 8:34 a.m. CDT

Hi Max,

All Gluu services listen on localhost and use apache2 as a proxy. Apache2 is listening on the external IP. Hence we need to change the httpd cert first.

Can you check `/etc/apache2/sites-available/https_gluu.ssl.conf`? These 2 lines should point to your SSL cert:

```
SSLCertificateFile /etc/certs/httpd.crt
SSLCertificateKeyFile /etc/certs/httpd.key
```

After editing these lines, please restart the apache2 service. Also, please make sure that your client uses the same certs too.

Regards,
Yuriy
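A way to check the point above, that the client's truststore must hold the same certificate Apache serves (added example, not part of the original thread or Gluu's own code): it compares the SHA-256 fingerprint of the served certificate with the entries of a `keytool -list -v` listing. The listing is excerpted from the keytool output posted earlier in this thread; the function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import re
import ssl

# Excerpt of the `keytool -list -v` output posted in this thread (domain redacted there).
KEYTOOL_LISTING = """\
Alias name: sso001.<ourdomain>.com
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: D5:F2:1F:B0:3E:5B:5A:2C:56:42:5A:09:50:1E:62:39:5F:5E:2A:5E:09:3B:C7:CE:4E:F4:74:41:68:75:2B:C3
"""

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, formatted the way keytool prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def trusted_fingerprints(listing: str) -> dict:
    """Map each alias in a `keytool -list -v` listing to its SHA256 fingerprint."""
    result, alias = {}, None
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        m = re.match(r"SHA256:\s*((?:[0-9A-F]{2}:){31}[0-9A-F]{2})$", line)
        if m and alias:
            result[alias] = m.group(1)
    return result

def served_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the TLS endpoint presents, without validating it."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def trusting_aliases(der: bytes, listing: str) -> list:
    """Aliases whose trusted certificate is exactly the served certificate."""
    fp = fingerprint(der)
    return [a for a, v in trusted_fingerprints(listing).items() if v == fp]

if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate.
    # Against a live server, use served_der("mydomain") instead.
    sample = b"constructed-placeholder-certificate"
    matches = trusting_aliases(sample, KEYTOOL_LISTING)
    print(fingerprint(sample))
    print(matches or "served certificate is not in the truststore")
```

For a self-signed certificate like the one in this thread, an empty result means the truststore holds a different certificate than the one Apache presents, which is the condition behind the PKIX error. With a CA-issued certificate the truststore would hold the issuer instead, so this exact-match check does not apply.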

By Max Anderson Account Admin 20 Sep 2017 at 10:57 a.m. CDT

Thanks for that info Yuriy. That got me to the next issue, that wasn't happening before. I'm no longer getting the PKIX error, but now I'm getting stuck on a somewhat blank page.

```
https://mydomain/oxauth/login?response_type=code&client_id=@!91C9.0534.D806.A1BB!0001!CD22.9B15!0008!85FE.875A.051F.4445&scope=profile%20email&state=IJ8z3V&redirect_uri=https://localhost:8443/login
```

Seems like a config issue on my end but not sure what I'm missing here.

By Michael Schwartz Account Admin 25 Sep 2017 at 11:51 a.m. CDT

PKIX issue was resolved.