Fixing the error: Unable to Connect to SSL Services due to PKIX Path Building Failed

Java applications that send mail or read a mail inbox often run into the error Unable to Connect to SSL Services due to PKIX Path Building Failed.

Here is how to fix it :D

Problem - why does this happen!
Attempting to access applications that are encrypted with SSL (for example HTTPS, LDAPS, IMAPS) throws an exception and the connection is refused. This can happen when attempting to establish a secure connection to any of the following:
  • Active Directory server
  • Mail server 
  • Another Atlassian application using Application Links
For example, the following error appears in the UI when Using the JIRA Issues Macro:
Error rendering macro: java.io.IOException: Could not download: https://siteURL/jira/secure/IssueNavigator.jspa?view=rss&&type=12&type=4&type=3&pid=10081&resolution=1&fixfor=10348&sorter/field=issuekey&sorter/order=DESC&sorter/field=priority&sorter/order=DESC&tempMax=100&reset=true&decorator=none
While the following appears in the logs:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)

========= Solve - follow the steps below one by one ========

The easiest way, in detail:

Obtain and Import the Server's Public Certificate

  1. Download and install Portecle.
  2. Ensure the <JAVA_HOME> variable is pointing to the same version of Java that your application uses. See our Setting JAVA_HOME docs for further information on this.
    If running on a Linux/UNIX server, X11 will need to be forwarded when connecting to the server (so you can use the GUI), as below:
    ssh -X user@server
  3. Select the Examine menu and then click Examine SSL/TLS Connection.
  4. Enter the SSL Host and Port of the target system.
  5. Wait for it to load, then select the public certificate and click on PEM.
  6. Export the certificate and save it.
  7. Go back to the main screen and select the Open an existing keystore from disk option, select cacerts (for example $JAVA_HOME/lib/security/cacerts), then enter the password (the default is changeit).
  8. Select the Import a trusted certificate into the loaded keystore button.
  9. Select the certificate that was saved in step 6 and confirm that you trust it, giving it an appropriate alias (e.g.: confluence).
    1. You may hit this error: 
    2. If so, hit OK, and then accept the certificate as trusted.
  10. Save the Key Store to disk.
  11. Restart your application.
  12. Test that you can connect to the host. Good luck!
Another approach if the above fails

Add SSL Certificates automatically!
Check and use one of the approaches below!
  1. Make sure you have imported the public certificate of the target instance into the truststore according to the Connecting to SSL Services instructions.
  2. Make sure any certificates have been imported into the correct truststore; you may have multiple JRE/JDKs. See Installing Java for this.
  3. Check to see that the correct truststore is in use. If -Djavax.net.ssl.trustStore has been configured, it will override the location of the default truststore, which will need to be checked.
  4. Check if your Anti Virus tool has "SSL Scanning" blocking SSL/TLS. If it does, disable this feature or set exceptions for the target addresses (check the product documentation to see if this is possible).
  5. If connecting to a mail server, such as Exchange, ensure authentication allows plain text.
  6. Verify that the target server is configured to serve SSL correctly. This can be done with the SSL Server Test tool.

Source: confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html