Bms270

PKIX path building failed

Hi,

When our app makes a callout to an external webservice over SSL, we get the following exception:

System.CalloutException: IO Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This doesn't happen with a regular HTTP callout. Our certificate is NOT expired on the target server and everything seems to be normal. No alert or anything from the browser.

Any idea?

Thanks,

P.S. We need to resolve this for security review.

Message Edited by Bms270 on 05-14-2009 07:17 PM
Message Edited by Bms270 on 05-14-2009 07:19 PM
Best Answer chosen by Admin (Salesforce Developers)
Bms270

My problem is solved! There are two things to check:

1. Check to make sure you have imported your certificate to your Java keystore.

2. Check to make sure you have all your certificate bundle files installed in your Apache webserver.

There is a Java class "SSLPoke.class" which you can download here:

(class) http://confluence.atlassian.com/download/attachments/180292346/SSLPoke.class?version=1&modificationDate=1236556489366

(src) http://confluence.atlassian.com/download/attachments/180292346/SSLPoke.java?version=1&modificationDate=1236556497004

And here's how to use it:

java SSLPoke localhost 443

It simply connects to an SSL service, sends a byte of input, and watches the output. For instance, connecting to a local HTTPS server on port 443 (the HTTPS default) with an untrusted (self-signed) certificate.

If you get "successfully connected" then you are good; otherwise you need to check the above items I mentioned.

For more information please see the link below:

http://confluence.atlassian.com/display/CONFKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException

Thanks,

All Answers

Superfell

It looks like your server cert is not signed by a root cert that is in the sfdc list of trusted certs. (The list is on the wiki somewhere.)

Bms270

Thanks for the reply, but my cert is signed by "Starfield Technologies, Inc.", which should be listed. I'll check that list.

Thanks

Bms270

I found it in the list, here's the link:

http://wiki.developerforce.com/index.php/Outbound_Messaging_SSL_CA_Certificates#Entry:_starfieldclass2ca

Any other possible issue?

patros

This solution seems geared toward a Java/Apache environment. We're experiencing this same issue when trying to connect to a Windows server from Apex. Does anyone know how to resolve the issue in a Windows environment?

jhartfiel2

I am having the same problem, Patros. We have a WFC webservice set up on one of our servers. We have a certificate through GoDaddy and the service works great when called through a browser, but we get the ".. unable to find valid certification path to requested target..." thrown by our Apex code when we try to connect. When set up to use regular HTTP it works fine.

Patros, did you ever figure this out?

Dan123

I am having the exact problem but using a Windows server. Any updates, jhartfiel2 or Patros?

Thank you, Dan

jhartfiel2

Dan123,

After opening a case with SF, it turns out that the issue was on our side of things. When our certificates got installed, there were intermediate certificates that apparently did not get installed and are required. After we followed the GoDaddy installation procedure again they got installed and everything worked fine.

Dan123

Here is our answer for anyone else who has this problem:

Since we are using a load balancer, this requires 4 certs to be installed in a specific order. It turns out the certs were installed in the wrong order. Once the order was corrected the error went away and everything worked.

angelibarra

It is really good news that you got this resolved, thanks for sharing your results. We are also facing a similar scenario with GoDaddy's cert and a load balancer.

Additionally, could you please tell us the order and the 4 certificates you needed to fix it?

Much appreciated,

Dan123

When we purchased the cert we received multiple certs that can be installed. When you are not using a load balancer you do not need to install all of them. Since we are using the load balancer we needed to install all of them on the load balancer. They were originally installed in the incorrect order, which caused our issue. The certs themselves were all in one file, and the order they were in the file was how we successfully installed them. I wish I could give you more information but that is all I know.
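
Added example, not part of any post in this thread: the two failures described in the replies above (a server that does not present its intermediate certificate, and a bundle with the certificates in the wrong order), reproduced offline with the openssl CLI. The throwaway chain, the CN values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Builds a constructed root -> intermediate -> leaf chain in a scratch directory.
make_chain() {  # $1 = empty scratch directory
  d=$1
  cat >"$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$d/demo.cnf" -extensions ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for n in int leaf; do   # key + CSR for the intermediate CA and the server (leaf)
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # The root signs the intermediate as a CA; the intermediate signs the leaf.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/demo.cnf" -extensions ca -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Validate the leaf the way a client that trusts only the root would.
# $1 = directory, $2 = optional PEM file of intermediates the server presented.
verifies_leaf() {
  openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} "$1/leaf.pem" 2>&1 |
    grep -q ': OK$'
}

# Succeeds when every certificate in bundle $1 is issued by the one after it
# (leaf first, then each intermediate in turn).
chain_in_order() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = substr($0, 9); if (n++ && s != iss) bad = 1 }
         /^issuer=/  { iss = substr($0, 8) }
         END { exit bad + 0 }'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
cat "$work/leaf.pem" "$work/int.pem" >"$work/good.pem"      # leaf, then its issuer
cat "$work/int.pem" "$work/leaf.pem" >"$work/swapped.pem"   # same certs, wrong order
verifies_leaf "$work"                 || echo "root only: no path to a trusted root"
verifies_leaf "$work" "$work/int.pem" && echo "root + intermediate: OK"
chain_in_order "$work/good.pem"       && echo "good.pem: in order"
chain_in_order "$work/swapped.pem"    || echo "swapped.pem: out of order"
```

Against a real endpoint, `openssl s_client -connect host:443 -showcerts` prints the certificates the server actually sends; saved to a file, they can be passed to `chain_in_order`.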

Vanessa Barros

Hi! Can you help with doing that?

Is it something you do in Salesforce, or do you have to install it on your PC?

merchant Dev

Hi Developers,

I'm using a Salesforce site that is making a callout to another server and posting variables to it. The site was working well, submitting and getting an XML request. I didn't set up any certificates or anything.
However, this morning (4/11) I suddenly started getting this PKIX certificate error!

Is this something to do with the other server or a Salesforce issue? I've read around and I can't really grasp what changed between Fri and Monday.

Do I have to buy a certificate? Do I really need it? Is it optional?

"sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Thanks!

Vanessa Barros

Did you update the certificate on the server?

PrasannaBits

Hi,

I have the same error when making an HTTP POST request from one of my Apex classes. The endpoint I send the request to is signed by GeoTrust, and it is in the list of CA providers Salesforce accepts. I have the public key from the endpoint. I tried your suggestion with SSLPoke:

java SSLPoke <external_server> 443 - unable to find valid certification path to requested target

java -Djavax.net.ssl.trustStore=cacerts SSLPoke <external_server> 443 - Connection successful

How do I import this certificate I have, or add this truststore to Salesforce?

Thanks

Prasanna

Sunny Ghataura

Hi,

I am using a wildcard certificate with HAProxy and get the same error; however, my wildcard certificate is issued by Comodo.

Using SSLPoke:
java SSLPoke <external_server> 443

The connection is successful.

Does anyone have any experience of using a wildcard cert with Salesforce and HAProxy?

Regards

Sunny

Kiran kumar.K

I have faced the same issue: SSL certificate validation error. Finally we got it resolved. It is an issue with the client server firewall. It is not allowing the Salesforce URL (site URL), so we got it whitelisted in all those firewall servers. Then it is working fine without any errors.
Please check with your client IT team for this error.
Or it might be an error with the certification, as it might not be configured properly, or with its validation.