unable to find valid certification path to requested target - could Salesforce be caching certs?
Hi,
I know similar questions on this have been asked before, but just in case someone has an answer.
I am making SOAP callouts from asynchronous code and it was all working fine until the certs expired on the server I was calling.
The certs were replaced, but now I get the following error:
Failed to loginSystem.CalloutException: IO Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Is it possible that Salesforce is caching the cert somewhere?
I tried deleting the remote site in the security controls and recreating it, but it made no difference.
The guy in charge of the server I am calling has come back with this:
I checked the following link: http://wiki.developerforce.com/index.php/Outbound_Messaging_SSL_CA_Certificates
Our certificate was signed by the following root certificate: COMODO High-Assurance Secure Server CA
Which in turn was signed by AddTrust External CA Root
This I can find in the list: http://wiki.developerforce.com/index.php/Outbound_Messaging_SSL_CA_Certificates#addtrustexternalca
The values seem to match, so the certificate should be recognised fine.
All Answers
It sounds like your SSL endpoint didn't get configured properly when you deployed the new cert. We only trust Root CA certs in the platform, and it's up to your server to send any required intermediate CA certs during the SSL handshake.
If you configure your endpoint to send the intermediate certs your problem should just go away.
Hi,
this problem is back again - the error is System.CalloutException: IO Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
But only in production - it works fine in the sandbox.
Which to me indicates that the problem is at the Salesforce end.
What's the URL you're trying to connect to? I'll check it out for you.
thanks, the endpoint is:
https://www.visorsoftware.com/visor/accountsiq/dashboard/integration/integration_1_1.asmx
Your SSL Endpoint is mis-configured. You need to include your intermediate CA cert.
You can see that you're not sending the intermediate if you run "openssl s_client -showcerts -connect www.visorsoftware.com:443"
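Added example, not part of the original thread: a shell function that reads the "Certificate chain" section of `openssl s_client -showcerts` output and reports whether the presented chain walks back to a root the client trusts. The function name, the sample output and the example DNs are constructed for illustration, and matching is by DN string only (no signature verification).

```shell
#!/bin/sh
# chain_status ROOT_DN
# Reads `openssl s_client -showcerts` output on stdin and prints one of:
#   complete | missing-intermediate | broken-order | no-chain
# ROOT_DN is the subject DN of a root the client trusts (assumed known).
chain_status() {
    TRUSTED_ROOT="$1" awk '
        # " 0 s:<subject>" starts a new certificate in the presented chain.
        /^ *[0-9]+ s:/   { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        # "   i:<issuer>" is the issuer of the certificate just seen.
        /^ *i:/ && n > 0 { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no-chain"; exit }
            # Each certificate must be issued by the next one presented.
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) { print "broken-order"; exit }
            # The last presented cert must be the trusted root or issued by it.
            root = ENVIRON["TRUSTED_ROOT"]
            if (subj[n] == root || iss[n] == root) print "complete"
            else print "missing-intermediate"
        }'
}

# Constructed sample: the server sends only its own certificate.
leaf_only() { cat <<'EOF'
Certificate chain
 0 s:/C=US/O=Example Ltd/CN=www.example.com
   i:/C=US/O=Example CA Inc/CN=Example Intermediate CA
EOF
}

# Constructed sample: the server also sends the intermediate CA cert.
with_intermediate() { cat <<'EOF'
Certificate chain
 0 s:/C=US/O=Example Ltd/CN=www.example.com
   i:/C=US/O=Example CA Inc/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA Inc/CN=Example Intermediate CA
   i:/C=US/O=Example CA Inc/CN=Example Root CA
EOF
}

ROOT='/C=US/O=Example CA Inc/CN=Example Root CA'
leaf_only | chain_status "$ROOT"
with_intermediate | chain_status "$ROOT"
# Against a live endpoint (host is a placeholder):
#   openssl s_client -showcerts -connect host:443 </dev/null 2>/dev/null | chain_status "$ROOT"
```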
thanks - why does it work with the sandbox?
In my testing from sandbox, it doesn't. This is what we see from every one of our sandboxes.
got Exception : javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Remote server's SSL/TLS configuration has one or more errors or warnings
The server's hostname, www.visorsoftware.com, exists in the supported set from the certificate: visorsoftware.com, and www.visorsoftware.com
Error: No certificates in the chain are trusted by Salesforce.com's list of trusted certificate authority certificates
Remote Server Certificate Chain
Valid between 4/2/2012 9:15:19 AM PDT and 7/4/2013 11:00:30 AM PDT
Issuer: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
I am going to gibber quietly in a corner.
This code worked last Wednesday in the sandbox, and only failed when I switched to production to demo it to the customer.
But now, as you pointed out, it fails in the sandbox.
Is the problem that Salesforce don't trust GeoTrust?
We do trust GeoTrust Root CAs - we likely don't trust the Intermediate CA cert that was used to sign your server cert. It's your responsibility to configure your SSL Endpoint to include the Intermediate CA cert in the cert chain that is presented during the SSL handshake, so that we can walk the chain back to a trusted root. At the moment you're only exposing your server's cert, and not the intermediate CA. I suspect this is the issue.
Many thanks for the help.
The other cloud provider switched servers between me testing with the sandbox and switching to production.
The new server had missed an SSL update from GeoTrust.
Fixed now.
http://stringclass.blogspot.in/2015/07/troubleshooting-salesforce.html
2) Preferences box prompt out, choose “Network Connections”.
3) Select “Manual” from Action Provider drop down list..Host and proxy values
I have the same problem, with the following error: System.CalloutException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Do you have a solution, please?
Hi Filikin, and thanks for your answer, how did you solve the problem?