Fixing Java HTTPS connection behind Internet proxy causes SSLHandshakeException


We often need to do development behind a corporate proxy and during development. Most of us use java-based tools like Gradle, Maven, and Eclipse for the development which needs to access HTTPS-based repositories on the internet or some HTTPS-REST API from Java code. During the execution of Java code or Maven or Gradle build we get the exception SSLHandshakeException as given below.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
at SampleJavaURLTest.main(SampleJavaURLTest.java:116)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 11 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
... 17 more

This exception occurs due to the use of a self-signed certificate on proxy servers, as Java code is not able to verify this certificate. The same error will occur in the case of accessing HTTPS resources configure using a self-signed certificate.

The same error will occur in web browsers also if the root CA certificate is not added to the trusted store.

To resolve this error we can either disable cert validation by java run time argument or programmatically or add the used root CA certificate to Java trusted certificate store.

Adding a CA certificate to the java cert store can be done in several ways using keytool utility of Java SDK. You can refer keytool (oracle.com).

Using command-line options is time-consuming, I will recommend using KeyStore Explorer (keystore-explorer.org) GUI tool to do this.

Steps to import root CA certificate to java Trusted CA store

1- Find the CA certificate, if you don’t have that certificate then you can do this by using Chrome or Edge web browser. Just open URL in the browser and export CA certificate. Make sure to export in base64 format. Check this video to export the certificate.

Exporting SSL certificate using a web browser

2- Determine the used java path if you have more than one version installed, or optionally you can add the certificate to all Java installations.

3- Run the Keyexplorer tool after downloading from KeyStore Explorer – Download (keystore-explorer.org) you can download the appropriate installer or zip version. Run kes file exe or jar and import certificate into cacerts file of java. It can be found in the following typical location C:\Program Files\Java\jdk-18.0.1.1\lib\security

You can refer following video to do this

This will solve problems for that domain. For each domain, you need to do this.


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.