HAPI Client - SSL Handshake Exception connecting with FHIR endpoint

649 views

Skip to first unread message

Avinash Shanbhag

unread,

Nov 30, 2016, 5:35:07 PM11/30/16

to HAPI FHIR, James Agnew, Michele Mottini

Hi HAPI team:

While using HAPI DSTU2 1.4 Client API to connect to following FHIR Endpoint below, I am getting "Invalid Certificate Exception", stack trace pasted further down.

In the past when I have encountered this issue, this has been typically due to self-signed certs not having authorized root CA or some other invalid cert. But, I confirmed with the FHIR Sever team from CareEvaluation (Michele, copied here) that they are using a valid cert from GoDaddy CA authority.

I have no problem calling the /metadata from the browser. It only fails when the call is made thru the HAPI API.

Curious, if others have encountered similar issue and if there are easy ways to overcome it.

Thanks in advance

Avinash

FHIR Endpoint:

https://fhir.careevolution.com/Master.Adapter1.WebClient/api/fhir

Stack trace:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)

at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)

at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275)

at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:254)

at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:123)

at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)

at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)

at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)

at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)

at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)

at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)

at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)

at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)

at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)

at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)

at org.avinash.fhirclientjs.authorization.access.AccessTokenProvider.processRequest(AccessTokenProvider.java:128)

at org.avinash.fhirclientjs.authorization.access.AccessTokenProvider.post(AccessTokenProvider.java:98)

at org.avinash.fhirclientjs.authorization.access.AccessTokenProvider.getAccessToken(AccessTokenProvider.java:78)

at org.avinash.fhirclientjs.authorization.controller.AuthorizationController.auth(AuthorizationController.java:140)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:606)

at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)

at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)

at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)

at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:749)

at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:689)

at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)

at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:938)

at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:870)

at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:961)

at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:852)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)

at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)

at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)

at sun.security.validator.Validator.validate(Validator.java:260)

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)

... 62 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)

at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)

... 68 more

inside Routes

Inside [allPatients] method!

Calling [allpatients] with bean: FhirQueryBean [url=https://fhir.careevolution.com/Master.Adapter1.WebClient/api/fhir, resource=null, id=, auth=true, launch=null]

2016-11-30 17:17:39.373 INFO 819 --- [nio-8000-exec-4] c.u.f.r.c.i.LoggingInterceptor : Client request: GET https://fhir.careevolution.com/Master.Adapter1.WebClient/api/fhir/metadata HTTP/1.1

2016-11-30 17:17:39.373 INFO 819 --- [nio-8000-exec-4] c.u.f.r.c.i.LoggingInterceptor : Client request headers:

User-Agent: HAPI-FHIR/1.4 (FHIR Client)

Accept-Charset: utf-8

Accept-Encoding: gzip

Accept: application/xml+fhir;q=1.0, application/json+fhir;q=1.0

ca.uhn.fhir.rest.client.exceptions.FhirClientConnectionException: Failed to retrieve the servers metadata statement during client initialization. URL used was: {0}

at ca.uhn.fhir.rest.client.RestfulClientFactory.validateServerBase(RestfulClientFactory.java:321)

at ca.uhn.fhir.rest.client.RestfulClientFactory.validateServerBaseIfConfiguredToDoSo(RestfulClientFactory.java:223)

at ca.uhn.fhir.rest.client.BaseClient.invokeClient(BaseClient.java:191)

at ca.uhn.fhir.rest.client.GenericClient$BaseClientExecutable.invoke(GenericClient.java:647)

at ca.uhn.fhir.rest.client.GenericClient$SearchInternal.execute(GenericClient.java:1821)

at ca.uhn.fhir.rest.client.GenericClient$SearchInternal.execute(GenericClient.java:1719)

at org.avinash.fhirclientjs.dao.PatientInfoProvider.queryResurce(PatientInfoProvider.java:133)

at org.avinash.fhirclientjs.dao.PatientInfoProvider.buildPatientInfo(PatientInfoProvider.java:79)

at org.avinash.fhirclientjs.dao.FhirDAO.getAllPatients(FhirDAO.java:242)

at org.avinash.fhirclientjs.api.FhirQueryController.fhirAllPatients(FhirQueryController.java:190)