Help with error "sun.security.validator.ValidatorException: PKIX path building failed:" even though certificate is present in JDK and $JAVA_HOME is set correctly


David King

Oct 23, 2018, 5:14:48 PM
to OpenRefine
Hoping someone can help. Trying to use OpenRefine to fetch data, for example https://mapit.mysociety.org/nearest/4326/-1.151886883,53.20483606.json

I'm getting the error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Followed the documentation on https://github.com/OpenRefine/OpenRefine/wiki/Troubleshooting:-Fetching-data-from-URLs and it seems the certificate is present in the JDK and $JAVA_HOME is set correctly (entering $JAVA_HOME/bin/java -version gives me:

java version "11.0.1" 2018-10-16 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)

)


Does anyone know what the problem might be?

Owen Stephens

Oct 24, 2018, 4:25:50 AM
to OpenRefine
It definitely seems likely that the problem is with the certificate (or some part of the chain) not being installed in the right cacerts file. Testing locally I don't get this error.

Could you provide some more information:

What operating system?
What version of OpenRefine?
When you say "it seems the certificate is present in the JDK", what steps have you done to check this?
Have you tried following the instructions for updating your cacerts using keytool? If so, what certificate did you add?

Thanks

Owen

David King

Oct 24, 2018, 4:39:44 AM
to openr...@googlegroups.com
I'm on macOS High Sierra 10.13.6
OpenRefine 3.0

To see if the certificate was present in the JDK, I followed http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html and dumped the cacerts file into a .txt, which seems to have the Root Certificate in there (excerpt below and file attached).

As it seemed to be there, I didn't use Keytool to add a certificate. Do you need more than just the Root certificate in cacerts?

*******************************************


Alias name: identrustdstx3 [jdk]
Creation date: 1 Dec 2017
Entry type: trustedCertEntry

Owner: CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial number: 44afb080d6a327ba893039862ef8406b
Valid from: Sat Sep 30 22:12:19 BST 2000 until: Thu Sep 30 15:01:15 BST 2021
Certificate fingerprints:
 SHA1: DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
 SHA256: 06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]



*******************************************

--
You received this message because you are subscribed to a topic in the Google Groups "OpenRefine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/openrefine/X1kEDG_8GbU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to openrefine+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
java_cacerts.txt

Owen Stephens

Oct 24, 2018, 4:58:16 AM
to OpenRefine
Hi David

The details of that certificate don't seem to me to match the ones on the mapit site (which you can examine by visiting the site in a browser and clicking the padlock icon to get the cert details).

Looking at the Lets Encrypt site I can see they say "... there are two certificates available that both represent our intermediate. One is signed by DST Root CA X3, and the other is signed by ISRG Root X1. The easiest way to distinguish the two is by looking at their Issuer field."

It looks to me like you have the one signed by DST Root CA X3 installed, but the mapit site uses the one signed by ISRG Root X1.
I think if you install the ISRG Root X1 signed cert from https://letsencrypt.org/certificates/ then you will get this working.

Owen 

David King

Oct 24, 2018, 6:04:13 AM
to openr...@googlegroups.com
Went to add the certificate, but keytool already had the certificate imported, as below.

Wondering if OpenRefine can't find the certs? Assume I have $JAVA_HOME set correctly? Used this guide http://www.sajeconsultants.com/how-to-set-java_home-on-mac-os-x/ and set it to

JAVA_HOME=$(/usr/libexec/java_home)
export JAVA_HOME;

*******************************************


Alias name: letsencryptisrgx1 [jdk]
Creation date: 1 Dec 2017
Entry type: trustedCertEntry

Owner: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Serial number: 8210cfb0d240e3594463e0bb63828b00
Valid from: Thu Jun 04 12:04:38 BST 2015 until: Mon Jun 04 12:04:38 BST 2035
Certificate fingerprints:
	 SHA1: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
	 SHA256: 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y......s.....X
0010: F6 E9 9B 6E                                        ...n
]
]



*******************************************

Owen Stephens

Oct 24, 2018, 6:07:46 AM
to openr...@googlegroups.com
Can you double check you are using the cacerts in the OpenRefine path (as mentioned in https://github.com/OpenRefine/OpenRefine/wiki/Troubleshooting:-Fetching-data-from-URLs#sunsecurityvalidatorvalidatorexception-pkix-path-building-failed).

OR (what I do):

Rather than using the Mac-specific version of OpenRefine, run the Linux version. It runs fine on Mac, although you have to start it from a terminal/command line. If you do this it should use your default cacerts.

Owen

Owen Stephens
Owen Stephens Consulting

David King

Oct 24, 2018, 6:42:52 AM
to openr...@googlegroups.com
So OpenRefine has its own JDK and certs? I dumped the cacerts into a .txt file (attached) which had ISRG Root X1 present but not DST Root CA X3! I copied DST Root CA X3 out of my keychain, converted it to .der and imported it using keytool:

keytool -import -alias mapit -keystore /Applications/OpenRefine.app/Contents/PlugIns/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security/cacerts -file /Users/djmk/Desktop/DSTRootCAX3.der

Now it works! 

Thank you for your help. Relieved to have it fixed, though a little confused about why a) OpenRefine doesn't just access the certs already in my system KeyChain and b) why the JDK in OpenRefine would be missing DST Root CA X3?

Will have to write up the process so I can replicate it if OpenRefine is missing any other certs.
java_cacerts_openrefine.txt
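The two things this thread turned on were (a) which cacerts file the running JVM actually reads (the system JDK versus the JDK bundled inside OpenRefine.app) and (b) whether that file holds the root the server's chain terminates in. The script below is an added example, not OpenRefine's or the JDK's own code: it parses the `keytool -list -v` layout David pasted, reports each expected root as present, missing or expired in a dumped store, and resolves the cacerts path under a given JAVA_HOME for both the JDK 8 (jre/lib/security) and JDK 9+ (lib/security) layouts. The sample dump is constructed from the entries quoted in the thread with the unused fields dropped; the function names, the ISO-date `now` parameter and the injectable `exists` hook are my own choices.

```python
"""Trust-anchor check over a `keytool -list -v` dump (the layout quoted in this
thread). Added example, not OpenRefine's or the JDK's code."""
import os
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the `keytool -list -v` layout; DNs, serials, dates and
# fingerprints are the ones quoted in the thread, other fields are omitted.
SYSTEM_JDK_DUMP = """\
Alias name: identrustdstx3 [jdk]
Owner: CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial number: 44afb080d6a327ba893039862ef8406b
Valid from: Sat Sep 30 22:12:19 BST 2000 until: Thu Sep 30 15:01:15 BST 2021
Certificate fingerprints:
\t SHA256: 06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39

*******************************************
*******************************************

Alias name: letsencryptisrgx1 [jdk]
Owner: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Serial number: 8210cfb0d240e3594463e0bb63828b00
Valid from: Thu Jun 04 12:04:38 BST 2015 until: Mon Jun 04 12:04:38 BST 2035
Certificate fingerprints:
\t SHA256: 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
"""
# Constructed stand-in for the bundled store David dumped: ISRG Root X1 only.
OPENREFINE_DUMP = SYSTEM_JDK_DUMP[SYSTEM_JDK_DUMP.index("Alias name: letsencryptisrgx1"):]

DST_ROOT = "CN=DST Root CA X3, O=Digital Signature Trust Co."
ISRG_ROOT = "CN=ISRG Root X1, O=Internet Security Research Group, C=US"


@dataclass
class TrustEntry:
    alias: str
    owner: str          # subject DN; equals the issuer DN for a self-signed root
    issuer: str
    sha256: str
    valid_until: datetime


FIELD = re.compile(r"^(Alias name|Owner|Issuer|Valid from):\s*(.*)$", re.M)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# keytool prints e.g. "Thu Sep 30 15:01:15 BST 2021"; the zone is the dumping
# JVM's local zone and is ignored here (hour-level accuracy is enough).
KEYTOOL_DATE = re.compile(r"\w{3} (\w{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) \w+ (\d{4})")


def parse_keytool_date(text):
    mon, day, hh, mm, ss, year = KEYTOOL_DATE.search(text).groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def parse_keytool_dump(text):
    """Split the dump into entries (each begins at 'Alias name:') and keep the fields a trust-anchor check needs."""
    entries = []
    for chunk in re.split(r"^(?=Alias name:)", text, flags=re.M):
        if not chunk.startswith("Alias name:"):
            continue  # leading empty piece before the first entry
        f = dict(FIELD.findall(chunk))
        sha = re.search(r"SHA256:\s*([0-9A-F:]+)", chunk)
        until = re.search(r"until:\s*(.*)$", f["Valid from"])
        entries.append(TrustEntry(
            alias=f["Alias name"].split(" [")[0],   # drop the " [jdk]" tag
            owner=f["Owner"], issuer=f["Issuer"],
            sha256=sha.group(1) if sha else "",
            valid_until=parse_keytool_date(until.group(1))))
    return entries


def find_anchor(entries, subject_dn):
    """Entry whose subject DN matches subject_dn (spacing around commas ignored)."""
    norm = lambda s: re.sub(r"\s*,\s*", ",", s.strip())
    return next((e for e in entries if norm(e.owner) == norm(subject_dn)), None)


def check_chain_roots(dump_text, chain_root_subjects, now=None):
    """Report each root DN a chain may end in as 'present', 'expired' or 'missing'.
    `now` is an ISO date string so the result can be pinned to a point in time."""
    entries = parse_keytool_dump(dump_text)
    at = datetime.fromisoformat(now) if now else datetime.now()
    status = {}
    for dn in chain_root_subjects:
        e = find_anchor(entries, dn)
        status[dn] = "missing" if e is None else ("expired" if at > e.valid_until else "present")
    return status


def locate_cacerts(java_home, exists=os.path.isfile):
    """cacerts a JVM rooted at java_home reads: JDK 9+ keeps it under lib/security,
    JDK 8 (the one inside OpenRefine.app here) under jre/lib/security."""
    for rel in ("lib/security/cacerts", "jre/lib/security/cacerts"):
        path = os.path.join(java_home, rel)
        if exists(path):   # injectable so the lookup can be tested without a JDK
            return path
    return None


if __name__ == "__main__":
    roots = [DST_ROOT, ISRG_ROOT]   # the two roots Let's Encrypt chains end in
    print("system JDK:", check_chain_roots(SYSTEM_JDK_DUMP, roots, now="2018-10-24"))
    print("OpenRefine:", check_chain_roots(OPENREFINE_DUMP, roots, now="2018-10-24"))
    print("cacerts in $JAVA_HOME:", locate_cacerts(os.environ.get("JAVA_HOME", "")))
```

To run it against a real store, produce the dump with `keytool -list -v -keystore <path-to-cacerts>` (the JDK default store password is `changeit`) and feed that text to `check_chain_roots`; pointing it at the bundled `/Applications/OpenRefine.app/Contents/PlugIns/.../jre/lib/security/cacerts` path from David's command is what would have shown DST Root CA X3 as missing before the import. The `expired` status is the caveat worth keeping: an anchor that is in the store but past its `until` date is just as useless for path building as one that is absent, and a dump taken years later would flag DST Root CA X3 (valid until September 2021) that way.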

Owen Stephens

Oct 24, 2018, 6:45:10 AM
to openr...@googlegroups.com
I'm not entirely clear why the Mac version uses a separate cacerts file, to be honest. I only found it out through investigation of a previous similar problem. It doesn't apply to OR on other operating systems.

Owen

Owen Stephens
Owen Stephens Consulting