Recaptcha PKIX Error


Tom Martin

Jun 4, 2021, 7:39:50 PM
to pwm-general
Hi folks,

We started seeing a PKIX certificate error which appears to be related to recaptcha:

5057 ERROR_SERVICE_UNREACHABLE (error while making http request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

We imported three certificates into tomcat's keystore:

We then restarted the servers, and the error persisted.  The servers and java versions are fairly recent, so I wouldn't expect it to necessarily be root cert related, though I don't know that for sure.  

Another thought I had would be to toggle the certificate chain setting from "Root Certificate Only" to "Entire Certificate Chain".  Would that help?

Appreciate any advice,
Thanks!

Tom Martin

Jun 4, 2021, 7:45:31 PM
to pwm-general
Forgot the most important part of the error:

5032 ERROR_CAPTCHA_API_ERROR (unexpected error during reCaptcha API execution: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target))

Thanks!

Eduardo Pastrana

Sep 16, 2022, 12:56:36 PM
to pwm-general
Hi Tom, did you finally solve this?

Ed

Jason Rivard

Sep 16, 2022, 2:58:11 PM
to pwm-general
Importing Google's certs should not be required.  There are only two likely reasons this would happen.  1) you're using a truly ancient java build with ancient cacerts, 2) there is a proxy/firewall between the PWM server that is presenting a bogus certificate.

Lec D Maj

Apr 21, 2025, 1:32:25 PM
to pwm-general
This error resulted from Google changing certificates for www.recaptcha.net and there being multiple certificates available. By default openssl does not provide all certificates. Java code was written by our colleague to connect multiple times over port 443 to try to get all the certificates that are present. Once they were retrieved, they were added to the keystore. This resolved the issue.
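A diagnostic for the two causes discussed in this thread, as an added example that is not code from any of the posters or from PWM: it records the certificate chain the server (or an intercepting device) presents and reports whether the JVM's default trust store accepts it, without disabling validation. The class name `ChainCheck` is hypothetical; it assumes a direct outbound connection on port 443 and must be run with the same JVM that runs Tomcat/PWM.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Added diagnostic example (not PWM code). Class name is hypothetical.
public class ChainCheck {
    // Wraps the JVM's default trust manager: validation stays on, the chain is only recorded.
    static class Recorder implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] seen = new X509Certificate[0];
        Recorder(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            seen = chain;                                  // keep what was presented
            delegate.checkServerTrusted(chain, authType);  // then validate as usual
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "www.recaptcha.net"; // host named in the thread
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = JVM default trust store (cacerts or javax.net.ssl.trustStore)
        Recorder rec = new Recorder((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rec }, null);
        String verdict = "TRUSTED by this JVM's default trust store";
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.setSoTimeout(10000);
            s.startHandshake();
        } catch (SSLHandshakeException e) {
            verdict = "REJECTED: " + e.getMessage(); // same PKIX failure PWM reports
        }
        for (int i = 0; i < rec.seen.length; i++) {
            X509Certificate c = rec.seen[i];
            System.out.println("[" + i + "] subject: " + c.getSubjectX500Principal().getName());
            System.out.println("    issuer:  " + c.getIssuerX500Principal().getName());
            System.out.println("    expires: " + c.getNotAfter());
        }
        System.out.println(verdict);
    }
}
```

A rejected chain whose issuers are an internal or appliance CA points to the proxy/firewall case; a rejected chain issued by a public CA points to an outdated trust store in that JVM.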