Recaptcha PKIX Error

[Tom Martin]

Hi folks,

We started seeing a PKIX certificate error which appears to be related to recaptcha:

5057 ERROR_SERVICE_UNREACHABLE (error while making http request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

We imported three certificates into tomcat's keystore:

www.recaptcha.net

www.google.com

www.gstatic.com

We then restarted the servers, and the error persisted.  The servers and java versions are fairly recent, so I wouldn't expect it to necessarily be root cert related, though I don't know that for sure.  

Another though I had would be to toggle the certificate chain setting from "Root Certificate Only" to "Entire Certificate Chain".  Would that help?

Appreciate any advice,

Thanks!

[Tom Martin]

Forgot the most important part of the error:

5032 ERROR_CAPTCHA_API_ERROR (unexpected error during reCaptcha API execution: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target))

Thanks!

[Eduardo Pastrana]

Hi Tom, did you finally solve this?

Ed

[Jason Rivard]

Importing google's certs should not required.  There are only two likely reasons this would happen.  1) your using a truly ancient java build with ancient cacerts, 2) there is a proxy/firewall between the PWM server that is presenting a bogus certificate.

[Lec D Maj]

This error resulted from google changing certificates for www.recaptcha.net and there being multiple certificates available. By default openssl does not provide all certificates. JAVA code was written by our colleague to connect multiple times over port 443 to try to get all the certificates that are present. Once they are retrieved they were added to keystore. This resolved the issue.