The “PKIX path building failed” error is common when establishing a secure connection over SSL/TLS. It typically occurs when the client’s truststore does not contain the root or intermediate certificate needed to validate the server’s SSL certificate.
What Causes the Error
- Missing or expired root or intermediate certificates in the truststore
- Incorrect truststore configuration
- Mismatched SSL certificate on the server
- Incorrect URL or IP address used to connect to the server
How to Fix the Error
- Verify the SSL certificate on the server
- Obtain the necessary root and intermediate certificates
- Configure the truststore correctly
- Ensure the correct URL or IP address is used when connecting to the server
Code Example: Java
```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreExample {
    public static void main(String[] args) throws Exception {
        String trustStoreFile = "/path/to/truststore.jks";
        char[] trustStorePassword = "password".toCharArray();

        // Load the truststore holding the trusted root and intermediate certificates.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStoreFile)) {
            trustStore.load(in, trustStorePassword);
        }

        // Create trust managers that validate server certificate chains against it.
        TrustManagerFactory trustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

        // Use these trust managers for TLS connections that rely on the default SSLContext.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustManagers, null);
        SSLContext.setDefault(sslContext);
    }
}
```
Common Solutions
- Updating the truststore to include the necessary root and intermediate certificates
- Disabling SSL certificate validation (not recommended for production environments, since the client then accepts any certificate)
- Verifying the SSL certificate details on the server to ensure they match the expected values
- Checking the URL or IP address being used to connect to the server
Troubleshooting Tips
- Check the server’s SSL certificate to ensure it is valid and not expired
- Verify the root and intermediate certificates are included in the truststore
- Ensure the truststore is configured correctly and the correct password is being used
- Try connecting to the server using a different URL or IP address to rule out any network issues
Code Example: Python
```python
import ssl
import socket

context = ssl.create_default_context()

# Disable certificate validation (not recommended for production environments)
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

# Connect to the server
conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname='www.example.com')
conn.connect(('www.example.com', 443))
```
Best Practices
- Keep the truststore up to date with the latest root and intermediate certificates
- Verify the SSL certificate details on the server before establishing a secure connection
- Regularly check for and resolve any SSL certificate issues on the server
- Use a tool such as OpenSSL to test the SSL connection to the server
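To see the missing-intermediate cause in isolation, the following added example (not part of the original page) uses OpenSSL to create a constructed root, intermediate and server certificate offline and checks which trust configurations allow a path to be built. The function names, file names and CN values are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Function names, file names and CN values are constructed for this demo.

build_chain() {  # $1 = empty working directory; creates root -> intermediate -> server cert
  ( cd "$1" &&
    cat > ca.cnf <<'EOF' &&
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed root CA.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj "/CN=Constructed Root CA" -days 30 &&
    # Intermediate CA, signed by the root.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout int.key -out int.csr -subj "/CN=Constructed Intermediate CA" &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -out int.pem -days 30 &&
    # Server certificate, signed by the intermediate.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj "/CN=www.example.com" &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -out leaf.pem -days 30 &&
    cat root.pem int.pem > root-and-int.pem
  ) >/dev/null 2>&1
}

# Succeeds only if a path can be built from the server cert ($2) to a CA in the
# trust file ($1); $3 optionally holds intermediates sent by the server.
# On failure OpenSSL reports "unable to get local issuer certificate".
verify_with() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

report() {  # $1 = label, remaining arguments are passed to verify_with
  label=$1; shift
  if verify_with "$@"; then echo "$label: path built"; else echo "$label: path building failed"; fi
}

WORK=$(mktemp -d) && build_chain "$WORK" || { echo "chain setup failed" >&2; exit 1; }
report "root only in truststore"           "$WORK/root.pem" "$WORK/leaf.pem"
report "root + intermediate in truststore" "$WORK/root-and-int.pem" "$WORK/leaf.pem"
report "root only, server sends chain"     "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem"
rm -rf "$WORK"
```

For a Java truststore, the corresponding fix is to import the missing certificate, for example with `keytool -importcert -alias <alias> -file int.pem -keystore /path/to/truststore.jks`.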
Conclusion
The “PKIX path building failed” error can be caused by various factors such as missing or expired root and intermediate certificates, incorrect truststore configuration, and incorrect URL or IP address used to connect to the server. By verifying the SSL certificate on the server, obtaining the necessary root and intermediate certificates, configuring the truststore correctly, and ensuring the correct URL or IP address is used, this error can be resolved. The Java code example above demonstrates how to configure the truststore.