The “PKIX path building failed” error is common when establishing a secure connection over SSL/TLS. It typically occurs when the client’s truststore does not contain the root or intermediate certificate needed to build a chain from the server’s SSL certificate to a trusted certificate.

What Causes the Error

  • Missing or expired root or intermediate certificates in the truststore
  • Incorrect truststore configuration
  • Mismatched SSL certificate on the server
  • Incorrect URL or IP address used to connect to the server

How to Fix the Error

  1. Verify the SSL certificate on the server
  2. Obtain the necessary root and intermediate certificates
  3. Configure the truststore correctly
  4. Ensure the correct URL or IP address is used when connecting to the server

Code Example: Java

import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreExample {

  public static void main(String[] args) throws Exception {

    String trustStoreFile = "/path/to/truststore.jks";
    char[] trustStorePassword = "password".toCharArray();

    // Load the truststore that holds the root and intermediate certificates
    KeyStore trustStore = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(trustStoreFile)) {
      trustStore.load(in, trustStorePassword);
    }

    // Build trust managers backed by that truststore
    TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(trustStore);

    // Use those trust managers for TLS connections
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, trustManagerFactory.getTrustManagers(), null);

    // The server's chain is validated against the truststore during connect();
    // if no trusted path exists, the handshake fails with "PKIX path building failed"
    HttpsURLConnection conn =
        (HttpsURLConnection) URI.create("https://www.example.com/").toURL().openConnection();
    conn.setSSLSocketFactory(sslContext.getSocketFactory());
    conn.connect();
    conn.disconnect();
  }
}

Common Solutions

  • Updating the truststore to include the necessary root and intermediate certificates
  • Disabling SSL certificate validation (not recommended for production environments)
  • Verifying the SSL certificate details on the server to ensure they match the expected values
  • Checking the URL or IP address being used to connect to the server

Troubleshooting Tips

  1. Check the server’s SSL certificate to ensure it is valid and not expired
  2. Verify the root and intermediate certificates are included in the truststore
  3. Ensure the truststore is configured correctly and the correct password is being used
  4. Try connecting to the server using a different URL or IP address to rule out any network issues

Code Example: Python

import socket
import ssl

context = ssl.create_default_context()

# Disable certificate validation (not recommended for production environments).
# The connection is still encrypted, but the server's certificate and
# hostname are no longer checked.
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

# Connect to the server; the TLS handshake runs inside connect()
conn = context.wrap_socket(socket.socket(socket.AF_INET),
                           server_hostname='www.example.com')
conn.connect(('www.example.com', 443))
conn.close()

Best Practices

  • Keep the truststore up to date with the latest root and intermediate certificates
  • Verify the SSL certificate details on the server before establishing a secure connection
  • Regularly check for and resolve any SSL certificate issues on the server
  • Use a tool such as OpenSSL to test the SSL connection to the server
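
The missing-intermediate cause listed above can be reproduced offline with OpenSSL, which reports it as "unable to get local issuer certificate" where Java reports "PKIX path building failed". This is an added example, not code from the original page; the lab CA names, app.lab.example, and all file and function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: throwaway lab PKI (root -> intermediate -> leaf).
# All names, hosts and files here are constructed for the demo.
set -eu

make_lab_pki() {  # $1 = existing empty directory
  (
    cd "$1"
    cat > lab.cnf <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:app.lab.example
EOF
    # Self-signed root: the only certificate the client trusts at first.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config lab.cnf \
      -extensions ca -subj "/CN=Lab Root CA" -keyout root.key -out root.pem
    # Intermediate CA signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config lab.cnf \
      -subj "/CN=Lab Intermediate CA" -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -extfile lab.cnf -extensions ca -out int.pem
    # Server (leaf) certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config lab.cnf \
      -subj "/CN=app.lab.example" -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 30 -extfile lab.cnf -extensions leaf -out leaf.pem
  ) >/dev/null 2>&1
}

# $1 = trusted bundle (plays the truststore), $2 = leaf certificate,
# $3 = optional untrusted intermediates, as a server would send them.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
  else
    openssl verify -CAfile "$1" "$2" 2>&1
  fi
}

LAB=$(mktemp -d); make_lab_pki "$LAB"
cat "$LAB/root.pem" "$LAB/int.pem" > "$LAB/trust.pem"
verify_leaf "$LAB/root.pem" "$LAB/leaf.pem" || true         # 1) fails: no path to the root
verify_leaf "$LAB/trust.pem" "$LAB/leaf.pem"                # 2) intermediate added to trust
verify_leaf "$LAB/root.pem" "$LAB/leaf.pem" "$LAB/int.pem"  # 3) intermediate sent with chain
```

For a Java truststore, the equivalent of case 2 is importing the intermediate, for example `keytool -importcert -alias lab-intermediate -file int.pem -keystore /path/to/truststore.jks` (the alias is a made-up name).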

Conclusion

The “PKIX path building failed” error can be caused by various factors such as missing or expired root and intermediate certificates, incorrect truststore configuration, and an incorrect URL or IP address used to connect to the server. By verifying the SSL certificate on the server, obtaining the necessary root and intermediate certificates, configuring the truststore correctly, and ensuring the correct URL or IP address is used, this error can be resolved. The Java code example above demonstrates how to configure the truststore.
