An error occurs when an application running on the JVM calls an API whose URL starts with https.
[Error message] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[Error summary] class javax.net.ssl.SSLHandshakeException
[Where the error occurred]
Alerts.java[192] sun.security.ssl.Alerts.getSSLException
SSLSocketImpl.java[1949] sun.security.ssl.SSLSocketImpl.fatal
Handshaker.java[302] sun.security.ssl.Handshaker.fatalSE
Handshaker.java[296] sun.security.ssl.Handshaker.fatalSE
ClientHandshaker.java[1509] sun.security.ssl.ClientHandshaker.serverCertificate
The TLS certificate of the API server has not been imported into the JVM's trust store (cacerts).
Import the API server's TLS certificate into the JVM's trust store
There are many articles that describe manually downloading the API server's certificate and importing it with keytool. With the following tool, the whole procedure can be completed on the command line on the server where you want to run the API.
https://github.com/escline/InstallCert
# cd /usr/local/src
# git clone https://github.com/escline/InstallCert
# cd InstallCert
# javac InstallCert.java
The part described as [HOST] is the domain of the API server.
The part described as [CACERT_PATH] is the full path of the keystore file (cacerts). For example, /usr/java/jdk1.8.0_211-amd64/jre/lib/security/cacerts.
# java InstallCert [HOST]:443
# keytool -exportcert -alias [HOST]-1 -keystore jssecacerts -storepass changeit -file [HOST].cer
# keytool -importcert -alias [HOST] -keystore [CACERT_PATH] -storepass changeit -file [HOST].cer
Check the certificate installed in the keystore. If it is displayed, the installation is successful.
# keytool -list -keystore [CACERT_PATH] | grep [HOST]
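InstallCert stores whatever certificate the server presents at connection time, so the exported [HOST].cer should be compared with a SHA-256 fingerprint obtained from the API provider through a separate channel before the importcert step. The following is an added example, not part of InstallCert or of the original procedure; the function names are hypothetical and the expected fingerprint is supplied by the operator.

```shell
#!/bin/sh
# Added example: import a certificate only if its SHA-256 fingerprint
# matches a value obtained out-of-band. Function names are hypothetical.

# Reduce a fingerprint to upper-case hex digits only.
# Accepts colon-separated or plain hex, optionally preceded by a label
# that ends in whitespace or '=' (e.g. keytool's "SHA256: AB:CD:...").
normalize_fp() {
    printf '%s' "$1" \
        | sed -e 's/[[:space:]]*$//' -e 's/^.*[=[:space:]]//' \
        | tr -d -c '0-9A-Fa-f' \
        | tr 'a-f' 'A-F'
}

# Succeeds only when both values are the same 64-hex-digit fingerprint.
fp_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA256 fingerprint line that keytool reports for a certificate file.
cert_sha256() {
    keytool -printcert -file "$1" | grep 'SHA256:' | head -n 1
}

# usage: import_if_verified CERT_FILE ALIAS KEYSTORE EXPECTED_FP
# Fails closed: an unreadable file or a missing keytool yields an empty
# fingerprint, which never matches.
import_if_verified() {
    actual=$(cert_sha256 "$1")
    if fp_match "$actual" "$4"; then
        keytool -importcert -noprompt -alias "$2" -keystore "$3" \
            -storepass changeit -file "$1"
    else
        echo "fingerprint mismatch for $1: not importing" >&2
        return 1
    fi
}
```

In the procedure above this replaces the plain keytool -importcert call, with [HOST].cer, [HOST] and [CACERT_PATH] as the first three arguments.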