Thursday, April 19, 2012

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Few days back I have worked in one payment gateway integration project in ColdFusion 9 and we have delivered that successfully but after 8 months the client called us and said that there is some issue in the Payment gateway and he has not changed a single line of code. He sent us the following error message:

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".

After some research I found that the issue was due to the SSL validation error in the web service call of the Payment gateway:

These are the steps which I followed to recover from that issue:

  1. Browse the SSL enabled url(wsdl url from web service) from the FireFox.
  2. Click the extreme left of your browser URL address bar to view the SSL certificate.As shown below.     
  3. Click on "More Information" button as shown below.                                                                          
  4. Click on "View Certificate" button as shown below.                                                                            
  5. Click on "export" button as shown below.
  6.  
  7. Save the file in some location then change the extension of the file to ".cer" from any other extension.
  8. Copy the file into “{ColdFusion-Root}\runtime\jre\lib\security” .
  9. Open your command prompt then go to "{ColdFusion-Root}\runtime\jre\lib\security".
  10. Run the following command:
  11. "keytool -import -keystore cacerts -alias <any Unique Name> -file <fileName>.cer"
  12. Enter the password: "changeit"(This is the default password and it will not be visible to the user while typing)
  13. Then you will get one confirm message in command prompt type "Yes".
  14. After that you will get one message :"Certificate was added to keystore".

After the above steps restart your ColdFusion Server. Then the web service will work.

35 comments:

  1. Replies
    1. Thanks but have a question:
      Keytool is not a recognized command how to run it?

      Delete
    2. It seems your bin path is not set in environment variable. Keytool present in "C:\Program Files\Java\jdk1.7.0_11\bin"(This is in my machine, may be different for you). You have to set up this path in environment then it will work.

      Delete
    3. Thanks for your response, I runned this command:
      C:\JRun4\jre\bin>keytool -import -keystore cacerts -alias any_name -file c:\JRun4\jre\lib\security\some_name.cer
      but when i restart my server the problem wans't solve ¿i've missed something? please i need help

      Delete
    4. If you are facing the problem "Keytool is not a recognized command". Then see whether "Keytool" is present in that particular directory or not. If it not there then please install a latest jre or jdk in your machine then you can use "Keytool" of that.

      If your getting some different error then please give me details.

      Delete
    5. Keytool is present in c:\JRun4\jre\bin the command executed succesfully but the error:
      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
      continue throwing

      Delete
    6. I need some time to replicate the issue on my development box.

      Please provide me following details :
      1. Which version of ColdFusion. Is it Single Server or Multi server installation.
      2. If possible please provide me the Web Service URL.

      Delete
    7. My coldfusion server: ColdFusion 9 Multi-server installation
      Web Service: https://www.multimerchantvisanet.com/WSPasarelaVisa/ValidaPost.asmx?wsdl

      Delete
    8. The cert is on the cert-store but the problem now is that my server is not consuming the webservice response, any suggestion?

      Delete
    9. Sorry!!! I couldn't able to see the issue in my local development machine. Also I am using a single instance installation not mullti server.

      Delete
    10. I'm running ColdFusion 10; added the certificate to the keystore but still get the message "Error: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.".

      When I run the SOAP request over HTTP is working correct, over HTTPS it doesn't...

      I'm working with a Self-Signed Certificate, is this a problem?

      Delete
    11. Yes, I think so. You have to install your ssl certificate in your cf server.

      Delete
  2. This was very helpful, thanks for posting! Great work. Easy to understand and follow your steps.

    ReplyDelete
  3. Replies
    1. Roul = did you see my email about part time cold fusion programming on projects here in the US?

      Delete
  4. When you say : "After the above steps restart your ColdFusion Server. Then the web service will work"
    It is good to understand that it means restart the server and not only the deployment (e.g in Weblogic)

    ReplyDelete
    Replies
    1. Yes, I mean the application server.

      Delete
  5. Upendra, do you know the steps to take for this issue in Cold Fusion 10?

    ReplyDelete
    Replies
    1. Hi Mike,

      Can you check the above steps in "{ColdFusion 10 Root}\jre\lib\security\" directory.

      Delete
  6. Excellent article, and a life-saver!

    So the obvious question is... how/why did this exception come up after months of not showing up? We had the same experience- no single line of code change, all transactions working fine, and all of a sudden, this appeared!

    ReplyDelete
    Replies
    1. This was likely because of some change in the certificate itself.

      Delete
  7. Very nice, thank you! Do note that this solution only works on Windows, here is the solution for those with CF on a Mac:

    1. instead of going to {ColdFusion-Root}\runtime\jre\lib\security, go to /Library/Java/Home/lib/security to place your certificate. You will be prompted to enter the computer's admin password.

    2. instead of running the command:
    keytool -import -keystore cacerts -alias -file .cer,

    enter this command from Terminal:

    sudo keytool -import -keystore cacerts -alias -file .cer

    Notice the "sudo" in the beginning so that you run this command as the Admin.

    ReplyDelete
  8. Do you only need the web service cert of the entire cert chain from CA to webservice?

    ReplyDelete
    Replies
    1. Not getting you exactly. Can you please explain.

      Delete
  9. After "Certificate was added to keystore",I am getting an error as java.io.FileNotFoundException:cacarts

    ReplyDelete
    Replies
    1. If you can provide exact stack trace then it would be easier to find out cause of the issue.

      Delete
  10. Last 3 lines on command prompt are as :
    Trust this certificate?
    certificate are added to key store
    keytool error:java.io.FileNotFoundException:cacarts(Access is denied)

    ReplyDelete
    Replies
    1. It seems a directory access permission issue. Make sure where your cert file present you have provided enough permission.

      Delete
  11. Any ideas how to apply this to ColdFusion 11 on Server 2012? Is it ColdFusion11\jre\lib\security?

    ReplyDelete
    Replies
    1. For CF11 got to {ColdFusion Root}\jre\bin\ and follow the process.

      Delete
  12. If you are trying to call web services in CF 11 (and maybe 10 but check that yourself), CF expects the web service or any CFHTTP call to use the WebSocket Service and port 8577 in a standard setup. This is because the WebSocket Services have been optimized for web services and CFHTTP also uses WebService Sockets. I run CF 11 on my IIS server and port 8577 is blocked by a firewall. When I tried to connect, it sends back "I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" for CFHTTP and web services. It would seem like it requires adding custom certificates to the CACERT for JRE but that is not the solution for me. There is a simple fix to get this running with IIS (at least IIS) if you do not want to unblock the WebSocket Service and you don't need that performance to run natively. All you have to do is go in to the CF Admin dashboard and change the WebSocket Service to "Use Proxy". Restart the CF ApplicationServer service and it should work just fine. If these directions are not perfect I apologize but it will lead you to get it working.

    ReplyDelete
  13. If you need your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (no matter why you broke up) you need to watch this video
    right away...

    (VIDEO) Want your ex CRAWLING back to you...?

    ReplyDelete

Followers