Salesforce

Error 'WorldServer API not available' in New UI and 'Unable to find valid certification path to requested target' in WorldServer logs.

« Go Back
Information
Solution Article
SDL WorldServer
After updating the certificate in CACERTs I received error  WorldServer API not available in the new UI only (Legacy UI is fine) and stack trace in logs.

Error message in idiomrun-stderr.xxx.log
 
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:619)
    ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 32 more

 
As indicated by error message: unable to find valid certification path to requested target. The error message did not specify the incorrect path or  provide further detail.
The following steps need to be done to resolve issue. This may be different for others but provide useful information for checking.

World Server API Issue

1. Check CACERTS
Example
keytool -list keystore "W:\Program Files\Idiom\WorldServer\jre\jre\lib\security\cacerts"

2. Add Logging to Tomcat/java startup service. Turning on logging in general.properties alone did not provide any information

In WorldServer\tomcat\bin\catalina.bat
Example
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=ssl:handshake
-Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore

3. From the debug logs, found that WorldServer was looking at JSSEcacerts (rather than cacerts)

4. Exported JSSEcacerts and found that it had the wrong and expired certificate which was causing issues
keytool -list keystore "W:\Program Files\Idiom\WorldServer\jre\jre\lib\security\cacerts"

5. Removed any incorrect certificates
keytool -delete -alias <name> -keystore "<wrong path>"

6. Added the correct certificate

Example
keytool -importkeystore -srckeystore "xxxx.pfx" -srcstoretype pkcs12 -destkeystore "W:\Program Files\Idiom\WorldServer\jre\jre\lib\security\cacerts" -deststoretype jks

7. Restarted Idiom Service and API issue was removed and logs no longer showed SSL issues.
 
Attachments
 
 
 
 
 

Powered by