SDL WorldServer - Error 'WorldServer API not available' in New UI and 'Unable to find valid certification path to requested target' in WorldServer logs.

« Go Back

Information

Article Type	Solution Article

Scope/Environment	SDL WorldServer

Symptoms/Context

After updating the certificate in CACERTs I received error WorldServer API not available in the new UI only (Legacy UI is fine) and stack trace in logs.

Error message in idiomrun-stderr.xxx.log

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:619)
    ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 32 more

Resolution

The following steps need to be done to resolve issue. This may be different for others but provide useful information for checking.

World Server API Issue

1. Check CACERTS
Example

keytool -list keystore "W:\Program Files\Idiom\WorldServer\jre\jre\lib\security\cacerts"

2. Add Logging to Tomcat/java startup service. Turning on logging in general.properties alone did not provide any information

In WorldServer\tomcat\bin\catalina.bat
Example

set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=ssl:handshake

-Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore

3. From the debug logs, found that WorldServer was looking at JSSEcacerts (rather than cacerts)

4. Exported JSSEcacerts and found that it had the wrong and expired certificate which was causing issues

keytool -list keystore "W:\Program Files\Idiom\WorldServer\jre\jre\lib\security\cacerts"

5. Removed any incorrect certificates

keytool -delete -alias <name> -keystore "<wrong path>"

6. Added the correct certificate

Example

keytool -importkeystore -srckeystore "xxxx.pfx" -srcstoretype pkcs12 -destkeystore "W:\Program Files\Idiom\WorldServer\jre\jre\lib\security\cacerts" -deststoretype jks

7. Restarted Idiom Service and API issue was removed and logs no longer showed SSL issues.

Root Cause

As indicated by error message: unable to find valid certification path to requested target. The error message did not specify the incorrect path or provide further detail.

Reference

This article is also relevant:

WorldServer - Unable to login to WorldServer following upgrade to 11.x - WorldServer API not available!

Attachment 1

Attachment 2

Attachment 3

Attachment 4

Attachment 5