Salesforce

WorldServer - Error 'WorldServer API not available' in New UI and 'Unable to find valid certification path to requested target' in WorldServer logs.

Printable View
« Go Back

Information

 
Article TypeSolution Article
Scope/EnvironmentWorldServer
Symptoms/Context
After updating the certificate in CACERTs I received error  WorldServer API not available in the new UI only (Legacy UI is fine) and stack trace in logs.

Error message in idiomrun-stderr.xxx.log
  
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:619)
    ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 32 more

 
Resolution
The following steps need to be done to resolve issue. This may be different for others but provide useful information for checking.

World Server API Issue

1. Check CACERTS
Example 
keytool -list keystore "W:\Program Files\Idiom\WorldServer\jre\jre\lib\security\cacerts"

2. Add Logging to Tomcat/java startup service. Turning on logging in general.properties alone did not provide any information

In WorldServer\tomcat\bin\catalina.bat

Example:
  
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=ssl:handshake
-Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore

3. From the debug logs, found that WorldServer was looking at JSSEcacerts (rather than cacerts)

4. Exported JSSEcacerts and found that it had the wrong and expired certificate which was causing issues 
keytool -list keystore "W:\Program Files\Idiom\WorldServer\jre\jre\lib\security\cacerts"

5. Removed any incorrect certificates 
keytool -delete -alias <name> -keystore "<wrong path>"

6. Added the correct certificate

Example 
keytool -importkeystore -srckeystore "xxxx.pfx" -srcstoretype pkcs12 -destkeystore "W:\Program Files\Idiom\WorldServer\jre\jre\lib\security\cacerts" -deststoretype jks

7. Restarted Idiom Service and API issue was removed and logs no longer showed SSL issues.
 
Root Cause
As indicated by error message: unable to find valid certification path to requested target. The error message did not specify the incorrect path or  provide further detail.
Reference
Attachment 1 
Attachment 2 
Attachment 3 
Attachment 4 
Attachment 5 
Powered by