1-Visitor
July 17, 2017
Solved

How to solve SSLHandshakeException?


Hi all,

I am now using the getJSON function to get the content from a URL, and the code is shown below:

    var params = {
        proxyScheme: undefined /* STRING */,
        headers: undefined /* JSON */,
        ignoreSSLErrors: true /* BOOLEAN */,
        useNTLM: undefined /* BOOLEAN */,
        workstation: undefined /* STRING */,
        useProxy: true /* BOOLEAN */,
        withCookies: undefined /* BOOLEAN */,
        proxyHost: 'proxy.companyname.com' /* STRING */,
        url: "http://gateway-a.watsonplatform.net/visual-recognition/api/v3/classify?api_key=9cf5fa21fe8ff3d9eaa49d0319f329ae5ee7bb89&…" /* STRING */,
        timeout: undefined /* NUMBER */,
        proxyPort: '8080' /* INTEGER */,
    };

    // result: JSON
    var result = Resources["ContentLoaderFunctions"].GetJSON(params);


I got the error message below:


Wrapped javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

But when I change the URL to https://feeds.citibikenyc.com/stations/stations.json, I can get the content.

Can anyone help solve this problem? Thanks!



5 replies

yzhang11-VisitorAuthor
1-Visitor
July 17, 2017

The API key needs to be updated, but that does not influence the result.

10-Marble
August 16, 2017

Hi Ying Nang Zhang,

Is your problem resolved? I have a similar problem here.

1-Visitor
August 29, 2017

Any response to this? I also am having this problem.

5-Regular Member
November 30, 2017

Was this on ThingWorx version 8?

I am seeing a similar error, not sure what the core issue is?

1-Visitor
February 28, 2018

Hello,

 

How did you solve the problem?

 

I am having the same problem.

 

Regards,

madhu

1-Visitor
March 7, 2018

I had the same problem (EC2 Amazon Linux server, using TWX 8.1 Docker PostgreSQL), and it was not a self-signed certificate. The following worked for me:

 

Stop ThingWorx:
$ docker stop twxfoundation

 

Go to https://www.target_address.com/ and click on the lock icon to view the SSL certificates.

Open the certificate and view the Certificate Path, then download each certificate in that path (Details -> Copy to File). Use the first export option (must be X.509 certificate).

 

Upload downloaded certificates to your ThingWorx server

 

Import the certificates into the Docker keystores on the TWX server; use the following for reference:
https://adamtuttle.codes/TIL-adding-a-jvm-ssl-cert-docker/
https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ/36427118#36427118

 

Find the keystores on your TWX server (in my case Docker keystores, with a path that included "/docker/overlay2"):

$ sudo find / -iname 'cacerts'

 

Import each certificate into each keystore, for example (storepass is "changeit" by default):

$ sudo keytool -importcert -alias myApiCert -keystore "/data/docker/overlay2/blahblah123/diff/opt/jdk1.8.0_92/jre/lib/security/cacerts" -file my_api_cert.cer -noprompt -storepass changeit

1-Visitor
March 8, 2018

Hi, 

I got this problem while installing ThingWorx Navigate, when connecting to Windchill.

I solved it by importing the Windchill signing certificate into the Java keystore.

 

 

Regards,

madhu

 

CRArko (Answer)
5-Regular Member
February 28, 2018

Hi.

 

With that kind of error reported, the cause is often that the certificate is missing from the Java keystore.

 

Is this a self-signed certificate? If so, try this procedure out:

 

Import the self-signed certificates from the external server into the ThingWorx trust store using the following steps:

  • Locate trust store used by ThingWorx
    • Enable SSL logging if needed by adding the following parameter: -Djavax.net.debug=ssl
    • Restart Tomcat
    • Review Catalina and stdout logs for the following line:

trustStore is: C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts

  • Download the InstallCert.java script to the ThingWorx machine in the same location as the cacerts file identified above
  • Execute: javac InstallCert.java
  • Execute: java InstallCert externalserver:port
  • The Java application will prompt you to install the external certificate
  • A new jssecacerts should be generated with the external certificates in the same location as the cacerts file
  • Restarting Tomcat will indicate a new trust store: trustStore is: C:\Program Files\Java\jre1.8.0_141\lib\security\jssecacerts
  • Retest the operation that was failing earlier with the PKIX error

 

Let us know if this is successful or not.

 

-- Craig A.
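
The InstallCert procedure in this answer and the keytool import in the March 7 reply both add whatever certificate was retrieved to the JVM trust store. The following is an added example, not code from any poster or from the ThingWorx project: shell functions that split a saved chain into individual certificates and run keytool -importcert only when the SHA-256 fingerprint matches a value confirmed out of band. The function names, the STOREPASS variable and the sample bundle are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names), not from the thread.

# Split a PEM bundle, e.g. saved from
#   openssl s_client -connect host:443 -showcerts </dev/null > chain.pem
# into cert-1.pem, cert-2.pem, ... under directory $2; prints the count.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END { print n + 0 }' "$1"
}

# Reduce "SHA256 Fingerprint=AB:CD:..." (openssl) or "AB:CD:..." (keytool,
# browser dialog) to bare lowercase hex so two sources can be compared.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Import certificate $1 into keystore $3 under alias $4, but only when its
# SHA-256 fingerprint equals $2 (obtained out of band from the service owner).
import_if_pinned() {
  local raw actual
  raw=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
  actual=$(normalize_fp "$raw")
  if [ -z "$actual" ] || [ "$actual" != "$(normalize_fp "$2")" ]; then
    echo "fingerprint mismatch for $1: not importing" >&2
    return 1
  fi
  keytool -importcert -noprompt -alias "$4" -file "$1" \
          -keystore "$3" -storepass "${STOREPASS:-changeit}"
}

# Constructed sample bundle: two placeholder blocks, not real certificates.
sample_bundle() {
  printf '%s\n' \
    'depth=1 CN = Example Intermediate (constructed)' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtMQ==' \
    '-----END CERTIFICATE-----' \
    'depth=0 CN = api.example.test (constructed)' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtMg==' \
    '-----END CERTIFICATE-----'
}
```

As in the steps above, Tomcat has to be restarted after the import before the JVM picks up the changed trust store.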

10-Marble
April 12, 2018

Hi Craig A., with "java InstallCert externalserver:port", what should the "port" be? Thanks.