Tag Archives: keytool

Keytool: How to solve javax.net.ssl.SSLHandshakeException Error?

A Java microservice in the environment threw an exception. The logs report the following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

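Reason: The self-signed certificate used by the customer is not trusted by the JDK.

Solution: import the customer domain's SSL certificate into the JDK trust store (cacerts). The certificate is fetched from the live connection, so compare its fingerprint with the one the customer provides before trusting it.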

# export LANG="en_US.UTF-8"
# openssl s_client -connect www.example.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > www.example.com.crt
# keytool -import -file www.example.com.crt -alias www.example.com -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass "changeit" -noprompt -trustcacerts

Restart the affected Java application, and the error is resolved.

keytool error: java.lang.Exception: Failed to establish chain from reply

While enabling encryption on a CDH cluster, the following error occurred when the signed certificate was imported into the keystore:
keytool error: java.lang.Exception: Failed to establish chain from reply
I read a lot of articles without solving the problem; later, a Baidu search turned up an article in English, https://www.veritas.com/support/en_US/article.000021204, which mentions the following:

Problem
When importing an SSL certificate to Clearwell’s keystore, an error is encountered.
Error Message
keytool error: java.lang.Exception: Failed to establish chain from reply
Cause
Root and/or Intermediate certificates have not been imported in order.

On checking, I found that I had commented out one of the original steps and had not executed it: importing the self-signed certificate (that is, my root certificate) into the server keystore.
After I changed this and performed that step first, the import ran normally.
Summary: The order in which certificates are imported into the keystore matters. If there is a root certificate or a multi-level certificate authority, the certificates must be imported level by level, from top to bottom.
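
The top-down order described in the summary can be worked out before running keytool. The following is an added example, not part of the original post: it sorts certificates root first by matching subject and issuer names, and reports any certificate whose issuer is missing. The file names and sample names are constructed, and matching is by name only (signatures are not verified).

```shell
#!/bin/sh
# Added example: compute a top-down (root first) import order for a chain.
# Matching is by subject/issuer name only; signatures are not verified.

# cert_names FILE: print "file<TAB>subject<TAB>issuer" (requires openssl).
cert_names() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    printf '%s\t%s\t%s\n' "$1" "$subj" "$issr"
}

# import_order: read cert_names lines on stdin, print file names root first.
# Exits 1 and names the certificate if an issuer was not supplied.
import_order() {
    awk -F '\t' '
        { n++; file[n] = $1; subj[n] = $2; issr[n] = $3 }
        END {
            do {
                progress = 0
                for (k = 1; k <= n; k++) {
                    if (done[k]) continue
                    # Ready when self-signed or when its issuer is already listed.
                    if (subj[k] == issr[k] || (issr[k] in listed)) {
                        print file[k]
                        listed[subj[k]] = 1; done[k] = 1; progress = 1
                    }
                }
            } while (progress)
            for (k = 1; k <= n; k++)
                if (!done[k]) {
                    printf "issuer not supplied for %s: %s\n", file[k], issr[k] > "/dev/stderr"
                    bad = 1
                }
            exit bad + 0
        }'
}

# Constructed sample (hypothetical names), deliberately listed leaf first.
SAMPLE=$(printf '%s\t%s\t%s\n' \
    server.crt 'CN=cdh-node1.example.com' 'CN=Example Issuing CA' \
    intermediate.crt 'CN=Example Issuing CA' 'CN=Example Root CA' \
    root.crt 'CN=Example Root CA' 'CN=Example Root CA')
printf '%s\n' "$SAMPLE" | import_order

# Real use: for f in *.crt; do cert_names "$f"; done | import_order
# Then import CA certificates in that order under their own aliases, and the
# signed reply last under the alias of the existing key entry.
```

A non-zero exit from `import_order` means a root or intermediate certificate is missing from the set, which is the condition behind "Failed to establish chain from reply".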