+ Start a Discussion
FilikinFilikin 

unable to find valid certification path to requested target - could Salesforce be caching certs?

Hi,

I know similar questions on this have been asked before, but jus tin case someone has an answer.

I am making SOAP callouts from asynchrous code and it was all working fine until the certs expired on the server I was calling.

 

the certs were replaced, but now I get the following error:

Failed to loginSystem.CalloutException: IO Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

Is it possible that Salesforce is caching the cert somewhere?

 

I tried deleting the remote site in the security controls and recreating it, but it made no difference.

 

The guy in charge of the server I am calling has come back with this:

I checked the following link: http://wiki.developerforce.com/index.php/Outbound_Messaging_SSL_CA_Certificates

Our certificate was signed by the following root certificate: COMODO High-Assurance Secure Server CA

Which in turn was signed by AddTrust External CA Root

This I can find in the list: http://wiki.developerforce.com/index.php/Outbound_Messaging_SSL_CA_Certificates#addtrustexternalca

 

The values seem to match, so the certificate should be recognised fine.

 

 

Best Answer chosen by Admin (Salesforce Developers) 
chuckmortimorechuckmortimore

We do trust GeoTrust Root CAs - we likely don't trust the Intermediate CA cert that was used to sign your server cert.   It's your responsibility to configure your SSL Endpoint to include the Intermediate CA cert in the cert chain that is presented during the SSL handshake, so that we can walk the chain back to a trusted root.    At the moment you're only exposing your server's cert, and not the intermediate CA.   I suspect this is the issue.

All Answers

chuckmortimorechuckmortimore

It sounds like your SSL endpoint didn't get configured properly when you deployed the new cert.   We only trust Root CA certs in the platform, and it's up to your server to send any required intermediate CA certs during the SSL handshake.   

 

If you configure your endpoint to send the intermediate certs your problem should just go away.

FilikinFilikin

Hi,

this problem is back again - the error is System.CalloutException: IO Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

But only in production - it works fine in the sandbox.

 

Which to me indicates that the problem is at the Salesforce end

chuckmortimorechuckmortimore

What's the URL you're trying to connect to.   I'll check it out for you

chuckmortimorechuckmortimore

Your SSL Endpoint is mis-configured.   You need to include your intermediate CA cert

 

You can see that you're not sending the intermediate if you run "openssl s_client -showcerts -connect www.visorsoftware.com:443"

 

FilikinFilikin

thanks - why does it work with the sandbox?

chuckmortimorechuckmortimore

In my testing from sandbox, it doesn't.   This is what we see from everyone of our sandboxes.

 

 

got Exception : javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Remote server's SSL/TLS configuration has one or more errors or warnings
The server's hostname, www.visorsoftware.com, exists in the supported set from the certificate: visorsoftware.com, and www.visorsoftware.com
Error: No certificates in the chain are trusted by Salesforce.com's list of trusted certificate authority certificates

Remote Server Certificate Chain

  1. Subject: CN=www.visorsoftware.com, O=Visor Limited, L=Blackrock, ST=County Dublin, C=IE, SERIALNUMBER=F6DNNpGz8a7qU9xLC5LBZ5cn-cPgzkp0
    Valid between 4/2/2012 9:15:19 AM PDT and 7/4/2013 11:00:30 AM PDT
    Issuer: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
FilikinFilikin

I am going to gibber quitely in a corner.

 

This code worked last Wednesday in the sandbox, and only failed when I switched to production to demo it to the customer.

But now, as you pointed out, it fails in the sandbox.

 

Is the problem that Salesforce don't trust GeoTrust?

 

chuckmortimorechuckmortimore

We do trust GeoTrust Root CAs - we likely don't trust the Intermediate CA cert that was used to sign your server cert.   It's your responsibility to configure your SSL Endpoint to include the Intermediate CA cert in the cert chain that is presented during the SSL handshake, so that we can walk the chain back to a trusted root.    At the moment you're only exposing your server's cert, and not the intermediate CA.   I suspect this is the issue.

This was selected as the best answer
FilikinFilikin

Many thanks for the help.

The other cloud provider switched servers between me testing with the sandbox and switching to production.

The new server had missed an SSL update from GeoTrust.

Fixed now.

 

Shailendra Singh ParmarShailendra Singh Parmar
Here is blog to troubleshoot this issue.
http://stringclass.blogspot.in/2015/07/troubleshooting-salesforce.html
udaykumar kudaykumar k
one solution i got issue resolved is you need to set proxy settings if you are in restricted network..1) In Eclipse IDE, select “Window –> Preferences”
2) Preferences box prompt out, choose “Network Connections”.
3) Select “Manual” from Action Provider drop down list..Host and proxy values
kouidri nourkouidri nour

I have the same problem, with the following error : System.CalloutException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

do you have a solution please ?
FilikinFilikin
Hi Kouldri, in my case, the problem was with the service provider - he missed an SSL update from GeoTrust and that is what caused the problem.
kouidri nourkouidri nour

Hi Filikin, and thanks for your answer, how did you solve the problem?
FilikinFilikin
I didn't, the service provider did by applying the update he missed