
SSL issues

This article provides guidance and troubleshooting tips for addressing SSL issues in the Smart ID Digital Access component.

Problem

The error SunCertPathBuilderException: unable to find valid certification path to requested target typically occurs when Java is unable to establish a secure connection because it cannot find a valid certification path to the SSL certificate presented by the target server. This usually happens for one of the following reasons:

  • The root CA certificate has not been included as a trusted CA certificate in Digital Access.

  • The intermediate CA certificates are not being presented by the remote server.

  • The root CA certificate has been cross signed by another CA.

Action

To address this issue, you can try the following steps:

  1. You can add the root CA certificate to the trusted CA certificates list in Digital Access.

  2. You can ensure that the intermediate CA certificates are properly configured and presented by the remote server. If the intermediate CA certificates are missing, they should be obtained from the Certificate Authority and properly installed on the server.

  3. You can confirm that both cross-signed certificates are included in the trust store of the systems where verification is required.

Troubleshoot using OpenSSL

Ensure that the trust store contains the root CA, intermediate CA and public server certificates so that the SSL handshake can succeed. You may need to obtain the certificate chain from the server administrator and import it into the trust store.

Fetching certificates using OpenSSL

  1. Ensure you have the OpenSSL utility on your system.

  2. Type this command (replace x with the appropriate IP address):

     openssl s_client -connect 192.168.x.xxx:443 -showcerts

  3. Copy the public certificate and its chain. Create a .cer file out of it and add it to the Digital Access trust store.

     Certificate chain
      0 s:CN=www.google.com
        i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
        a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
        v:NotBefore: Mar 4 07:19:07 2024 GMT; NotAfter: May 27 07:19:06 2024 GMT
     -----BEGIN CERTIFICATE-----
     (certificate body omitted)
     -----END CERTIFICATE-----
      1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
        i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
        a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
        v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
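
The s:/i: lines of that output already show whether the server presents its intermediates and which root CA has to be trusted. The script below is an added example, not part of the original article or of Digital Access; the function names and the temporary sample file are assumptions, and the sample is constructed from the header lines shown above.

```shell
#!/bin/sh
# chain_links FILE: print "depth<TAB>subject<TAB>issuer" for each certificate
# listed in the "Certificate chain" header of saved `s_client -showcerts` output.
chain_links() {
    awk '
        /^ *[0-9]+ s:/ { d = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ *i:/ && d != "" { sub(/^ *i:/, ""); print d "\t" subj "\t" $0; d = "" }
    ' "$1"
}

# chain_diagnosis FILE: print one verdict word.
#   no-chain    no s:/i: lines were found in the file
#   broken      an issuer does not match the subject of the next certificate
#   has-root    the chain ends in a self-signed certificate (the root CA)
#   leaf-only   the server sent only its own certificate; if an intermediate CA
#               issued it, the intermediates are not being presented
#   needs-root  the chain links up; the last issuer is the root CA to trust
chain_diagnosis() {
    chain_links "$1" | awk -F'\t' '
        NR > 1 && $2 != prev_issuer { broken = 1 }
        { n = NR; prev_issuer = $3; last_subj = $2 }
        END {
            if (n == 0) print "no-chain"
            else if (broken) print "broken"
            else if (last_subj == prev_issuer) print "has-root"
            else if (n == 1) print "leaf-only"
            else print "needs-root"
        }'
}

# chain_top_issuer FILE: issuer of the last certificate the server sent,
# i.e. the CA name to look for among the trusted CA certificates.
chain_top_issuer() {
    chain_links "$1" | awk -F'\t' '{ i = $3 } END { print i }'
}

# Constructed sample: header lines as shown on this page, certificate bodies left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
EOF
chain_diagnosis "$sample"    # needs-root
chain_top_issuer "$sample"   # C=US, O=Google Trust Services LLC, CN=GTS Root R1
```

The comparison is on the names as printed, so it cannot tell a cross-signed root from the self-signed one with the same subject; that case still has to be checked against the certificates in the trust store.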

Additional checks

Check Network Configuration

Sometimes, SSL errors can be caused by network issues such as proxy misconfigurations or firewall restrictions. Make sure your network configuration allows connections to the target server.

Review Logs

Look at the application logs for more specific information about the SSL error. It might provide additional clues about what's causing the issue.

Related information

Add certificates in Digital Access

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.