
This article provides guidance and troubleshooting tips for addressing SSL issues in the Smart ID Digital Access component.

Problem

The error you are encountering, SunCertPathBuilderException: unable to find valid certification path to requested target, typically occurs when Java cannot establish a secure connection because it cannot build a valid certification path to the SSL certificate presented by the target server. This usually happens for one of the following reasons:

  • The root CA certificate has not been included as a trusted CA certificate in Digital Access.

  • The intermediate CA certificates are not being presented by the remote server.

  • The root CA certificate has been cross-signed by another CA.

Action

To address this issue, you can try the following steps:

  1. You can add the root CA certificate to the trusted CA certificates list in Digital Access.

  2. You can ensure that the intermediate CA certificates are properly configured and presented by the remote server. If the intermediate CA certificates are missing, they should be obtained from the Certificate Authority and properly installed on the server.

  3. You can confirm that both cross-signed certificates are included in the trust store of the systems where verification is required.

Troubleshoot using OpenSSL

Ensure that the trust store contains the root CA, intermediate CA and public server certificates so that the SSL handshake can succeed. You may need to obtain the certificate chain from the server administrator and import it into the trust store.

Fetching certificates using OpenSSL

  1. Ensure you have the OpenSSL utility on your system.

  2. Type this command (replace x with the appropriate IP address):

     openssl s_client -connect 192.168.x.xxx:443 -showcerts

  3. Copy the public certificate and its chain. Create a .cer file from them and add it to the Digital Access trust store.

Sample output is shown below:
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  4 07:19:07 2024 GMT; NotAfter: May 27 07:19:06 2024 GMT
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data)
-----END CERTIFICATE-----
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
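
An added example, not part of the original article: a shell function that reads the chain listing printed by openssl s_client -showcerts, checks that each certificate's issuer is the next certificate presented, and reports the issuer at which the presented chain stops. The names chain_report and sample_chain are hypothetical, and the embedded input is the chain listing from the sample output above.

```shell
#!/bin/sh
# Added example (not from the original article): check the "Certificate chain"
# section of openssl s_client -showcerts output for gaps.
# chain_report and sample_chain are hypothetical names used for illustration.

chain_report() {
  awk '
    # " 0 s:<subject>" opens a new certificate entry
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    # "   i:<issuer>" belongs to the entry that was just opened
    /^ +i:/ && n { sub(/^ +i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "NO_CHAIN_FOUND"; exit }
      # Each certificate must be issued by the next one the server sent.
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1])
          print "GAP after cert " (k - 1) ": issuer not presented: " iss[k]
      # A self-signed top entry is a root; otherwise the named issuer was not sent.
      if (subj[n] == iss[n])
        print "SELF_SIGNED_TOP: " subj[n]
      else
        print "CHAIN_ENDS_AT_ISSUER: " iss[n]
    }'
}

# Chain listing copied from the sample output in this article (PEM bodies omitted).
sample_chain() {
  cat <<'EOF'
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
EOF
}

sample_chain | chain_report
```

For a live check, pipe the s_client command from step 2 into chain_report. The issuer named in CHAIN_ENDS_AT_ISSUER is the CA certificate that must already be in the Digital Access trust store if it is a root, or that the remote server must present if it is an intermediate.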

Additional checks

Check Network Configuration

Sometimes, SSL errors can be caused by network issues such as proxy misconfigurations or firewall restrictions. Make sure your network configuration allows connections to the target server.

Review Logs

Look at the application logs for more specific information about the SSL error. It might provide additional clues about what's causing the issue.
