Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

CAS SunCertPathBuilderException:unable to find valid certification path to requested target

Tags:

java

ssl

ssl-certificate

tomcat

cas

I have CAS configured in my computer to work on a particular domain (say a.com) which works fine. There I had a pair of .crt and .key files along with the code. Now there has been a need to change the domain, so what I did was, changed the domain (say b.com) in the source code accordingly and imported the .crt and .key files I have received. Now, when I access the CAS login page I can access that. But when I provide the login credentials and click on the login button, it fails with the following exception.

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    sun.security.validator.Validator.validate(Validator.java:260)
    sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:158)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:143)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:270)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

Can someone please tell me what the heck is going on here? I have seen a lot of similar questions but none seemed to address my scenario.

like image 766
Romeo Sierra Avatar asked Oct 30 '25 22:10

Romeo Sierra

1 Answers

Turns out to be a problem with my Tomcat configuration. Even though I have imported the keys into the keystore, the keystore was not being accessed by tomcat, leading to a failure to read the certificate.

Seems like this applies to those who download and extract binaries of tomcat distributions instead of using a package manager such as apt-get.

Two possible options are there currently (there may be more).

  1. Modifying the catalina.sh to add the property -Djavax.net.ssl.trustStore to include the required trust store file. Basically, the property and the value are appended to the JAVA_OPTS variable in the above script. E.g. JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts".However this is just a quick fix. I don't think that this is a good solution because the trust store is being added globally.
  2. Adding the keystore location to the connector attribute in server.xml configuration file. Examples could be found at here.

I now realize that this is a very simple fundamental problem. But for the sake of supporting the learners I thought of leaving the question and the answer. Please improve this answer further.

like image 61
Romeo Sierra Avatar answered Nov 02 '25 13:11

Romeo Sierra
Sign in to Comment

Related questions

What is the purpose of TaskExecutor in spring?
Easiest way to calculate offset between two timezones Scala/Java
QueryDsl how to use exist() to return boolean
How to generate JSON Stringer in Android for this format
Android 11, can start intent to share file but file is not attatched
In-line string substitution in Java?
How to only open an existing file in java [duplicate]
Retrieve mouse position in JavaFX without event
Google API not recognized by IDE/Maven
Runtime Exception using Glide Image Load setDataSource failed: status =
Cannot find 'javaxt-core' on Maven Repo

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!