I have a web service that had been working fine while we were on Java 7 version 75. We recently updated to Java 8 and now we are getting this error on the web service: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This is the full dump:
Charset [empty string]
ErrorDetail I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Filecontent Connection Failure
Header [empty string]
Mimetype Unable to determine MIME type of file.
Responseheader ws dump - struct [empty]
Statuscode Connection Failure. Status code unavailable.
Text YES
We have updated the certificates and the certificates have been re-imported in the correct key store and verified it's there using keytool -list and restarted, but still get the authentication error.
I see this is usually fixed by re-installing the certificate but that hasn't worked. Many suggestions to fix this error recommended installing Certman in CF Admin. We installed it and imported the certificates, but still the same error. Our workaround is rolling back to Java 7 version 75 so this web service works, but we need to update to the latest version of Java soon so our charts can work again and obviously for security reasons. Any suggestions?
Stats:
Java Dev Kit 8 v 60, ColdFusion 10 hotfix 17, Windows Server 8
****UPDATE***** After reading Sean Coyne's answer below I talked to our Network Admin's. They had already copied the tools.jar file into the lib folder. They deleted the stubs folder and restarted the CF server, but we still got the same error. I visited with them and they showed me that the certificates were indeed in the keystore.
As described here: https://helpx.adobe.com/coldfusion/kb/coldfusion-mx-troubleshooting-scheduled-tasks.html We added some debugging to jvim.config as I ran the web service. The debugging pointed out that the handshake with one of the certificates was invalid. What the heck!
I asked if we could see the certs in the Certificate Manager in CF Admin. It was NOT installed after all. So the NA installed the CertMan add on in CF Admin. After importing the certificates using CertMan and restarting the CF server, the web service worked after that.
I think doing what Sean Coyne suggested below AND making sure CertMan was installed so we could import the certificates was what fixed it for us.
You may need to delete the stubs. These are in [cfroot]/cfusion/stubs
. Just stop CF, delete all the files in that directory and start CF again.
Also, you will want to copy the tools.jar file from your JDK installation into the lib folder at [cfroot]/cfusion/lib/tools.jar
. Backup the existing tools.jar file first then copy from [jdk root]/lib/tools.jar
.
Reference: http://blogs.coldfusion.com/post.cfm/coldfusion-10-and-11-support-with-java-8
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With