"PKIX path building failed" and "unable to find valid certification path to requested target"

Question

I'm trying to get tweets using twitter4j library for my java project which uses under the covers java.net.HttpURLConnection (as can be seen in stack trace). On my first run I got an error about certificate sun.security.validator.ValidatorException and sun.security.provider.certpath.SunCertPathBuilderException. Then I added twitter certificate by:

C:\Program Files\Java\jdk1.7.0_45\jre\lib\security>keytool -importcert -trustcacerts -file PathToCert -alias ca_alias -keystore "C:\Program Files\Java\jdk1.7.0_45\jre\lib\security\cacerts" 

But without success. Here is the procedure to get tweets:

public static void main(String[] args) throws TwitterException {     ConfigurationBuilder cb = new ConfigurationBuilder();     cb.setDebugEnabled(true)         .setOAuthConsumerKey("myConsumerKey")         .setOAuthConsumerSecret("myConsumerSecret")         .setOAuthAccessToken("myAccessToken")         .setOAuthAccessTokenSecret("myAccessTokenSecret");          TwitterFactory tf = new TwitterFactory(cb.build());     Twitter twitter = tf.getInstance();          try {         Query query = new Query("iphone");         QueryResult result;         result = twitter.search(query);         System.out.println("Total amount of tweets: " + result.getTweets().size());         List<Status> tweets = result.getTweets();                  for (Status tweet : tweets) {             System.out.println("@" + tweet.getUser().getScreenName() + " : " + tweet.getText());         }     } catch (TwitterException te) {         te.printStackTrace();         System.out.println("Failed to search tweets: " + te.getMessage());     } 

And here is the error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Relevant discussions can be found on the Internet at:     http://www.google.co.jp/search?q=d35baff5 or     http://www.google.co.jp/search?q=1446302e TwitterException{exceptionCode=[d35baff5-1446302e 43208640-747fd158 43208640-747fd158 43208640-747fd158], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=3.0.5}     at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:177)     at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:61)     at twitter4j.internal.http.HttpClientWrapper.get(HttpClientWrapper.java:81)     at twitter4j.TwitterImpl.get(TwitterImpl.java:1929)     at twitter4j.TwitterImpl.search(TwitterImpl.java:306)     at jku.cc.servlets.TweetsAnalyzer.main(TweetsAnalyzer.java:38) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target     at sun.security.ssl.Alerts.getSSLException(Unknown Source)     at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)     at sun.security.ssl.Handshaker.fatalSE(Unknown Source)     at sun.security.ssl.Handshaker.fatalSE(Unknown Source)     at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)     at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)     at sun.security.ssl.Handshaker.processLoop(Unknown Source)     at sun.security.ssl.Handshaker.process_record(Unknown Source)     at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)     at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)     at java.net.HttpURLConnection.getResponseCode(Unknown Source)     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)     at twitter4j.internal.http.HttpResponseImpl.<init>(HttpResponseImpl.java:34)     at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:141)     ... 5 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)     at sun.security.validator.Validator.validate(Unknown Source)     at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)     ... 20 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)     at java.security.cert.CertPathBuilder.build(Unknown Source)     ... 26 more Failed to search tweets: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

Answer 1

1. Go to URL in your browser:

• firefox - click on HTTPS certificate chain (the lock icon right next to URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pickup the name and choose file type example.cer
• chrome - click on site icon left to address in address bar, select "Certificate" -> "Details" -> "Export" and save in format "Der-encoded binary, single certificate".

2. Now you have file with keystore and you have to add it to your JVM. Determine location of cacerts files, eg. C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.

3. Next import the example.cer file into cacerts in command line (may need administrator command prompt):

keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer

You will be asked for password which default is changeit

Restart your JVM/PC.

source: http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html

Answer 2

After many hours trying to build cert files to get my Java 6 installation working with the new twitter cert's, I finally stumbled onto an incredibly simple solution buried in a comment in one of the message boards. Just copy the cacerts file from a Java 7 installation and overwrite the one in your Java 6 installation. Probably best to make a backup of the cacerts file first, but then you just copy the new one in and BOOM! it just works.

Note that I actually copied a Windows cacerts file onto a Linux installation and it worked just fine.

The file is located in jre/lib/security/cacerts in both the old and new Java jdk installations.

Hope this saves someone else hours of aggravation.