
Unable to find valid certification path to requested target

Open ManojkuSahu opened this issue 3 years ago • 2 comments

I have successfully installed the fido2 service on the Ubuntu server. Now, while executing the get policy command, I am getting the error below.

java -jar skfsclient.jar GP https://fido2l.xxxxxxxxxx.com:8181 1 REST PASSWORD svcfidouser Abcd1234! false 1 1

Copyright (c) 2001-2023 StrongAuth, Inc. All rights reserved.

REST Get policy test with PASSWORD


Calling getpolicyinfo @ https://fido2l.xxxxxxxxx.com:8181/skfs/rest/getpolicy
Jan 30, 2023 6:12:14 PM com.strongkey.skfsclient.impl.rest.RestFidoGetPolicyInfo getPolicyInfo
SEVERE: null
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1416)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at com.strongkey.skfsclient.impl.rest.RestFidoGetPolicyInfo.getPolicyInfo(RestFidoGetPolicyInfo.java:127)
    at FidoEngine.main(FidoEngine.java:375)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 31 more

Get policy response : null

Done with get policy!

ManojkuSahu avatar Jan 30 '23 18:01 ManojkuSahu

Hi @ManojkuSahu,

The error that you see is because the Java truststore is missing the TLS certificate that is required to connect to port 8181 on the appliance.

Therefore, you will need to import your TLS server certificate into the truststore used by your JVM and after this, skfsclient should be able to connect to your FIDO server instance without a problem.

You can also view/download the self-signed certificate used by SKFS using the following link:

https://docs.strongkey.com/index.php/skfs-home/skfs-how-to/skfs-operations/payara-questions/find-current-self-signed-certificate-used-by-skfs

You can follow the steps listed in the following link to import the server certificate into the client truststore:

https://docs.strongkey.com/index.php/skfs-home/skfs-how-to/skfs-operations/payara-questions/import-certificate-into-client-application-trust-store

Hope this helps!

mansibudhiraja avatar Jan 31 '23 21:01 mansibudhiraja
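
The import step described in the reply above, as an added example that is not part of the thread or of StrongKey's documentation: it compares the certificate's SHA-256 fingerprint with a value obtained out of band from the server administrator before adding it to a dedicated client truststore, so a certificate fetched over the still-untrusted connection is not trusted blindly. The function names, the alias, the store path and the `changeit` password are assumptions chosen for illustration, and the demo runs on a constructed self-signed certificate.

```shell
#!/bin/sh
# Added example: pin-check a server certificate, then import it into a
# dedicated client truststore. Names, alias and paths are illustrative.

# Save the leaf certificate a TLS server presents (needs network access).
fetch_cert() {  # fetch_cert HOST PORT OUT.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Print the SHA-256 fingerprint as bare uppercase hex (no label, no colons).
cert_sha256() {  # cert_sha256 CERT.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the certificate matches a fingerprint obtained out of band.
pin_matches() {  # pin_matches CERT.pem EXPECTED_HEX
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$want" ] && [ "$(cert_sha256 "$1")" = "$want" ]
}

# Import into STORE only after the pin check passes.
import_pinned() {  # import_pinned CERT.pem EXPECTED_HEX STORE STOREPASS ALIAS
    pin_matches "$1" "$2" || { echo "fingerprint mismatch, not importing" >&2; return 1; }
    keytool -importcert -noprompt -alias "$5" -file "$1" \
        -keystore "$3" -storetype PKCS12 -storepass "$4" >/dev/null 2>&1
}

# Offline demo on a constructed self-signed certificate (not the SKFS one).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=fido.example.test" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    fp=$(cert_sha256 "$d/cert.pem")   # stands in for the out-of-band value
    import_pinned "$d/cert.pem" "$fp" "$d/trust.p12" changeit skfs-demo &&
        keytool -list -keystore "$d/trust.p12" -storepass changeit -alias skfs-demo
    rc=$?; rm -rf "$d"; return $rc
}

if [ "${1:-}" = demo ]; then demo; fi
```

A store built this way can be handed to a JVM with the standard JSSE properties `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword`, or the same certificate can go into the JVM's default store with `keytool -importcert -cacerts`. That skfsclient validates against the JVM's default truststore is taken from the reply above and is not verified here.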