Avoiding PKIX path building exceptions

We’ve got a legacy monolith Lucee app, and every so often we get these cert errors when doing requests:

Unknown host: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What seems to solve this is the manual act of going into Server Admin, and entering the domain that is failing, and it will then trust the cert.

Wondering if there’s any way Lucee devs out there keep the certificate chain up to date that anyone can recommend, which is more automated and not fail-first?

There are several possibilities of what is happening and it’s hard to prescribe a fix without knowing the issue.

  • The remote server could be using a self-signed cert, and changing it over time
  • The remote server could be using a self-signed cert, and you’re occasionally updating in a manner that reverts your trust store back to the default
  • Your Lucee installation could be very old such that the CA which trusts your remote server is not in Lucee’s trust store (possible, but unlikely)
  • The remote server could have purchased a new cert from a brand new CA, which is not trusted by Lucee’s trust store yet. (not likely)
  • You may have a local network security appliance that implements “SSL Spoofing” by swapping out the real SSL certs for self-signed ones in order to spy on SSL connections. (more common than many people realize in big corporations)

Generally speaking, no SSL reseller is using a CA that isn’t included in most recent trust stores, but it may be helpful the next time this happens to look at the server cert in question and figure out why it’s not trusted, as this will help guide you in understanding what’s changing.

You can visit the site in a browser on the machine (if it’s Windows) and look at the cert there, or use the CFML code

dump( sslcertificatelist( 'hostname.com' ) )

to look at what the cert chain is that Lucee is seeing. You can then inspect your trust store (cacerts) with a tool like openssl or Portecle to see if the CA in question is in the trust store, who issued it, and how old it is.

It’s also possible to override the JRE to use its own trust store (or a trust store of your design) instead of the one baked into Lucee (this is the default in Lucee 6) if you update your JRE regularly and you trust your JRE provider to be more proactive in updating root CAs than Lucee.
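To make the diagnosis above concrete, here is an added example (not code from this thread or from Lucee) in Go, standard library only, that builds a constructed chain, a self-signed "Demo Internal CA" issuing a leaf for the placeholder hostname.com, and shows the same path-building failure against an empty trust store, naming the issuer you would then look for in cacerts, followed by success once that CA is added (the equivalent of the manual "trust the cert" step). The CA name, the 24-hour validity and the function names are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeCert signs tmpl with parentKey; a nil parent means self-signed (a private CA).
func makeCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// DemoChain is constructed input: a self-signed "internal CA" and the leaf it issued for hostname.com.
func DemoChain() (ca, leaf *x509.Certificate) {
	ca, caKey := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Internal CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ = makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "hostname.com"},
		DNSNames: []string{"hostname.com"}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}, ca, caKey)
	return ca, leaf
}

// PathBuilds reports whether leaf chains to a root in trustStore; on UnknownAuthorityError (Go's
// analogue of "unable to find valid certification path") it also names the issuer to look for in cacerts.
func PathBuilds(leaf *x509.Certificate, trustStore *x509.CertPool) (bool, string) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trustStore, DNSName: "hostname.com"})
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return false, leaf.Issuer.CommonName
	}
	return err == nil, ""
}
```

If the issuer PathBuilds names is a CA you do not recognise rather than a public one, that points at the self-signed or SSL-inspection cases listed above rather than at a stale trust store.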
