
I'm trying to load a page through SSL, and I'm getting this error:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Of course, I researched about it and it has something to do with the certificate of the page not being included in the Java distribution I downloaded. Here's the certificate hierarchy for the site I'm loading:

[image: screenshot of the site's certificate hierarchy]

The first one (GlobalSign) is, of course, included in the system. But what is "Trusted Root CA SHA256 G2"? Firefox says it's signed by GlobalSign. Also, could ICPEdu be the missing certificate? If so, how do I add it to the list of trusted certificates inside my Java code?

But wait a moment... Since GlobalSign is trusted, shouldn't every certificate below be trusted too?

As pointed out in the answer, here's the SSL debug:

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://secure.globalsign.com/cacert/icpedusha2g2.crt
, 
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp2.globalsign.com/icpedusha2g2
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 95 F0 A4 84 1A A7 5C 20   36 A6 C5 08 D7 65 42 02  ......\ 6....eB.
0010: E5 77 68 E3                                        .wh.
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.globalsign.com/gs/icpedusha2g2.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 26 68 74 74 70 73 3A   2F 2F 77 77 77 2E 67 6C  .&https://www.gl
0010: 6F 62 61 6C 73 69 67 6E   2E 63 6F 6D 2F 72 65 70  obalsign.com/rep
0020: 6F 73 69 74 6F 72 79 2F                            ository/

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.parthenon.biblioteca.unesp.br
  DNSName: parthenon.biblioteca.unesp.br
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6D BE 57 72 E3 B5 BD A2   0E 16 E3 A9 2F 8B E7 87  m.Wr......../...
0010: F1 4B 27 75                                        .K'u
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 2D 83 5B 63 56 82 77 74   FB EF 40 C1 7A 88 9B 1B  -.[cV.wt..@.z...
0010: 34 37 79 4E 28 A4 79 18   69 25 FE 52 90 B4 79 B7  47yN(.y.i%.R..y.
0020: 90 00 58 CE 21 E6 96 BC   E7 5B C3 5D 41 38 51 5E  ..X.!....[.]A8Q^
0030: B5 DA D2 EA F6 44 83 FA   B7 A8 66 90 77 C9 96 3D  .....D....f.w..=
0040: 72 AE 05 5C F2 19 AE 36   43 F6 A5 DF E2 E5 F8 50  r..\...6C......P
0050: D3 CC EF AE 79 29 19 F6   F8 63 C0 26 E9 0C FA 86  ....y)...c.&....
0060: 30 1D BF 00 69 C8 E9 B5   B6 16 BE 6B 5F 63 5B AD  0...i......k_c[.
0070: F5 B4 18 82 0C 53 ED 36   AB 38 61 8B 80 C9 8C 62  .....S.6.8a....b
0080: E6 20 E3 CB 5A 2A 91 C2   CA 6A BE 31 B6 CB 65 57  . ..Z*...j.1..eW
0090: 33 47 43 9A B4 33 5B 45   D9 5E ED C6 7C 2B 0D B3  3GC..3[E.^...+..
00A0: E6 4C 5F 85 EF D0 BE CD   02 1B 6B C1 06 2F 7B F6  .L_.......k../..
00B0: C0 B7 C4 68 F1 F6 92 2B   A4 B6 85 08 32 7C 8D 9F  ...h...+....2...
00C0: 34 7D 08 5B B4 05 51 C8   E6 C4 29 86 04 32 FA 2B  4..[..Q...)..2.+
00D0: 18 42 56 43 88 DB EE 32   5F CE 8D 88 5E 91 C1 72  .BVC...2_...^..r
00E0: CB 0F FE F3 CA 55 D3 A4   40 57 E0 13 03 3F C9 16  .....U..@W...?..
00F0: 1F FC 31 28 CB 68 06 9F   0F 3A D2 3A 91 65 B2 D8  ..1(.h...:.:.e..

]
***
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Gatonito
  • It is enough to have the CA root in cacerts. Assuming that GlobalSign is included, the problem may be that the server is not sending the full chain. I suggest you download it and check if the 4 certificates are present – pedrofb Jun 06 '16 at 06:59

2 Answers


The server www.parthenon.biblioteca.unesp.br is not sending its intermediate certificates in the handshake.

[image: SSL Labs result showing incomplete cert chain]

The server admin can correct this by supplying the missing intermediate certificates in the server config.

Anand Bhat
  • I don't have contact with the administrator and I'm doing a webcrawler... How do I add trust to these specific fingerprints? Also, why doesn't my Firefox give some bizarre error? – Gatonito Jun 07 '16 at 23:25
  • I mean, I know or I at least believe that this fingerprint is the one signed by GlobalSign, so I know I'd be taking risks, but everybody logs in via HTTP anyway; I'd be doing the best I can by trusting only the fingerprints signed by GlobalSign, no matter if it's revoked by now, understand? How do I accept a fingerprint? – Gatonito Jun 08 '16 at 01:56
  • You can add this certificate to your Java trust store (see https://stackoverflow.com/questions/2893819/telling-java-to-accept-self-signed-ssl-certificate). Firefox and some other browsers have a functionality that allows them to fetch missing certificates to chain up to a trusted root (AIA chasing). – Anand Bhat Jun 08 '16 at 02:57
  • In order to add it to the trust store I must have the certificate, right? How am I gonna get it if the server doesn't deliver it? Also, I needed a way to add them at runtime (by code), because this app will run on different devices. – Gatonito Jun 08 '16 at 19:45
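As an added example (not code from the question or either answer), a client-side Java fix that keeps certificate validation switched on: it loads a private copy of the JRE's default cacerts, adds the missing intermediate (obtainable from the caIssuers URL in the AuthorityInfoAccess extension of the debug output above), and builds an SSLContext from the extended store. The class name, the file-path argument and the null trust-store password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustWithIntermediate {   // hypothetical class name, added example
    // Builds an SSLContext that trusts the JRE's default cacerts plus the given
    // intermediate CA certificate file(s) (DER or PEM) that the server omits.
    static SSLContext buildContext(Path... intermediateCertFiles) throws Exception {
        // 1. Load a private copy of the default trust store. The GlobalSign root is
        //    already in here; a null password skips the integrity check only.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, null);
        }
        // 2. Add each intermediate as a trusted certificate entry. The leaf is still
        //    checked (signature, validity period, hostname) against it; nothing is bypassed.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Path file : intermediateCertFiles) {
            try (InputStream in = new FileInputStream(file.toFile())) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                // Refuse anything that is not a CA certificate, so a stray leaf is never pinned by mistake.
                if (cert.getBasicConstraints() < 0) throw new IllegalArgumentException(file + " is not a CA certificate");
                ks.setCertificateEntry("extra-" + cert.getSubjectX500Principal().getName(), cert);
            }
        }
        // 3. Hand the extended store to the standard PKIX trust manager.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TrustWithIntermediate /path/to/icpedusha2g2.crt
        SSLContext ctx = buildContext(Paths.get(args[0]));
        // Every HttpsURLConnection opened afterwards validates against the extended store.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Because the intermediate becomes a trust anchor here, the JDK will not check its status against the GlobalSign root, so keep this store scoped to the crawler rather than installing it system-wide. Alternatively, start the JVM with -Dcom.sun.security.enableAIAcaIssuers=true so the PKIX path builder fetches missing intermediates from the caIssuers URL itself, much as Firefox's AIA chasing does.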

I think the best thing for you would be to take a look at exactly what is sent from the server to the client. You can get the certificate chain sent to the browser and parse it using OpenSSL or, better yet, through online parsers like: http://developerutils.com/X509CertificateDecoder.php

And you can add to the server logging options: -Djavax.net.debug=ssl,handshake to see the entire handshake process.

This should help you figure out exactly what's going on.

Regarding the chain itself: if a chain is sent and the root of the chain is in the list of trusted CAs, the rest of the chain is trusted - unless one of the certificates in the chain is revoked or expired.

Ravivm
  • But GlobalSign for sure is trusted... I'm gonna debug the handshake process – Gatonito Jun 05 '16 at 15:45
  • I updated. It appears that the problem is with the second certificate, am I right? And why does it have a name so crazy like this? What is this certificate? – Gatonito Jun 05 '16 at 15:51
  • Also, if some certificate were revoked or expired it wouldn't be accepted in Firefox – Gatonito Jun 05 '16 at 21:22