Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED
SSL connection to remote server issue
Hi All,
We have a component working for 8 years, all of a sudden it stops working.
The code is
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.*;
import org.apache.commons.httpclient.params.HttpClientParams;
import org.apache.commons.httpclient.params.HttpMethodParams;
....
String remoteUrl = "https://myremotesite.com";
HttpClient client = new HttpClient(clientParams);
HttpMethod method = new GetMethod(remoteUrl);
It throws a javax.net.ssl.SSLHandshakeException as:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
But I can see my SSL certificate under the ssl-service and the URL bar from my publish server.
Also, I tested the code via Unit Test and it works even if I don't have an SSL certificate on my Mac.
I look up this error, it says the certificate can't be picked up by the JDK. Any idea of that how to solve it?
Thanks!
-kt
1 Accepted Solution
Correct answer by
As @pulkitvashisth pointed out this issue typically occurs when the JVM can’t validate the SSL certificate from the server.
I followed the below steps to fix this issue on our on-premise AEM Servers where you can SSH into these AEM servers.
Assuming you are trying to connect to "https://myremotesite.com" from AEM servers:
Run the below command to download the root and intermediate chain certificates.
ssh into AEM server and change directory to /tmp or any other folder where you have write access and run the below command script.
$ openssl s_client -showcerts -verify 5 -connect myremotesite.com:443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
for cert in *.pem; do
newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
echo "${newname}"; mv "${cert}" "${newname}"
done
Next, convert the downloaded certificates from .pem to .der format using the below commands.
$ openssl x509 -outform der -in my_remotesite_ca.pem -out my_remotesite_ca.der
Do the same for other certificates created in this folder.
Lastly, run below keytool commands one-by-one to add entire certificate chain to the java truststore
$ keytool -importcert -trustcacerts -file my_remotesite_ca.der -alias my_remotesite_root -keystore <javaInstallationPath>/jre/lib/security/cacerts -storepass changeit
Hope this helps!
@kevingtan Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.
Kautuk Sahni
Correct answer by
As @pulkitvashisth pointed out this issue typically occurs when the JVM can’t validate the SSL certificate from the server.
I followed the below steps to fix this issue on our on-premise AEM Servers where you can SSH into these AEM servers.
Assuming you are trying to connect to "https://myremotesite.com" from AEM servers:
Run the below command to download the root and intermediate chain certificates.
ssh into AEM server and change directory to /tmp or any other folder where you have write access and run the below command script.
$ openssl s_client -showcerts -verify 5 -connect myremotesite.com:443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
for cert in *.pem; do
newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
echo "${newname}"; mv "${cert}" "${newname}"
done
Next, convert the downloaded certificates from .pem to .der format using the below commands.
$ openssl x509 -outform der -in my_remotesite_ca.pem -out my_remotesite_ca.der
Do the same for other certificates created in this folder.
Lastly, run below keytool commands one-by-one to add entire certificate chain to the java truststore
$ keytool -importcert -trustcacerts -file my_remotesite_ca.der -alias my_remotesite_root -keystore <javaInstallationPath>/jre/lib/security/cacerts -storepass changeit
Hope this helps!
This happens when organization's VPN and certificate chain is updated. The browser automatically acquire the SSL certificates and validates using the updated certificate chain but sometimes we need to manually validate the certificate and add it to java truststore.
The best way to validate the certificate chain of given website in these cases is to run the curl command with verbose on from the AEM Server machine to see the entire SSL handshake.
curl -v https://mywebsite.com
