JDK8 -> JDK10: PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target
Problem



  • I have a SpringBoot application using an app called Launchdarkly, which makes use of okhttp

  • I'm migrating from JRE 8 to JRE 10; calls to other resources work, but the calls made using okhttp fail

EDIT: This could happen with any app that has a certificate chain similar to the one used by our app.



javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



Exception



The error occurs in this thread...



config-server_1 | 2018-11-10T21:25:19,147 67327 | DEBUG | okhttp-eventsource- ["okhttp-eventsource-stream--0" ] Connection problem.
config-server_1 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
config-server_1 | at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339) ~[?:?]
config-server_1 | at sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968) ~[?:?]
config-server_1 | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777) ~[?:?]
config-server_1 | at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:195) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]


Setup



  • Using jlink and selecting modules to build a small JRE

    • Installed using Docker at https://dev.to/gimlet2/dockerizing-java-10-spring-boot-app-3b4c

    • Current app runs on JRE8 in Docker (same base image)


  • I only have JAVA_HOME set... Not sure if we need anything else

Java 10 version details



Installed using the method above



root@e0776fd790e7:/runtime# ls -la /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 177280 Oct 29 16:29 /etc/ssl/certs/java/cacerts
root@e0776fd790e7:/runtime# java -version
openjdk version "10" 2018-03-20
OpenJDK Runtime Environment 18.3 (build 10+46)
OpenJDK 64-Bit Server VM 18.3 (build 10+46, mixed mode)


Keystore is set



The java 10 keystore can see it



root@17000659d1ec:/runtime# keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries


This is as described at https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates



Attempts



  • I'd like to learn if there's anything you can help with

    • Coming from "Unable to find valid certification path to requested target - error even after cert imported"


  • Tried to call cacerts from java 8 to java 10
  • Tried to symlink or copy cacerts from JRE dir to /etc/ssl/certs/java/cacerts WORKS! ALONG WITH COPYING FROM JDK 8
  • Tried setting -Djavax.net.ssl.trustStore=/opt/jdk-minimal/jre/lib/security/cacerts

EDIT: See my answer
  • I would avoid Java 10 as it is EOL. Java 11 shouldn't be much harder to migrate to.
    – Peter Lawrey
    Nov 11 at 10:34

  • @PeterLawrey yeah definitely... Just keeping this documented while we walk towards it...!
    – Marcello de Sales
    Nov 11 at 17:24
Tags: java ssl ssl-certificate okhttp
edited Nov 11 at 19:15
asked Nov 11 at 6:29
Marcello de Sales
1 Answer
accepted answer
Solution when migrating from JDK 8 to JDK 10



  • The certificates are really different

    • JDK 10 has 80, while JDK 8 has 151


  • JDK 10 only recently had the certs added

    • https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates

    • http://openjdk.java.net/jeps/319


JDK 10



root@c339504909345:/opt/jdk-minimal/jre/lib/security # keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries


JDK 8



root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts # keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 151 entries


Steps to fix



I haven't checked which certificate chain is not being trusted, but the server's URL certs are valid... The cacerts from JDK 10 have a chain that's broken as of today. I can assert that because the download from https://download.java.net/java/GA/jdk10/10/binaries/openjdk-10_linux-x64_bin.tar.gz is being installed in a brand new Docker image.



  • I deleted the JDK 10 cacerts and replaced it with the JDK 8 one

  • Since I'm building Docker Images, I could quickly do that using Multi-stage builds

    • I'm building a minimal JRE using jlink as /opt/jdk/bin/jlink
      --module-path /opt/jdk/jmods...



So, here are the different paths and the sequence of the commands...



# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts
        answered Nov 11 at 7:59
        Marcello de Sales
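The answer swaps the whole JDK 10 cacerts for the JDK 8 one without knowing which trust anchor was missing, and the question's "Attempts" list shows the same guesswork with -Djavax.net.ssl.trustStore. The check a practitioner wants before copying a trust store around is a diff of the two stores by alias. The following is an added example, not the poster's code and not part of the original answer: a reader for the JKS v2 format that the keytool output above reports ("Keystore type: JKS"), which verifies the store's SHA-1 integrity trailer with the password, skips private-key entries, and lists the trusted-cert aliases one store has that the other lacks. It assumes the JDK's default cacerts password "changeit"; the two sample stores are constructed in-line with placeholder DER bytes, not real certificates, and the real file paths are the ones the answer shows.

```python
"""Diff two JKS trust stores (e.g. JDK 8 vs JDK 10 cacerts) by alias.

Added example: reads the JKS v2 format that `keytool -list` reports as
"Keystore type: JKS", verifies the SHA-1 integrity trailer with the store
password, and reports which trusted-cert aliases one store has that the
other lacks. The sample stores at the bottom are constructed with
placeholder bytes, not real certificates.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
DEFAULT_CACERTS_PASSWORD = "changeit"  # JDK default; assumed for your build


def _utf(s: str) -> bytes:
    """Java DataOutputStream.writeUTF: 2-byte length + (modified) UTF-8."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def _integrity_digest(body: bytes, password: str) -> bytes:
    """JKS trailer: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def build_jks(trusted: dict, password: str = DEFAULT_CACERTS_PASSWORD) -> bytes:
    """Serialise {alias: DER bytes} as a JKS v2 store of trusted-cert entries."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted))
    for alias, der in trusted.items():
        body += struct.pack(">I", TRUSTED_CERT_ENTRY) + _utf(alias)
        body += struct.pack(">Q", 0)  # creation timestamp (ms); zero for the sample
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(body, password)


def read_jks(data: bytes, password: str = DEFAULT_CACERTS_PASSWORD) -> dict:
    """Return {alias: DER bytes} for trusted-cert entries; private-key entries are skipped."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore (newer JDKs ship cacerts as PKCS12)")
    if data[-20:] != _integrity_digest(data[:-20], password):
        raise ValueError("integrity check failed: wrong password or modified file")
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _read_utf(data, pos)
        pos += 8  # creation timestamp
        if tag == PRIVATE_KEY_ENTRY:
            (key_len,) = struct.unpack_from(">I", data, pos)
            pos += 4 + key_len
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                _, pos = _read_utf(data, pos)  # certificate type
                (cert_len,) = struct.unpack_from(">I", data, pos)
                pos += 4 + cert_len
            continue
        if tag != TRUSTED_CERT_ENTRY:
            raise ValueError(f"unknown JKS entry tag {tag} at offset {pos - 4}")
        _, pos = _read_utf(data, pos)  # certificate type, "X.509"
        (cert_len,) = struct.unpack_from(">I", data, pos)
        pos += 4
        entries[alias] = data[pos:pos + cert_len]
        pos += cert_len
    return entries


def diff_truststores(old: dict, new: dict):
    """(aliases only in old, aliases only in new): the first list is what a migration loses."""
    return sorted(set(old) - set(new)), sorted(set(new) - set(old))


def diff_cacerts_files(old_path: str, new_path: str, password: str = DEFAULT_CACERTS_PASSWORD):
    """Same diff over real files, e.g. the JDK 8 and JDK 10 cacerts paths from the answer."""
    with open(old_path, "rb") as f_old, open(new_path, "rb") as f_new:
        return diff_truststores(read_jks(f_old.read(), password), read_jks(f_new.read(), password))


# Constructed sample: placeholder DER blobs standing in for root certificates.
JDK8_SAMPLE = build_jks({"rootca-a": b"\x30\x03\x02\x01\x01",
                         "rootca-b": b"\x30\x03\x02\x01\x02",
                         "rootca-c": b"\x30\x03\x02\x01\x03"})
JDK10_SAMPLE = build_jks({"rootca-a": b"\x30\x03\x02\x01\x01",
                          "rootca-d": b"\x30\x03\x02\x01\x04"})

if __name__ == "__main__":
    lost, gained = diff_truststores(read_jks(JDK8_SAMPLE), read_jks(JDK10_SAMPLE))
    print("anchors lost in migration:", lost)
    print("anchors gained:", gained)
```

Run diff_cacerts_files against the two paths in the answer (the JDK 8 store under /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts and the jlink'd JDK 10 store under /opt/jdk-minimal/jre/lib/security/cacerts) and the first list names the anchors the migration drops; matching one of them against the issuer of the server's chain tells you which single root to import with keytool, which is a smaller change than replacing the entire JDK 10 store with the JDK 8 one. The integrity check is deliberately not optional: a cacerts that fails it with the expected password is either a different store format or a modified file, and either case is worth knowing before the JVM trusts it.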