Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Write Table now available in Qlik Cloud Analytics: Read Blog
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
DBS1
Contributor III
Contributor III
‎2024-03-15 08:22 AM

javax.net.ssl.SSLHandshakeException: PKIX path building failed

Hi Team

I was having a job which was running without any issues for last few months. But suddenly the job got failed with the below issue.

Exception in component Common_Access_token_Generator_1_tREST_2
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155)
at com.sun.jersey.api.client.Client.handle(Client.java:652)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:570)

Please help in resolving this issue.

Labels (4)
Labels
1 user say ditto
41,678 Views
5 Replies
StephanieR
Luminary
Luminary
‎2024-03-15 08:27 AM

https://stackoverflow.com/questions/6659360/how-to-solve-javax-net-ssl-sslhandshakeexception-error?n...
Check out this article - not sure on all of your specifics here but I think it will help, sounds like you have a cert issue, again hard to say why this happened if it was working well
41,665 Views
0 Likes
DBS1
Contributor III
Contributor III
‎2024-03-15 01:35 PM
Author

In response to StephanieR

Thanks for the reply.

I could see that the jobs are now running without any issues. But we haven't done any system level or job level changes as well.

Could you help me what is the actual issue here.

41,628 Views
0 Likes
Xiaodi_Shi
Employee
Employee
‎2024-03-18 10:13 PM

In response to DBS1

Hello,

Please make sure that you insert the the CAcert into your JDK truststore.

Double check your <studio Home>\studio\<studio>.ini file to see if you're using a specific trust store.
-Djavax.net.ssl.trustStore=
-Djavax.net.ssl.trustStorePassword=

If this property does not exist in ini. It'll be the default JDK's truststore you're using for studio.

https://community.qlik.com/t5/Official-Support-Articles/Talend-Studio-How-to-set-a-truststore-for-an...

Best regards

Sabrina

41,598 Views
0 Likes
naveen52
Contributor
Contributor
‎2024-09-03 05:41 PM

I am getting error on my site :

Unexpected exception: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=server-CA" is not a CA certificate PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=server-CA" is not a CA certificate

 

How to fix this issue

39,076 Views
0 Likes
jeoste
Creator II
Creator II
yesterday

Is your certificate actually declared as a Certificate Authority (CA)?

It looks like your "server-CA" certificate does not match the strict validation rules for a Trust Anchor. The extension CA=true is missing

You can verify this by inspecting the certificate using keytool:

Open a terminal in the folder where your .crt file is located.

Run the following command (replace your-ca-cert.crt with your actual filename):

cmd : keytool -printcert -file your-ca-cert.crt -v

You should see something like this:

ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

If you see CA:false or if BasicConstraints is missing entirely: The certificate is invalid for use as a Root CA/Trust Anchor. Java will refuse to use it to sign or validate other certificates.

You must regenerate the CA certificate (using OpenSSL or Keytool) and explicitly ensure the extension BasicConstraints=critical,CA:true is included during generation.

38 Views
0 Likes