Why does httpclient behave differently on DO droplets (SSL-related)?
On my Ubuntu (16.04) developer. Environment. However, I can create a default httpclient
and send requests to an https
endpoint (e.g. Slack). Environment. (DO droplet with Ubuntu 14.04) I get this error:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
EDIT: Still trying to fix this… I’m guessing the DO droplet with Java (Oracle) installed doesn’t have the same certificate as the Ubuntu desktop image. I added the Slack certificate (obtained through this InstallCert
tool mentioned elsewhere in SO) to cacerts
(and ran update-ca-certificates
) to no use.
Solution
Your Java cacerts may be missing a geotrust root.
You can use keytool to see which certificates are trusted.
For example, for oracle JVM:
keytool -list -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
Look for entries with the correct signature, i.e.:
debian:geotrust_global_ca.pem, 18/05/2015, trustedCertEntry,
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
If it is not trusted, you can install it, download it from the following location:
https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
Install it
keytool -import -trustcacerts -file GeoTrust_Global_CA.pem -alias GeoTrust_Global_CA -keystore $JAVA_HOME/jre/lib/security/cacerts