Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


java - SSLPeerUnverifiedException: peer not authenticated

Yet again, the dreary problem of SSLPeerUnverified, but I'm not using self-signed certificates. I try to connect to a host using HTTPS. This host has a correct certificate; neither Firefox nor HttpsUrlConnection has any problems with it. However, trying to connect using HttpClient, I get the dreaded exception.

Any clues? Or a tip on where to look closer?

Thanks!

Edit: Debug output

    main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    main, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


1 Reply


It seems that you need to import the certificate into the trusted keystore your JVM is using. If you are not using a different trusted keystore in your application, this will be "cacerts".

You can follow a step-by-step guide at "How to Fix 'SSLPeerUnverifiedException: peer not authenticated' Exception in Groovy / Java".

Short version:

  1. Run the following command, replace $ADDRESS with the URL, minus the "https://":

    echo -n | openssl s_client -connect $ADDRESS:443 | 
      sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/$ADDRESS.cert
    
  2. Run the following command, replace $ALIAS with a short name for the key, $ADDRESS with the cert name from above, $PATH with the path to cacerts in your JRE.

     sudo keytool -importcert -alias "$ALIAS" -file /tmp/$ADDRESS.cert \
       -keystore $PATH/cacerts -storepass changeit
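
The certificate saved in step 1 comes from a connection that nothing has authenticated yet, so importing it as-is trusts whatever answered on port 443. The following is an added example, not part of the original answer: it gates the `keytool` import on a SHA-256 fingerprint obtained through a separate trusted channel. The function names and the idea of supplying a pinned fingerprint are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: refuse to import a fetched certificate unless its SHA-256
# fingerprint equals one obtained out-of-band (e.g. from the site operator).
# Function names are hypothetical; only openssl and keytool are real tools.

# Normalise a fingerprint: drop any "sha256 Fingerprint=" prefix, colons and
# whitespace, and upper-case the hex digits so formats compare equal.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the first certificate in a PEM file.
# Prints an empty string if the file is not a parseable certificate.
cert_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# Succeeds only if the file parses as a certificate AND matches the pin.
fp_matches() {
    local cert="$1" expected actual
    expected="$(normalize_fp "$2")"
    actual="$(cert_fp "$cert")"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Import into the given truststore only after the pin check passes.
# -noprompt is acceptable here because the trust decision was made above.
import_if_pinned() {
    local cert="$1" pin="$2" alias="$3" keystore="$4" storepass="$5"
    if ! fp_matches "$cert" "$pin"; then
        echo "refusing import: fingerprint of $cert does not match the pin" >&2
        return 1
    fi
    # Show what is about to be trusted, for the operator's record.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    keytool -importcert -noprompt -alias "$alias" -file "$cert" \
        -keystore "$keystore" -storepass "$storepass"
}

# Usage (values are placeholders):
#   import_if_pinned /tmp/host.cert "AA:BB:...:FF" myhost /path/to/cacerts changeit
```

Pointing the keystore argument at a copy of `cacerts` used only by the affected application (via `-Djavax.net.ssl.trustStore`) keeps the extra trust anchor out of every other program on the same JRE.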
    
