SunCertPathBuilderException at image amazoncorretto:21 #195

Open
raphaeljpb opened this issue Feb 20, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@raphaeljpb

I'm having problems adding a custom certificate to the Java cacerts. It works on image amazoncorretto:21.0.2-al2023-headless, but throws an exception on image amazoncorretto:21. I'm using keytool to import the certificate. Is there any difference between the two images related to keytool and cacerts management?

amazoncorretto:21

sijurel | javax.net.ssl|ERROR|A2|http-nio-7070-exec-1|2024-02-20 15:18:47.664 BRT|TransportContext.java:370|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
sijurel | "throwable" : {
sijurel | sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sijurel | at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)

amazoncorretto:21.0.2-al2023-headless

sijurel | 14:10:29 DEBUG - jdk.event.security : ValidationChain: 3822549688, 2605480992
sijurel | 14:10:29 DEBUG - jdk.event.security : X509Certificate: Alg:SHA1withRSA, Serial:ce7e0e517d846fe8fe560fc1bf03039, Subject:CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US, Issuer:CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US, Key type:RSA, Length:2048, Cert Id:3434562768, Valid from:11/9/06, 9:00 PM, Valid until:11/9/31, 9:00 PM
.....

@raphaeljpb raphaeljpb added the bug Something isn't working label Feb 20, 2024
@lutkerd
Contributor

lutkerd commented Feb 21, 2024

The images contain a different set of certificates in the keystore. The amazoncorretto:21 has all of the certificates from Amazon Linux 2 as well as those from upstream OpenJDK; amazoncorretto:21.0.2-al2023-headless only contains the certificates from Amazon Linux 2023. The error seems to say that some intermediate certificates in the chain are missing and those should be added before adding this certificate that is failing.
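
The reply above points at missing intermediate certificates that have to be imported first. As an added example (not code from the Corretto project or from either commenter), this shell sketch walks a server chain by issuer name against a dump of the image's truststore and names the issuer that is absent; it assumes `openssl` is installed, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example. Matching is by distinguished name only; it does not check
# signatures, validity dates or key identifiers as PKIX validation does.
# Assumed inputs (hypothetical file names):
#   chain.pem   - the server's certificates, leaf first
#   anchors.pem - truststore dump: keytool -list -rfc -cacerts -storepass changeit

# Print "subject<TAB>issuer" for each certificate in a PEM file. Text outside
# the BEGIN/END markers (such as keytool's alias headers) is ignored.
pem_names() {
  tmp=$(mktemp -d) || return 1
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { on = 1; f = sprintf("%s/%04d.pem", d, ++n) }
    on { print > f }
    /-----END CERTIFICATE-----/ { on = 0; close(f) }' "$1"
  for f in "$tmp"/*.pem; do
    [ -f "$f" ] || continue
    s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    printf '%s\t%s\n' "$s" "$i"
  done
  rm -rf "$tmp"
}

# Walk from the leaf towards a trust anchor. Prints the result and returns 0
# when an anchor is reached, 1 when an issuer is missing.
chain_gaps() {
  chain=$(pem_names "$1")
  anchors=$(pem_names "$2" | cut -f1)
  cur=$(printf '%s\n' "$chain" | head -n 1)
  [ -n "$cur" ] || { echo "MISSING: no certificate found in $1"; return 1; }
  hops=0
  while [ "$hops" -lt 10 ]; do
    subj=$(printf '%s\n' "$cur" | cut -f1)
    iss=$(printf '%s\n' "$cur" | cut -f2)
    for dn in "$subj" "$iss"; do
      if printf '%s\n' "$anchors" | grep -Fxq -- "$dn"; then
        echo "TRUSTED: $dn"; return 0
      fi
    done
    next=$(printf '%s\n' "$chain" | DN="$iss" awk -F'\t' '$1 == ENVIRON["DN"] { print; exit }')
    if [ "$subj" = "$iss" ] || [ -z "$next" ]; then
      echo "MISSING: $iss"; return 1
    fi
    cur=$next; hops=$((hops + 1))
  done
  echo "MISSING: chain longer than 10 certificates"; return 1
}
```

Import the issuer reported as `MISSING` with `keytool -importcert -cacerts`, regenerate the truststore dump, and rerun `chain_gaps` until the walk ends in `TRUSTED`.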
