java.io.IOException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target #207
Comments
|
You should not configure custom trust in OkHttp, when you are using defaults it will pick JVM defaults with all root and intermediate system managed certificates and it should be suffice to connect to api.telegram.org. |
|
@roabol what do you mean "my application is on the server, which uses https"? |
|
@roabol what if you explicitly set api url to http? |
|
@pengrad when I run on my machine, it works normally. The problem only occurs on the server (google GCP) where I have a certificate (letsencrypt). # I will try this code that you mentioned. I really imagine that the problem is not in the API. But I'm not sure what to do. |
But with this configuration it already worked. And without doing anything under an https domain it doesn't work |
It's not about SSL of your server, it's about certificates that installed in OS (or Java?) which can't work with api.telegram.org. |
|
wait, but in code you posted above you use only Comodo certificate in |
yes, just like that |
|
hm, but you need certifate from api.telegram.com, it should be from godaddy and I may get it wrong, so please double check |
|
I know you may ask why it worked before - I don't know :) |
yes, how... I will try now |
|
I reviewed it several times, but it didn't work. I tried to import the certificate to /usr/java/jdk-11.0.6/lib/security/cacerts and to payara server also in $PAYARA_HOME/glassfish/domains/domain1/config/cacerts.jks, and nothing |
|
@roabol how about jdk you are using now and before, are they same? possible to run this: And there are couple of suggestions here https://stackoverflow.com/questions/9619030/resolving-javax-net-ssl-sslhandshakeexception-sun-security-validator-validatore Make sure after installing correct certificates in system you build bot without custom http client, just: |
|
No, I used jdk1.8.0_231, and upgraded to jdk-11.0.6, both from oracle. I can make a simple application in 1.8, to test it, but I can't get my application back to 1.8. I'll do the test and post the result here. Regarding ca-certificates-java, I couldn't find it, I use CentOS 7, so I ran yum search ca-certificates, and I only found ca-certificates.noarch: The Mozilla CA root certificate bundle, which is already installed. Even so, I ran the application as follows: TelegramBot bot = new TelegramBot (TOKEN); and it still didn't work. I had already seen this link that you sent, but I have not tested all alternatives, I will look more closely at them. Thank you for now @pengrad |
|
@roabol there is no need to use oracle jdk11 distribution under centos, that is the reason you have broken ca certificates authority. Just switch to openjdk-devel centos jdk package and it will pick correct ca certificates automatically. |
Thank @vitalyster , I'll try and put the result here! |
|
facing the same issue. trying to use any other hints. im using the lates 6.1.0 with openjdk-17. it was working just fine 5.0.1 and openjdk-11 |
|
Following on this case, i have tested the certificate directly using SSLPoke, and it seems working fine: so maybe there is something wrong with the internal OkHttp implementation |
|
ok solved by the same above workaround having custom OkHttpClient, this is how i got it: i still do hope that such thing is implemented internally without any need for such workaround |
|
this case is happening all the time and solved by itself. most probably it is an issue from telegram side and has nothing with this library or others. the same type of error is happening with many other libraries and developers |
**The situation is the same as described on 25 April 2019 (#160 (comment)). The difference is that we changed the server, a new installation. But from what I understood at the time, what made it work was the custom OkHttpClient. Here is the implementation of the class:
Remembering that this error only happens when my application is on the server, which uses https**
`public class BuilderCustomTelegram {
private final String token;
public BuilderCustomTelegram(String token) {
this.token = token;
}
public TelegramBot getTelegramBot() {
X509TrustManager trustManager;
SSLSocketFactory sslSocketFactory;
}
private KeyStore newEmptyKeyStore(char[] password) throws GeneralSecurityException {
try {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream in = null; // By convention, 'null' creates an empty key store.
keyStore.load(in, password);
return keyStore;
} catch (IOException e) {
throw new AssertionError(e);
}
}
private X509TrustManager trustManagerForCertificates(InputStream in) throws GeneralSecurityException {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(in);
if (certificates.isEmpty()) {
throw new IllegalArgumentException("expected non-empty set of trusted certificates");
}
}
private InputStream trustedCertificatesInputStream() {
// PEM files for root certificates of Comodo and Entrust. These two CAs are sufficient to view
// https://publicobject.com (Comodo) and https://squareup.com (Entrust). But they aren't
// sufficient to connect to most HTTPS sites including https://godaddy.com and https://visa.com.
// Typically developers will need to get a PEM file from their organization's TLS administrator.
String comodoRsaCertificationAuthority = ""
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEiDCCA3CgAwIBAgIQIZasKdlbfwsnz6AiPh7PVDANBgkqhkiG9w0BAQsFADBI\n"
+ "MRswGQYDVQQDExJFU0VUIFNTTCBGaWx0ZXIgQ0ExHDAaBgNVBAoTE0VTRVQsIHNw\n"
+ "b2wuIHMgci4gby4xCzAJBgNVBAYTAlNLMB4XDTIwMDEyMjAwMDAwMFoXDTIyMDQy\n"
+ "MTIzNTk1OVowggEbMRUwEwYDVQQFEwxMMDcwMDAxMTMzMjExEzARBgsrBgEEAYI3\n"
+ "PAIBAxMCVVMxGDAWBgsrBgEEAYI3PAIBAhMHRmxvcmlkYTEdMBsGA1UEDxMUUHJp\n"
+ "dmF0ZSBPcmdhbml6YXRpb24xCzAJBgNVBAYTAlVTMQ4wDAYDVQQREwUzMzcwMTEQ\n"
+ "MA4GA1UECBMHRmxvcmlkYTEZMBcGA1UEBxMQU0FJTlQgUEVURVJTQlVSRzEnMCUG\n"
+ "A1UECRMeMTQ2IFNFQ09ORCBTVFJFRVQgTi4gU1VJVEUgMjAxMSAwHgYDVQQKExdS\n"
+ "YXBpZCBXZWIgU2VydmljZXMsIExMQzEfMB0GA1UEAxMWd3d3LmNvbW9kb3NzbHN0\n"
+ "b3JlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKLf1o/6IKeh\n"
+ "MDUIs/mk8F5Vb5MUun1DNfNcob/gXQ006gvfBYgb/HB9V6GxXp9Y0o9W+uuO3X9T\n"
+ "QJmfSytppTIcT5sMfr+BatZXJIb6083PlHEw4e2/2kGgC3AeYs401GYYKWSUlygm\n"
+ "1VwZIYnWmp5evJvpbox5cZ0ASwdOjiduVN/Qm62IqcXB8K4ekDb2VK0L6zirRjTE\n"
+ "mpbrHyuECYhNH3Uzaz/swnVfa8CRkS2UvUiXiXSazz5qtbf5lXSNi/tyrmMQr3Oj\n"
+ "Pz3/AyTo+hvGSTia4iPje3B4EUJ8D3eLMuSsTjizAHx+1bWXpYymRgb6kMtzQc6C\n"
+ "2ZFw488Ko40CAwEAAaOBmDCBlTAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG\n"
+ "AQUFBwMBBggrBgEFBQcDAjA1BgNVHREELjAsghZ3d3cuY29tb2Rvc3Nsc3RvcmUu\n"
+ "Y29tghJjb21vZG9zc2xzdG9yZS5jb20wDgYDVR0PAQH/BAQDAgWgMB8GA1UdIwQY\n"
+ "MBaAFHOMID6LT/zrhQQxbbv3834Lbv6bMA0GCSqGSIb3DQEBCwUAA4IBAQBeI3df\n"
+ "uBRjce9g3ng8fLNi6hw+D+W5Fof0h4jEbrXzTSMcJxEylK0JrWOsyV9CvKZjzghG\n"
+ "18gE+6dr7pLfMNbHYjJ1ZT9U/zD55xUrbt4CeB5U3sL/KfryYQ/yekT9YBoK9MeQ\n"
+ "0G2fRYEhWIwHxeulJPPeyPSF52iJRp/234ccrjGDS7Qt7Jrdf2anO+0CcuoxS9Oz\n"
+ "/fJEkjlCIenqeoffbkiXxvv72If0YmRpvDS7OPiOR1CStLo2E3D7h/Bzu4p+CS4f\n"
+ "t2ZUsB3PTwM/j0FvWI7UV27f2mpqRlMebS4v+sgR174LMVzp3R7VM/VJWPsY3wwL\n"
+ "S3wGpBrU4o4sAdtU\n"
+ "-----END CERTIFICATE-----";
}
}
`
And this is the error:
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.pengrad.telegrambot.impl.TelegramBotClient.send(TelegramBotClient.java:67)
at com.pengrad.telegrambot.TelegramBot.execute(TelegramBot.java:42)
at br.com.portal.web.view.administracao.telegram.teste.TelegramTesteView.enviarPeloTelegramBot(TelegramTesteView.java:123)
at br.com.portal.web.view.administracao.telegram.teste.TelegramTesteView.enviar(TelegramTesteView.java:68)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at com.sun.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:153)
at com.sun.el.parser.AstValue.invoke(AstValue.java:261)
at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:237)
at org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40)
at org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:65)
at javax.faces.event.MethodExpressionActionListener.processAction(MethodExpressionActionListener.java:124)
at javax.faces.event.ActionEvent.processListener(ActionEvent.java:72)
at javax.faces.component.UIComponentBase.broadcast(UIComponentBase.java:490)
at javax.faces.component.UICommand.broadcast(UICommand.java:211)
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:847)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1396)
at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:58)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:76)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:177)
at javax.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:707)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:451)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1636)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:331)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:211)
at org.primefaces.webapp.filter.FileUploadFilter.doFilter(FileUploadFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:253)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:211)
at br.com.portal.web.filter.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:33)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:253)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:211)
at br.com.sigmax.web.servlet.HSTSFilter.doFilter(HSTSFilter.java:31)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:253)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:211)
at br.com.sigmax.web.servlet.SecurityFilter.doFilter(SecurityFilter.java:69)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:253)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:211)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:257)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:757)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:158)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:371)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:238)
at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:520)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:217)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:182)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:156)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:218)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1337)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1212)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1155)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:450)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:427)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:320)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:284)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:169)
at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:258)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:127)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:257)
at okhttp3.RealCall.execute(RealCall.java:93)
at com.pengrad.telegrambot.impl.TelegramBotClient.send(TelegramBotClient.java:64)
... 66 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1321)
... 96 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 102 more
The text was updated successfully, but these errors were encountered: