Hello Everyone!
I spent a large part of yesterday and this morning trying to debug an SSL
problem on Tomcat 8.5.57 to no avail. I've seen some discussion on either this
problem or something related back in 2016, but wanted to confirm what the
"correct" solution might be, because I got lost in the threads.
I never had this problem with Tomcat 7.0.x, but it started once I upgraded to
8.5.57 (same application code), and it is related to making outgoing SSL
connections to web services. And this is NOT related to a self-signed certificate, but to
a commercial (GoDaddy) SSL certificate, albeit on a server that I also run in
the cloud.
The exception being thrown when trying to connect to an SSL-protected web
service is:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
although the exact same code worked (and still works on other servers) reliably
under Tomcat 7.0.x for several years.
Now, here is the weird part: after Googling around, I thought the problem
might be that Tomcat 8.5.5 and later -- at least this is the gist that I got --
no longer finds the 'default' Java certificate store (cacerts), so I added the
following to /bin/catalina.sh (running on a Mac 10.14 / Mojave):
export
-Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts
The weird part is that this appeared to fix the problem, so I thought I was
done. Then, I rebooted, and the problem re-appeared!
I stopped and started Tomcat, and the problem was resolved again. I rebooted
again, and the problem re-appeared.
Previously, when it worked, I refreshed the page several times, and it kept
working. When it doesn't work, if I keep refreshing the page, it continues to
throw the exception.
Does this mean that some "worker threads" can find the certificate store, and
others can't? Or am I going down the wrong rabbit hole?
So, any idea? The intermittent nature is driving me crazy!
And I can reproduce the problem on two separate servers (both Mac 10.14 /
Mojave, both Java 1.8.0), one (new server) running 8.5.57 and one (slightly
older server) running 8.5.35. But again, I have several 7.0.x instances where
I've never seen this problem before.
Also, the generic 'SSLPoke' always connects to the service, and it appears that
if I run (mostly) the same code from the command line outside of Tomcat (javac
/ java) it always works. And if I paste the web service URL into Safari or
Chrome, it always works. And if I use the web service URL with curl (just for
good measure), it always works. So it only seems to fail under Tomcat 8.5.x.
Thanks in advance for any guidance, as I'm running out of things to Google and
try.
Regards,
Dave.
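A diagnostic added here as an example; it is not code from the original post or from Tomcat. It prints the trust store this JVM actually resolves (the javax.net.ssl.trustStore property if set, otherwise jssecacerts and then cacerts under java.home, which is how JSSE resolves it), fetches the remote server's certificate chain with a capturing trust manager so the chain is visible even when validation would fail, and then runs that chain through the JVM's default trust manager, which is the same validation that produces "PKIX path building failed". Run it once from the command line (java TrustStoreProbe host 443) and once inside the Tomcat JVM (put the class under WEB-INF/classes and call TrustStoreProbe.probe(host, port) from a JSP), then compare the two outputs. The host and port are placeholders.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Report which trust store this JVM resolves, fetch a server's certificate
 * chain, and validate that chain with the JVM's default trust manager.
 * Added diagnostic example; not from the original post or from Tomcat.
 */
public class TrustStoreProbe {

    /** Records the presented chain and accepts it. Diagnostic use only, never for real traffic. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        String authType;
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { chain = c; authType = a; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Resolve the trust store the way JSSE does: property, else jssecacerts, else cacerts. */
    static File effectiveTrustStore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) {
            return new File(configured);
        }
        File secDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(secDir, "jssecacerts");
        return jsse.exists() ? jsse : new File(secDir, "cacerts");
    }

    /** Default X509TrustManager, built from the same store the JVM uses for outgoing TLS. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);          // null = use javax.net.ssl.trustStore / cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager in default factory");
    }

    /** Handshake with the capturing manager so the chain is obtained even if validation would fail. */
    static CapturingTrustManager fetchChain(String host, int port) throws Exception {
        CapturingTrustManager cap = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { cap }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return cap;
    }

    /** Build a report; callable from a JSP inside Tomcat or from main() on the command line. */
    public static String probe(String host, int port) {
        StringBuilder out = new StringBuilder();
        out.append("java.home    = ").append(System.getProperty("java.home")).append('\n');
        out.append("java.version = ").append(System.getProperty("java.version")).append('\n');
        out.append("javax.net.ssl.trustStore = ").append(System.getProperty("javax.net.ssl.trustStore")).append('\n');
        File ts = effectiveTrustStore();
        out.append("effective trust store = ").append(ts.getAbsolutePath())
           .append(ts.canRead() ? " (readable)\n" : " (NOT readable)\n");
        try {
            X509TrustManager tm = defaultTrustManager();
            out.append("trusted issuers loaded = ").append(tm.getAcceptedIssuers().length).append('\n');
            CapturingTrustManager cap = fetchChain(host, port);
            out.append("chain presented by ").append(host).append(':').append(port).append('\n');
            for (X509Certificate c : cap.chain) {
                out.append("  subject=").append(c.getSubjectX500Principal().getName())
                   .append("\n  issuer =").append(c.getIssuerX500Principal().getName()).append('\n');
            }
            try {
                tm.checkServerTrusted(cap.chain, cap.authType);   // same check JSSE applies
                out.append("validates against effective trust store: YES\n");
            } catch (CertificateException e) {
                out.append("validates against effective trust store: NO (").append(e.getMessage()).append(")\n");
            }
        } catch (Exception e) {
            out.append("probe failed: ").append(e).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "www.example.com";   // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        System.out.println(probe(host, port));
    }
}
```

Things to look for when diffing the two reports: a different java.home or a different effective trust store path between the command-line run and the Tomcat run (the JVM that launchd or a startup script picks after a reboot need not be the one on your shell's PATH), a store that is not readable by the Tomcat user, an issuer count of 0, or a presented chain that ends at an intermediate whose issuer is not among the trusted issuers. The last line of the report tells you whether the failure is reproducible from that JVM with that store, independent of any worker thread.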