Hello Everyone! I spent a large part of yesterday and this morning trying to debug an SSL problem on Tomcat 8.5.57 to no avail. I've seen some discussion on either this problem or something related back in 2016, but wanted to confirm what the "correct" solution might be, because I got lost in the threads.
I never had this problem with Tomcat 7.0.x, but it started once I upgraded to 8.5.57 (same application code), and it is related to making outgoing SSL connections to web services. And this is NOT related to a self-signed, but to a commercial (GoDaddy) SSL certificate, albeit on a server that I also run in the cloud. The exception being thrown when trying to connect to an SSL-protected web service is:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

although the exact same code worked (and still works on other servers) reliably under Tomcat 7.0.x for several years.

Now, here is the weird part: after Googling around, I thought the problem might be that Tomcat 8.5.5 and later -- at least this is the gist that I got -- no longer finds the 'default' Java certificate store (cacerts), so I added the following to /bin/catalina.sh (running on a Mac 10.14 / Mojave):

export -Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts

The weird part is that this appeared to fix the problem, so I thought I was done. Then, I rebooted, and the problem re-appeared! I stopped and started Tomcat, and the problem was resolved again. I rebooted again, and the problem re-appeared. Previously, when it worked, I refreshed the page several times, and it kept working. When it doesn't work, if I keep refreshing the page, it continues to throw the exception. Does this mean that some "worker threads" can find the certificate store, and others can't? Or am I going down the wrong rabbit hole? So, any idea? The intermittent nature is driving me crazy! And I can reproduce the problem on two separate servers (both Mac 10.14 / Mojave, both Java 1.8.0), one (new server) running 8.5.57 and one (slightly older server) running 8.5.35.
But again, I have several 7.0.x instances where I've never seen this problem before. Also, the generic 'SSLPoke' always connects to the service, and it appears that if I run (mostly) the same code from the command line outside of Tomcat (javac / java) it always works. And if I paste the web service URL into Safari or Chrome, it always works. And if I use the web service URL with curl (just for good measure), it always works. So it only seems to fall under Tomcat 8.5.x. Thanks in advance for any guidance, as I'm running out of things to Google and try. Regards, Dave.
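The useful comparison for a PKIX "unable to find valid certification path" error is what the JVM inside Tomcat actually sees versus what the command-line JVM sees: the trust store path it resolved, how many CA roots it loaded, and whether the issuer's root is among them. The following diagnostic is an added example, not code from the original post and not part of Tomcat. It assumes a hypothetical class name (TrustStoreProbe), a subject substring to look for (defaulting to "Go Daddy", the issuer named above), and an optional service URL passed on the command line. Run it once with plain java and once from inside Tomcat (wrapped in a JSP or servlet) and compare the output line by line, both after a reboot and after a manual stop/start.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.File;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

/**
 * Hypothetical diagnostic (added example, not Tomcat code): reports which trust
 * store this JVM resolves, how many CA roots it loaded, whether a root whose
 * subject contains a given string is among them, and optionally attempts a TLS
 * handshake to a URL, printing the full cause chain on failure.
 *
 * Usage: java TrustStoreProbe [https://service.example/path] [issuerSubstring]
 */
public class TrustStoreProbe {

    /** Mirrors JSSE's default lookup: explicit property, else jssecacerts, else cacerts. */
    static File effectiveTrustStore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null && !configured.isEmpty()) {
            return new File(configured);
        }
        String javaHome = System.getProperty("java.home");
        File jssecacerts = new File(javaHome, "lib/security/jssecacerts");
        return jssecacerts.exists() ? jssecacerts : new File(javaHome, "lib/security/cacerts");
    }

    /** Loads the JVM's default trust managers; a null KeyStore means "use the configured store". */
    static X509Certificate[] acceptedIssuers() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : null;
        String issuerHint = args.length > 1 ? args[1] : "Go Daddy";

        File store = effectiveTrustStore();
        System.out.println("java.home                = " + System.getProperty("java.home"));
        System.out.println("java.version             = " + System.getProperty("java.version"));
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("effective trust store    = " + store
                + " (exists=" + store.exists() + ", readable=" + store.canRead() + ")");

        X509Certificate[] roots = acceptedIssuers();
        int matching = 0;
        for (X509Certificate c : roots) {
            // RFC 2253 subject, e.g. "CN=Go Daddy Root Certificate Authority - G2,O=..."
            if (c.getSubjectX500Principal().getName().contains(issuerHint)) {
                matching++;
            }
        }
        System.out.println("trusted roots loaded     = " + roots.length);
        System.out.println("roots matching '" + issuerHint + "' = " + matching);

        if (url != null) {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(10_000);
            conn.setReadTimeout(10_000);
            try {
                System.out.println("handshake to " + url + " OK, HTTP " + conn.getResponseCode());
                System.out.println("negotiated cipher suite  = " + conn.getCipherSuite());
            } catch (SSLHandshakeException e) {
                // The PKIX message usually sits two or three levels down the cause chain
                System.out.println("handshake FAILED:");
                for (Throwable t = e; t != null; t = t.getCause()) {
                    System.out.println("  " + t.getClass().getName() + ": " + t.getMessage());
                }
            }
        }
    }
}
```

Two things to read off the output. If "javax.net.ssl.trustStore" prints null inside Tomcat, the property never reached the JVM's command line: catalina.sh sources bin/setenv.sh and passes CATALINA_OPTS to java, so a line such as export CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=/path/to/cacerts" in setenv.sh is the usual way to set it. If the property is null after a reboot but set after a manual stop/start, the two launch environments (the service launcher versus an interactive shell) are supplying different variables, which would explain the on/off behaviour without any per-thread difference. If the property is set in both cases but "roots matching" is 0, the store at that path simply lacks the issuer's root, and keytool -list -keystore <path> -storepass changeit will show what it does contain.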