How to avoid "PKIX path building failed" error while querying Kusto with Java SDK?

Question

I'm using Java SDK for Kusto (Azure Data Explorer).

<groupId>com.microsoft.azure.kusto</groupId>
<artifactId>kusto-data</artifactId>
<version>5.0.3</version>

I'm connecting to kusto with an aad app registration and when I'm trying to execute a query I'm getting this error:

com.microsoft.azure.kusto.data.exceptions.DataServiceException: IOException when trying to retrieve cluster metadata:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.microsoft.azure.kusto.data.auth.CloudInfo.lambda$retrieveCloudInfoForCluster$0(CloudInfo.java:108)
    at com.microsoft.azure.kusto.data.ExponentialRetry.execute(ExponentialRetry.java:39)
    at com.microsoft.azure.kusto.data.auth.CloudInfo.retrieveCloudInfoForCluster(CloudInfo.java:100)
    at com.microsoft.azure.kusto.data.auth.CloudDependentTokenProviderBase.lambda$initialize$0(CloudDependentTokenProviderBase.java:38)
    at com.microsoft.azure.kusto.data.instrumentation.MonitoredActivity.invoke(MonitoredActivity.java:33)
    at com.microsoft.azure.kusto.data.auth.CloudDependentTokenProviderBase.initialize(CloudDependentTokenProviderBase.java:37)
    at com.microsoft.azure.kusto.data.auth.TokenProviderBase.acquireAccessToken(TokenProviderBase.java:30)
    at com.microsoft.azure.kusto.data.ClientImpl.generateIngestAndCommandHeaders(ClientImpl.java:405)
    at com.microsoft.azure.kusto.data.ClientImpl.executeToJsonResult(ClientImpl.java:213)
    at com.microsoft.azure.kusto.data.ClientImpl.executeImpl(ClientImpl.java:173)
    at com.microsoft.azure.kusto.data.ClientImpl.lambda$execute$0(ClientImpl.java:122)
    at com.microsoft.azure.kusto.data.instrumentation.MonitoredActivity.invoke(MonitoredActivity.java:33)
    at com.microsoft.azure.kusto.data.ClientImpl.execute(ClientImpl.java:121)
    at com.microsoft.azure.kusto.data.ClientImpl.execute(ClientImpl.java:116)
    at com.microsoft.azure.kusto.data.ClientImpl.execute(ClientImpl.java:111)

I tried to add microsoft ca certificates to my JDK using keytool but it didn't help. I'm still not able to perform the query and I don't understand why.

Answer 1

com.microsoft.azure.kusto.data.exceptions.DataServiceException: IOException when trying to retrieve cluster metadata: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

According to this SO-Answer by Theri Muthu Selvam:

• This problem primarily arises because the application within our system, designed to safeguard against security breaches, is blocking the request.
• You can ignore the error while querying Kusto with the Java SDK. You need to import the SSL certificate to the default Java keystore. The default Java keystore typically already has all the CA root certificates. However, there might be some exceptions. For example, a different root certificate might sign the ingestion endpoint certificate.

Check if the SSL certificate that was used to sign the Kusto endpoint is already present in the default keystore with this command:

Command:

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts > temp.txt

Command:

Import the SSL certificate to the default Java Keystore using the following command:

keytool -keystore  "$JAVA_HOME/jre/lib/security/cacerts" -import -alias "<some-meaningful-name>" -file "<downloaded-ssl-certificate-file>"
password: changeit

Reference:

• Troubleshoot Azure Monitor Application Insights for Java - Azure | Microsoft Learn
• SSL Certificate Validation for Java Applications - Bing Maps | Microsoft Learn