I've got an application that was running on Glassfish 2.1. After a migration to use Glassfish 5.1 I'm facing a problem. Every time that my application is making any request to an external API or Amazon SQS, for example, I'm getting the following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Before the migration, all the requests were working successfully.
I've already tried to set these properties:
System.setProperty("com.sun.net.ssl.checkRevocation", "false");
System.setProperty("javax.net.ssl.trustStore", "clientTrustStore.key");
System.setProperty("javax.net.ssl.trustStorePassword", "qwerty");
And added this into the domain.xml:
<jvm-options>-Djava.net.preferIPv4Stack=true</jvm-options>
And also, I've already tried to create a custom class implementing X509TrustManager.
Can anyone help me to solve this issue?
I already tried all the solutions above and the error is still the same.
This is because you call the external API via HTTPS and GlassFish only allows such connections if the external service presents a certificate that GlassFish can trust.
GlassFish only trusts certificates that are in the trust store file cacerts.jks in the GlassFish domain. It's possible that GlassFish 2 didn't have this requirement and it allowed connections to any external service.
There's a discussion about this on the GlassFish issue tracker: https://github.com/eclipse-ee4j/glassfish/issues/24523#issuecomment-1657651280
A solution is to download the certificate presented by the external API and install it into the cacerts.jks file, which is in the config directory of the GlassFish domain. You can use the keytool command line tool available in the JDK.
Alternatively, you can import all certificates from your JDK into the cacerts.jks file. It's likely that it's enough if the external services present certificates signed by trusted public authorities.
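
One way to carry out the keytool import described in the answer above, as an added example that is not part of the original answer: a shell wrapper that installs the downloaded certificate into cacerts.jks only if its SHA-256 fingerprint matches a value obtained out of band from the API owner. The function names, the alias, the domain path and the "changeit" store password are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Paths, alias and password
# used in the usage comment are assumptions; adjust them to your domain.

# normalize_fp FP: strip colons/spaces and upper-case the hex digits,
# so fingerprints pasted in different styles compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# cert_sha256 FILE: SHA-256 fingerprint of a certificate file as reported
# by keytool -printcert. Prints nothing if the file cannot be parsed.
cert_sha256() {
  normalize_fp "$(keytool -printcert -file "$1" | sed -n 's/^.*SHA256: *//p')"
}

# trust_cert STORE STOREPASS ALIAS CERTFILE EXPECTED_SHA256
# Imports CERTFILE into STORE only when its fingerprint equals the expected
# value; fails closed on a mismatch or an unreadable certificate.
trust_cert() {
  store=$1; pass=$2; alias=$3; cert=$4
  expected=$(normalize_fp "$5")
  actual=$(cert_sha256 "$cert")
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "refusing import: fingerprint '$actual' does not match expected" >&2
    return 1
  fi
  # Nothing to do if the alias is already in the trust store.
  if keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
    echo "alias $alias already present in $store" >&2
    return 0
  fi
  [ -f "$store" ] && cp -p "$store" "$store.bak"   # keep a rollback copy
  keytool -importcert -noprompt -alias "$alias" -file "$cert" \
          -keystore "$store" -storepass "$pass"
}

# Usage (assumed default domain layout and store password):
#   trust_cert "$GF_HOME/glassfish/domains/domain1/config/cacerts.jks" changeit \
#              external-api api.pem "<SHA-256 fingerprint from the API owner>"
```

Restart the domain after a successful import so the JVM reloads the trust store.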