Restcall fails because JVM says it is unable to find valid certification path to requested target

3
When consuming webservices, sometimes the JVM says it is "unable to find valid certification path to requested target". The publishing server, tieka.nl, has a valid certificate from authority 'Let's Encrypt'. I have no way to retrieve the certificate, cannot download it from any browser and the provider does not give it to me. Also, how should I make the certificate known to the JVM? It is the second time that I have come across this problem. The previous one was with consuming a service of BAG, Basisregistratie adressen en gebouwen, a governmental institute, so maximum trustworthy. Their certificate comes from authority Quovadis. So it is not likely that the problem is the certificate. Apparently the JVM does not find the certificate. In other words, how can I solve this problem?

    com.mendix.modules.microflowengine.MicroflowException: Error calling REST service
        at PostalcodeHousenumber.ACT_LUTieka_Get_AddressData (CallRest : 'Call REST PDOK/suggest postcode+huisnummerRecieve address-id')
        at PostalcodeHousenumber.SUB_Address_GetList (SubMicroflow : 'ACT_LUTieka_Get_AddressData')
        at PostalcodeHousenumber.ACT_Call_Address_GetSingleAddress (SubMicroflow : 'SUB_Address_GetList')
    Advanced stacktrace:
        at com.mendix.integration.actions.microflow.RestCallAction.execute(RestCallAction.scala:48)
    Caused by: com.mendix.systemwideinterfaces.MendixRuntimeException: java.security.PrivilegedActionException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.mendix.integration.util.PrivilegedUtil$.withPrivileged(PrivilegedUtil.scala:15)
asked
5 answers
18

Hi Tim,

See this link for a discussion about how the root CA isn't trusted by Java by default. You'll need to upload the root CA into your modeler and the cloud portal. I was able to download this CA using Chrome. This was on a Mac so it's possible the end of the instructions might change slightly. It's the same general process though.

When I try to go to the URL you specified, I ended up here:

https://www.sourcerers.nl/team/5-tim-van-steenbergen

  1. In Chrome, click anywhere on the page and choose Inspect Element.
  2. In the dev tools window, select the security tab
  3. Click on View certificate
  4. Click on DST Root CA X3
  5. Drag the certificate image from the screen to your desktop
  6. This creates a .cer file on the desktop that you can import to the modeler or cloud portal

 

EDIT: On Windows the process is:

  1. In Chrome, I right-click anywhere on the page and choose Inspect Element.
  2. In the dev tools window, select the security tab
  3. Click on View certificate
  4. Click on the Certificate Path tab
  5. Click on DST Root CA X3 and click View Certificate
  6. Click the details tab
  7. Click Copy to File... and export as a .cer
  8. Import this file into the modeler and on the cloud portal.
answered
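
Why the answer above imports the root CA rather than the site's own certificate, as an added example that is not part of any answer in this thread: `openssl verify` stands in for the JVM's PKIX path check against its truststore, run on a throwaway three-level PKI. All names (Demo Root CA, api.example.test, the helper functions) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI, all names made up:
#   Demo Root CA -> Demo Issuing CA -> api.example.test
set -eu

new_csr() {    # $1 = file basename, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

self_sign() {  # $1 = basename of a CSR to turn into a self-signed root CA
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
    -extfile ca.ext -out "$1.pem" 2>/dev/null
}

issue() {      # $1 = subject basename, $2 = issuer basename, $3 = optional extension file
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 ${3:+-extfile "$3"} -out "$1.pem" 2>/dev/null
}

make_demo_pki() {  # $1 = empty working directory
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    new_csr root  "Demo Root CA";      self_sign root
    new_csr other "Unrelated Root CA"; self_sign other  # a trust store that lacks our root
    new_csr int   "Demo Issuing CA";   issue int root ca.ext
    new_csr leaf  "api.example.test";  issue leaf int )
}

# Prints "trusted" or "untrusted".
# $1 = trust store (PEM), $2 = server certificate, $3 = optional intermediates sent by the server
check_path() {
  if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
# Case 1 is the situation in the question; case 2 is the state after importing the root.
# Case 3: the root is trusted but the server omits its intermediate, so no path can be built.
echo "1 root missing from trust store : $(check_path "$demo_dir/other.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem")"
echo "2 root imported                 : $(check_path "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem")"
echo "3 root imported, no intermediate: $(check_path "$demo_dir/root.pem" "$demo_dir/leaf.pem")"
```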
2

For the doc that "test qert" mentioned: here (/howto/integration/use-a-client-certificate). Since at Tieka the certificate is not password-protected, this procedure is far simpler than the docs describe. Better is:

+Some services require you to authenticate using a client certificate. A certificate can be public or protected with password.

+### A public certificate:
+- can get downloaded using the any browser,
+- saved as a .cer-file or a .P7B-file,
+- uploaded in the Project->Settings tab Certificates.
+And your project is ready for use.
+
+### A password protected certificate:
+If the certificate is password protected then downloading the certificate from the brower will get you a different filetype: .pfx. This how-to describes how to configure your app to use certificates of pfx-filetype.
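Review bot: The intro sentence frames both sections as client-certificate authentication, but the steps under "A public certificate" (a .cer or .P7B file uploaded in Project->Settings, Certificates) describe a certificate without a private key, which is what an app needs in order to trust a server, not to authenticate itself. Say so explicitly, so that a reader arriving with a "PKIX path building failed" error recognises the first section as the relevant one and the .pfx section as the client-authentication case. Also fix "using the any browser" and "brower", and separate "And your project is ready for use." from the list with a blank line so it does not render as part of the last bullet.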

I added this piece of text to the docs.

answered
1

You could get the root CA or issuing CA from their website:

https://www.quovadisglobal.nl/Repository/DownloadRootsAndCRL.aspx

Upload this in your app, see here for documentation on certificate uploading etc.

answered
1

For the record: If you're using Mendix for Private Cloud, make sure to add your CA certificate into your Kubernetes namespace using the following instructions: https://docs.mendix.com/developerportal/deploy/private-cloud-cluster/#custom-tls

answered
-4

Unfortunately, this does not work anymore...

answered