# general

Eric Deandrea

09/25/2023, 6:25 PM
Question for all the WireMock gurus out there 🙂 I’m trying to use WireMock to mock a service that some client library consumes. The client library requires the use of https and doesn’t like the default certificate that WireMock uses. I don’t have any control or access to the http client this particular library uses. Is there a way around this?
Suppressed: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
		at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1945)
		at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:852)
		at java.base/javax.net.ssl.SSLEngine.wrap(SSLEngine.java:564)
		at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1125)
		at io.netty.handler.ssl.SslHandler.wrapNonAppData(SslHandler.java:969)
		at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1502)
		at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1340)
		at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1380)
		at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
		at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
		at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
		at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
		at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
		at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
		at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
		at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
		at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
		at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
		at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
		at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
		at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
		at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
		at java.base/java.lang.Thread.run(Thread.java:833)
	Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
		at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
		at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
		at java.base/sun.security.validator.Validator.validate(Validator.java:264)
		at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
		at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
		at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkServerTrusted(EnhancingX509ExtendedTrustManager.java:69)
		at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:235)
		at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:792)
		at io.netty.internal.tcnative.CertificateVerifierTask.runTask(CertificateVerifierTask.java:36)
		at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:48)
		at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:42)
		at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.runAndResetNeedTask(ReferenceCountedOpenSslEngine.java:1534)
		at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.access$700(ReferenceCountedOpenSslEngine.java:96)
		at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$TaskDecorator.run(ReferenceCountedOpenSslEngine.java:1509)
		at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1642)
		at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1488)
		... 21 more
	Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
		at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
		at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
		at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
		at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
		... 36 more

Brian Bezanson

09/25/2023, 10:05 PM
I have seen the “Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target” usually due to a corporate VPN. In my case we use “Global Protect”. In our case Maven dependency downloads and other HTTPS connections were failing from any Java IDE (Eclipse, Spring Tools etc.) while having Global Protect active.

1. Global Protect replaces the Certificate Chain of HTTPS connections by Corporate self-signed certificates using none of the public CA Root Authorities.
2. Java’s default truststore (cacert) only trusts certificates from known CA Root Authorities.
   a. So we were getting certificate errors like this:
      i. PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Solution

We were able to configure Java to use the Windows Root Certificate trust store. After setting these JVM properties Java is able to connect to all HTTPS resources with Global Protect enabled.

List of all Java 8 built in security and trust store providers. https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#Apple

Windows
-Djavax.net.ssl.trustStore=NONE
-Djavax.net.ssl.trustStoreType=Windows-ROOT

Mac
-Djavax.net.ssl.trustStoreType=KeychainStore

Here is a Stackoverflow link on the issue: https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ
💯 1

Eric Deandrea

09/26/2023, 11:45 AM
Thank you, I will give this a try. In my case, though, it’s not due to VPN (I’m not on VPN).