Testing SSL Chaining Issues

Recently I needed to debug an issue by testing SSL chaining issues. My old standby tools (curl and openssl) were not reporting any errors.

The exception

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

Cause

The cert from the keystore does not match the cert from the server.

Tool to debug the issue

SSLPoke.class is what was used to debug the issue. Link to source here.

How to use the tool

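# Download the compiled SSLPoke class (-k turns off certificate verification for this download)
curl -k "https://confluence.atlassian.com/download/attachments/180292346/SSLPoke.class?version=1&modificationDate=1236556489366&api=v2" -o "SSLPoke.class"
# Attempt a TLS handshake from the JVM; the JSSE debug trace goes to debug.log and errors to debug.err
java -Djavax.net.debug=ssl SSLPoke example.com 443 > debug.log 2>debug.err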

Now check out the debug.log (near the end) to determine if your cert chaining is incorrect.
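
As a shorter alternative to reading the raw debug trace, the following added example (not the SSLPoke source and not part of the original post) prints the chain the server presents, flags any certificate that is not issued by the next one in the list, and reports whether the JVM's default trust manager accepts the chain. The class name ChainCheck is an assumption.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example, not the SSLPoke source. ChainCheck is a hypothetical name.
// Usage: java ChainCheck example.com 443
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        // Trust manager backed by the JVM's default trust store, which is
        // separate from the CA bundle that curl and openssl consult.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager jvm = (X509TrustManager) tmf.getTrustManagers()[0];

        // Record the chain the server sends, then hand it to the default trust manager.
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jvm.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                jvm.checkServerTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return jvm.getAcceptedIssuers(); }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        String verdict = "chain accepted by this JVM's trust store";
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();   // path validation only; the hostname is not checked here
        } catch (Exception e) {
            verdict = "handshake failed: " + e;
        }
        X509Certificate[] chain = seen[0] == null ? new X509Certificate[0] : seen[0];
        for (int i = 0; i < chain.length; i++) {
            System.out.println(i + " subject: " + chain[i].getSubjectX500Principal().getName());
            System.out.println("  issuer:  " + chain[i].getIssuerX500Principal().getName());
            // In a correctly ordered bundle each certificate is issued by the next one.
            if (i + 1 < chain.length && !chain[i].getIssuerX500Principal()
                    .equals(chain[i + 1].getSubjectX500Principal())) {
                System.out.println("  ** certificate " + (i + 1) + " is not this certificate's issuer");
            }
        }
        System.out.println(verdict);
    }
}
```

Compile it with javac ChainCheck.java and run it with the same JVM, and the same -Djavax.net.ssl.trustStore setting if any, as the application that throws the exception.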

What finally solved my issue

In my case I used the wrong GoDaddy chaining cert with an nginx reverse proxy…

I used:

Go Daddy Class 2 Certification Authority Root Certificate
Certificate File Hash (sha1) : 98 F1 CC 3D 9F 09 73 69 1E B4 AE 9A 1E AF AC 7F D6 30 1D FB
Certificate Thumbprint (sha1) : 27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4

instead of:

Go Daddy Certificate Bundles (for cPanel, Plesk, Apache 1.x and 2.x installation only)
Certificate File Hash (sha1) : 47 E5 6A 19 BF B1 F1 9E 5D 92 88 0C 16 19 E1 8C C1 CD 06 CB

Reference: https://confluence.atlassian.com/display/CONFKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException
