Testing SSL Chaining Issues

June 26, 2013

Recently I needed to debug an issue by testing SSL chaining issues My old standby tools (curl and openssl were not reporting any errors)

The exception

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

Cause The cert from the keystore does not match the cert from the server.

Tool to debug the issue

SSLPoke.class is what was used to debug the issue. Link to source here.

How to use the tool

curl -k "https://confluence.atlassian.com/download/attachments/180292346/SSLPoke.class?version=1&modificationDate=1236556489366&api=v2" -o "SSLPoke.class"
java -Djavax.net.debug=ssl SSLPoke example.com 443 > debug.log 2>debug.err

Now check out the debug.log (near the end) to determine if your cert chaining is incorrect.

What finally solved my issue In my case i used the wrong godaddy chaining cert with an nginx reverse proxy…

I used:

Go Daddy Class 2 Certification Authority Root Certificate
gd-class2-root.crt
Certificate File Hash (sha1) : 98 F1 CC 3D 9F 09 73 69 1E B4 AE 9A 1E AF AC 7F D6 30 1D FB
Certificate Thumbprint (sha1) : 27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4

instead of:

Go Daddy Certificate Bundles (for cPanel, Plesk, Apache 1.x and 2.x installation only)
gd_bundle.crt
Certificate File Hash (sha1) : 47 E5 6A 19 BF B1 F1 9E 5D 92 88 0C 16 19 E1 8C C1 CD 06 CB

Reference: https://confluence.atlassian.com/display/CONFKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException