B4J Question SSL Error with httpjob and https [solved]

Didier9

Well-Known Member
Licensed User
Longtime User
I have a simple example project that shows the problem.
The example works on a server that does not use https but does not when pointed to another server that runs https, even though calling the same php script directly from Chrome on the same machine (using https) does work.

I am getting this error:
B4X:
Waiting for debugger to connect...
Program started.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:242)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:200)
    at okhttp3.internal.connection.RealConnection.buildConnection(RealConnection.java:174)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:114)
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:196)
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:132)
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:101)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
    at okhttp3.RealCall.execute(RealCall.java:63)
    at anywheresoftware.b4h.okhttp.OkHttpClientWrapper.executeWithTimeout(OkHttpClientWrapper.java:156)
    at anywheresoftware.b4h.okhttp.OkHttpClientWrapper.access$0(OkHttpClientWrapper.java:153)
    at anywheresoftware.b4h.okhttp.OkHttpClientWrapper$ExecuteHelper.run(OkHttpClientWrapper.java:201)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    ... 35 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 41 more
ResponseError. Reason: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Response:
Error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Note that this runs on a corporate intranet. The project is actually the KMatle MySQL/PHP tutorial that I updated a couple of months ago which runs fine with http.
 


KMatle

Expert
Licensed User
Longtime User
Just fighting with a similar problem but with https. Can you check the server's certificate? (Call the server's address in your browser and click on the lock symbol.) Is it self-signed? If yes, then search for "accept all".
 
Didier9

KMatle said:
Just fighting with a similar problem but with https. Can you check the server's certificate? (Call the server's address in your browser and click on the lock symbol.) Is it self-signed? If yes, then search for "accept all".

The certificate is signed by my company's systems. The server is not accessible from the outside.

I am using Chrome and I do not have an "Accept All" setting when I click on the padlock icon but the certificate is valid.
The browser has no issue accessing the server. More specifically, the browser has no problem accessing the php script, which has no problem accessing the database. However, phpMyAdmin (running on the same server as the database and the php script) does have a problem accessing the database (at least I cannot log in to phpMyAdmin with the credentials that the php script is using), and the B4J app running on my laptop also has a problem accessing the php script, with the errors reported above.
 

OliverA

Expert
Licensed User
Longtime User

Didier9

HU2_ACCEPTALL does not solve my problem :(

B4X:
Waiting for debugger to connect...
Program started.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ResponseError. Reason: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Response:
Error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cannot get data from database
 
Didier9

I also checked the ww2.conf file (not ssl.conf on my server, CentOS 7) and it does have the SSLCertificateChainFile line pointing to my company's certificate authority:

B4X:
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile      /etc/pki/tls/certs/fwb-eng-web01p.cer
        SSLCertificateKeyFile   /etc/pki/tls/private/fwb-eng-web01p.key
        SSLCertificateChainFile /etc/pki/tls/certs/crane-issueingCA2.cer
        SSLCACertificateFile    /etc/pki/tls/certs/crane-root.cer
 
Didier9

Trying to figure out how this server is configured. I did not do it myself and I may have to go back to the guy who did. (ww2 is an alias but I am not accessing the server under that name)

I will post when I hear back.
 
KMatle

Didier9 said:
I also checked the ww2.conf file (not ssl.conf on my server, CentOS 7) and it does have the SSLCertificateChainFile line pointing to my company's certificate authority:

B4X:
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile      /etc/pki/tls/certs/fwb-eng-web01p.cer
        SSLCertificateKeyFile   /etc/pki/tls/private/fwb-eng-web01p.key
        SSLCertificateChainFile /etc/pki/tls/certs/crane-issueingCA2.cer
        SSLCACertificateFile    /etc/pki/tls/certs/crane-root.cer

The config looks good at first sight. Please call the webpage in a browser and check if the certificate is still valid (I assume it's not).
 
OliverA

KMatle said:
Please call the webpage in a browser and check if the certificate is still valid (I assume it's not)

Didier9 said:
I am using Chrome and I do not have an "Accept All" setting when I click on the padlock icon but the certificate is valid.

My guess: Somehow the browser is able to properly parse the in-house CA and Java is not. Browsers' CA handling is often more up to date than Java's. One may need to add the proper CA credentials (be it the main or the intermediates) to Java's internal CA list. The article I linked to should help out in that regard.
 
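
The suggestion in the post above, trusting the in-house CA instead of accepting every certificate, can be tried in plain Java without editing the JVM's cacerts file. This is an added example, not code from the thread, B4J or jOkHttpUtils2; the class name, the alias names and the three command-line arguments (root CA file, host, port) are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import javax.net.ssl.*;

public class TrustCorporateCa {
    // Trust manager backed by the JVM's default trust store (the cacerts file).
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }

    // SSLContext trusting the default roots plus one extra CA; validation stays on.
    static SSLContext contextTrusting(X509Certificate extraCa) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store, nothing is written to disk
        int i = 0;
        for (X509Certificate root : defaultTrustManager().getAcceptedIssuers()) {
            ks.setCertificateEntry("default-" + i++, root);
        }
        ks.setCertificateEntry("corporate-root", extraCa); // alias is an assumption
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) throw new IllegalArgumentException("usage: TrustCorporateCa <root-ca-file> <host> <port>");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(args[0])) { // PEM or DER encoded certificate
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // If this prints false, the JVM has no trust anchor for the in-house chain.
        boolean known = Arrays.asList(defaultTrustManager().getAcceptedIssuers()).contains(ca);
        System.out.println("Root already trusted by this JVM: " + known);
        try (SSLSocket s = (SSLSocket) contextTrusting(ca).getSocketFactory()
                .createSocket(args[1], Integer.parseInt(args[2]))) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the host name
            s.setSSLParameters(p);
            s.startHandshake(); // an SSLHandshakeException here means the chain still does not validate
            System.out.println("Handshake OK, peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

If the first line prints false and the handshake then succeeds, the missing root in the JVM trust store was the cause of the PKIX error, and certificate validation never had to be switched off to confirm it.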

Didier9

I am not sure what web page you are referring to, but I have no issue running the php script from the browser on the same machine where the B4J app is not working. The web server is configured to run only https and Chrome properly indicates the connection as secure.
So far the internal IT guy who configured the machine has not been able to help but I will look at the article you linked in more detail.

I am wondering if I could connect to the database directly instead of through a php script. Since both client and server are on the Intranet, I may be able to do that. Our company policy requires that all traffic be encrypted, though, so I am not sure if I can do the encryption bit. At first, the php route looked easier... Some more reading will be necessary...
 
Didier9

jOkHttpUtils2.xml says it is version 1.0, the file has a date stamp of May 2018 (when I downloaded it).

Update: actually I am on a different computer right now, I'll update when I am on the machine that's on the right network.
 

DonManfred

Expert
Licensed User
Longtime User
jOkHttpUtils2 is an internal library and a b4xlib. It is located in C:\Program Files (x86)\Anywhere Software\B4J\Libraries
It is Version=2.82
 
Didier9

I am using B4J v7.80 and the built-in jOkHttpUtils2 library is 2.82. Not sure how to get 2.90...

OK, I found it. I am not sure how I can be sure to use that one instead of the built-in one. Should I simply replace it in the Program Files folder?
 
Didier9

I downloaded the jOkHttpUtils2.b4xlib file. Not sure how to use that one. I placed it in my custom libraries folder and clicked Refresh, but the IDE still only shows version 2.82.
 