How to resolve the “unable to find valid certification path to requested target” error?

You may run into the following error message during replication and other tasks:

2015-05-19 05:26:30,864 [art-exec-5469] [ERROR] (o.a.a.r.c.BaseReplicationProducer:97) – Error occurred while performing folder replication for ‘XXXX’: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The error message indicates that Artifactory could not establish a trusted connection over SSL. You may see this issue if you are using a self-signed certificate, a certificate issued by an internal Certificate Authority, or if your clients (e.g. browser, Java) are outdated. Trust is established by having the root and intermediate certificates of your SSL certificate in a trusted keystore.

For Java, you may upgrade your JDK to resolve this issue, since a newer JDK comes with newer certificates. Alternatively, you may update your trusted keystore manually. The trusted keystore in Java is usually at $JAVA_HOME/lib/security/cacerts, and the default password of the “cacerts” keystore is “changeit”. You can import your root and intermediate certificates by using the steps below.

1. Get the remote site’s root and intermediate certificates by running openssl s_client -showcerts -connect <REMOTE_URL:PORT>

For example, openssl s_client -showcerts -connect cdn.redhat.com:443


2. Save each certificate as a file (example certificates from cdn.redhat.com are attached to this solution – good certificates as of May 12th, 2016)

For example, 

 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com

 i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com

In the example above, the issuer (i:) is the same as the subject (s:), which indicates that it is the root certificate.

Copy the PEM-encoded certificate that follows these lines (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and save it as root.crt.

3. Identify which JVM Artifactory runs on

4. Import the root and intermediate certificates into Java's trusted keystore (usually called “cacerts”) by using the keytool import command. For more information, please visit https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html

For example,

sudo keytool -importcert -keystore /usr/local/java/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -file ~/Downloads/RHEL-cert/root.crt -alias "rhel-root"

5. Restart Artifactory 
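
Steps 1 and 2 as a script, added here as an example and not part of the original article: it splits saved openssl s_client -showcerts output into one PEM file per chain entry and marks the entry whose subject equals its issuer as the root. The helper name split_chain, the output file names and the sample chain are assumptions made for illustration.

```sh
# Constructed sample of `openssl s_client -showcerts` output: names and base64
# bodies are placeholders, not real certificates.
sample_showcerts() {
cat <<'EOF'
Certificate chain
 0 s:/CN=repo.example.test
   i:/CN=Example Internal Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
 1 s:/CN=Example Internal Root CA
   i:/CN=Example Internal Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUk9PVA==
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
subject=/CN=repo.example.test
issuer=/CN=Example Internal Root CA
EOF
}

# split_chain FILE OUTDIR (hypothetical helper): write OUTDIR/cert-N.pem per chain
# entry and print "N<TAB>root|non-root<TAB>subject" for each one.
split_chain() {
    mkdir -p "$2" || return 1
    awk -v out="$2" '
        BEGIN { n = 0 }
        /^Certificate chain/ { inchain = 1; next }
        /^---$/              { inchain = 0 }   # chain section ends here
        !inchain             { next }          # skips the repeated "Server certificate" PEM
        /^ *[0-9]+ s:/ { subj = $0; sub(/^ *[0-9]+ s:/, "", subj) }
        /^ +i:/        { iss = $0;  sub(/^ +i:/, "", iss) }
        /^-----BEGIN CERTIFICATE-----$/ { file = sprintf("%s/cert-%d.pem", out, n); inpem = 1 }
        inpem { print > file }
        /^-----END CERTIFICATE-----$/ {
            inpem = 0; close(file)
            printf "%d\t%s\t%s\n", n++, (subj == iss ? "root" : "non-root"), subj
        }
    ' "$1"
}

# Demo on the constructed sample; for a live host, save the step 1 output to a file first.
work=$(mktemp -d)
sample_showcerts > "$work/showcerts.txt"
split_chain "$work/showcerts.txt" "$work/certs"
```

The files come from the connection itself, so confirm the root's SHA-256 fingerprint (openssl x509 -in cert-1.pem -noout -fingerprint -sha256) against a value obtained from the CA owner before importing it with keytool.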

 

Also, this error can be seen if a certificate is loaded in an Apache/Nginx proxy. Please review your Apache/Nginx proxy settings and set up the trust.