Using MQTT connect along with SSL connection, path for certificate and key. However, getting error - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Do you have more details about the error? There are different root causes and the most common is when your server certificate is self-signed or signed by a CA that is not trusted by the NeoLoad JVM.
If it's the case you need to import your certificate in the NeoLoad JVM truststore like this:
Go to the $NeoLoad_install_folder\jre\lib\security\ and run
..\..\bin\keytool.exe -import -alias MQTT -file "c:\temp\YourCertificate.cer" -keystore cacerts -storepass changeit
Thanks for the response.
Pls find below detailed error -
ERROR - neoload.CustomAction: Connection to MQTT broker: *abcd* failed : MqttException: MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target:
org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Also, I navigated till security folder, but could you pls let me know the next step in detail.
Thanks!
Hi, these are the detailed steps, keytool is 2 directory levels up and into the bin folder, just run the provided command and point to your cer file
Hi Team,
Thanks for the input.
I have followed the steps and getting below error -
Trust this certificate? [no]: yes
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: cacerts (Access is denied)
Also to add, I have .crt certificate and not .cer (I changed this while executing the command accordingly)
Is there any way to resolve this and get the MQTT connect successful?
Is your cacerts file read only? Do you see it in the directory? The file should be cer. You may need to convert your crt file to a cer file.
Hi, I have followed the steps and not getting an error for the import command of the certificate.
However, even after doing this, I am getting below error and not able to do the MQTT connect.
Error - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException
Also I see a new .LCK file in my neoload folder after running the import cmd
Hi Team
As mentioned above, I have added the certificate as per procedure however still getting same error while doing the MQTT Connect.
Is there any workaround for this, as unless I do MQTT connect I will not be able to proceed further for Publish, Subscribe.
Thanks.
If you still have the issue and the certificate imported is correct, then, since the error message is related to the certification path that is not trusted, you may have to import another certificate to trust the whole certification path.
The best way to confirm is to enable SSL debug in the NeoLoad agent. Here is the procedure:
Inside that log you should see the list of trusted certificates sent by NeoLoad including your certificate, the server certificate sent during the TLS handshake and finally the same error as before.
The goal is to compare the certification chain sent by the server and make sure that you have the full chain trusted on NeoLoad side.
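The comparison described above, as an added example that is not part of the original thread or of NeoLoad's tooling: it reads an SSL debug log and reports the issuer that no trusted certificate covers. The log layout (Java 8 `javax.net.debug` style `adding as trusted cert` and `chain [n]` entries), the sample names and the function names are assumptions, and matching is by distinguished name only, not by signature.

```python
import re

# Constructed sample; layout assumed to follow Java 8 javax.net.debug=ssl output.
SAMPLE_LOG = """\
[LoadGenerator] adding as trusted cert:
[LoadGenerator]   Subject: CN=Example Root CA, O=Example
[LoadGenerator]   Issuer:  CN=Example Root CA, O=Example
[LoadGenerator] adding as trusted cert:
[LoadGenerator]   Subject: CN=Other Root, O=Other
[LoadGenerator]   Issuer:  CN=Other Root, O=Other
*** Certificate chain
chain [0] = [
  Subject: CN=broker.example.test, O=Example
  Issuer: CN=Example Issuing CA, O=Example
chain [1] = [
  Subject: CN=Example Issuing CA, O=Example
  Issuer: CN=Private Root CA, O=Example
"""

PREFIX = re.compile(r"^\[LoadGenerator\]\s?")   # optional per-line log prefix
FIELD = re.compile(r"^\s*(Subject|Issuer):\s*(.+?)\s*$")

def norm(dn):
    # Normalise spacing and case so the same DN compares equal on both sides.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_debug_log(text):
    """Return (trusted subject DNs, [(subject, issuer), ...] of the server chain)."""
    trusted, chain, mode, subject = set(), [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if "adding as trusted cert" in line:
            mode = "trusted"
        elif re.match(r"^chain \[\d+\] = \[", line):
            mode = "chain"
        m = FIELD.match(line)
        if not m or mode is None:
            continue
        name, dn = m.group(1), norm(m.group(2))
        if mode == "trusted" and name == "Subject":
            trusted.add(dn)
            mode = None                 # ignore the Issuer line that follows
        elif mode == "chain" and name == "Subject":
            subject = dn
        elif mode == "chain" and name == "Issuer":
            chain.append((subject, dn))
            mode = None
    return trusted, chain

def untrusted_issuer(trusted, chain):
    """None if any chain certificate or its issuer is trusted, else the CA DN to import."""
    if any(s in trusted or i in trusted for s, i in chain):
        return None
    return chain[-1][1] if chain else None
```

On the constructed sample the result is the private root CA's name, meaning the imported certificate does not complete the path and that CA certificate is the one to add to the truststore the log names.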
Hi,
Please find below the neoload output file :
[LoadGenerator] System property jdk.tls.client.cipherSuites is set to 'null'
[LoadGenerator] System property jdk.tls.server.cipherSuites is set to 'null'
[LoadGenerator] Inaccessible trust store: C:\Program Files\NeoLoad 7.7\jre\lib\security\jssecacerts
[LoadGenerator] trustStore is: C:\Program Files\NeoLoad 7.7\jre\lib\security\cacerts
trustStore type is: jks
trustStore provider is:
the last modified time is: Wed Dec 23 06:47:42 CET 2020
[LoadGenerator] Reload the trust store
[LoadGenerator] Reload trust certs
[LoadGenerator] Reloaded 94 trust certs
[LoadGenerator] adding as trusted cert
.....cntd
Is there an issue in the third line -> Inaccessible trust store?
I am also attaching the results log file from MQTT Connect.
Let me know if anything else is to be done.
For MQTT over SSL connect I am uploading the .cer certificate and the key for the same. I have tried uploading the .crt and the key file as well.