Unanswered question

Error- unable to find valid certification path to requested target

Using MQTT Connect along with an SSL connection, with the path to the certificate and key. However, I get the error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Sucheta C.

Answers

Nouredine A. (Team)

Do you have more details about the error? There are different root causes, and the most common is when your server certificate is self-signed or signed by a CA that is not trusted by the NeoLoad JVM.

If that is the case, you need to import your certificate into the NeoLoad JVM truststore like this:

Go to the $NeoLoad_install_folder\jre\lib\security\ folder and run

 ..\..\bin\keytool.exe -import -alias MQTT -file "c:\temp\YourCertificate.cer" -keystore cacerts -storepass changeit

Sucheta C.

Thanks for the response.
Please find the detailed error below:
ERROR - neoload.CustomAction: Connection to MQTT broker: *abcd* failed : MqttException: MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target:

org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

Sucheta C.

Also, I navigated to the security folder, but could you please let me know the next step in detail?

Thanks!

Neil W. (Team)

Hi, these are the detailed steps: keytool is two directory levels up, in the bin folder. Just run the provided command and point it to your .cer file.

Sucheta C.

Hi Team,
Thanks for the input.
I have followed the steps and am getting the error below:

Trust this certificate? [no]: yes
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: cacerts (Access is denied)

Also, to add: I have a .crt certificate and not a .cer (I changed this accordingly while executing the command).

Is there any way to resolve this and get the MQTT Connect to succeed?

Neil W. (Team)

Is your cacerts file read-only? Do you see it in the directory? The file should be .cer. You may need to convert your .crt file to a .cer file.

Nouredine A. (Team)

.crt and .cer are two different file extensions, but the content of the file should still be the same. I guess your "Access Denied" issue is probably due to the fact that you can't modify the cacerts file, which is also probably the case for other files in the Program Files folder.

So either run your DOS console with Administrator rights, or, if that does not work, just copy that cacerts file elsewhere on your disk (for example, to the desktop) and apply the procedure the same way against that copied file. Then copy/paste that cacerts back to the original folder. That should work.

Sucheta C.
Hi, I have followed the steps and am not getting an error for the certificate import command.
However, even after doing this, I am getting the error below and am not able to do the MQTT Connect.
Error - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException
Also, I see a new .LCK file in my NeoLoad folder after running the import command.

Sucheta C.

Hi Team,
As mentioned above, I have added the certificate as per the procedure; however, I am still getting the same error while doing the MQTT Connect.
Is there any workaround for this? Unless I do the MQTT Connect, I will not be able to proceed further with Publish/Subscribe.

Thanks.

Nouredine A. (Team)

If you still have the issue and the imported certificate is correct, then, since the error message says the certification path is not trusted, you may have to import another certificate to trust the whole certification path.

The best way to confirm is to enable SSL debug in the NeoLoad agent. Here is the procedure:

  1. Stop NeoLoad
  2. Edit $install_dir/conf/agent.properties
  3. In the "lg.launcher.vm.parameters" parameter, add -Djavax.net.debug=all so that you have something like this: lg.launcher.vm.parameters=-server -Djavax.net.debug=all -XX:MaxRAMFraction=4 .........
  4. Save
  5. Start NeoLoad
  6. Run a Check VU of your User Path with the MQTT Connect action alone and no other SSL requests, to minimize the amount of data.
  7. Open the logs folder through the menu "Help-->Open logs folder..." and look at the neoload-out.log file, which should contain some SSL traces related to the MQTT connection.

Inside that log you should see the list of trusted certificates sent by NeoLoad, including your certificate, the server certificate sent during the TLS handshake, and finally the same error as before.

The goal is to compare that list with the certification chain sent by the server and make sure that you have the full chain trusted on the NeoLoad side.
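To see exactly which link of the chain the JVM cannot anchor, here is an added example: a small Java program of my own, not NeoLoad code and not anything posted in this thread. It performs the same PKIX path build the JSSE trust manager does, against the cacerts file and the certificates the broker sends, and names the first certificate whose issuer is found neither in the chain nor in the truststore. Assumptions: the class name ChainCheck, the "changeit" password from the keytool command above, and a PEM file holding the broker's certificate chain, leaf first (obtained from the broker administrator, or copied out of the SSL debug trace the procedure above produces). When a third argument is given it writes a patched copy of cacerts with the chain's CA certificates added, following the copy-then-replace procedure above, since the JRE folder is normally not writable.

```java
// ChainCheck.java: added diagnostic example, not NeoLoad code and not code posted in this thread.
// Usage: java ChainCheck <cacerts> <server-chain.pem> [patched-cacerts-copy]
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class ChainCheck {
    // Default password of the JRE cacerts file, the one the keytool command above uses.
    static final char[] STORE_PASS = "changeit".toCharArray();
    public static void main(String[] args) throws Exception {
        if (args.length < 2) { System.err.println("usage: java ChainCheck <cacerts> <chain.pem> [copy]"); return; }
        KeyStore trust = loadTrustStore(args[0]);
        List<X509Certificate> chain = loadPemChain(args[1]);
        if (pathBuilds(trust, chain)) { System.out.println("PKIX path builds: this JVM trusts the server."); return; }
        X509Certificate missing = firstUntrustedLink(trust, chain);
        if (missing == null) { System.out.println("Chain reaches a trusted cert, yet PKIX failed: check validity dates and the builder error."); return; }
        System.out.println("No trusted issuer for: " + missing.getSubjectX500Principal() + "\n  issuer: "
                + missing.getIssuerX500Principal() + "\n  import that issuer (or this cert, if self-signed).");
        if (args.length >= 3) {
            // The JRE folder is usually not writable ("Access is denied" above), so a copy is written instead.
            int added = addCaCerts(trust, chain);
            try (OutputStream out = new FileOutputStream(args[2])) { trust.store(out, STORE_PASS); }
            System.out.println("Wrote " + args[2] + " with " + added + " CA cert(s) from the chain added.");
        }
    }

    static KeyStore loadTrustStore(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on Java 8, auto-detected on later JDKs
        try (InputStream in = new FileInputStream(path)) { ks.load(in, STORE_PASS); }
        return ks;
    }

    // Every PEM block in the file, leaf first, in the order the server presents them in the handshake.
    static List<X509Certificate> loadPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates found in " + path);
        return chain;
    }

    // The same check the JSSE trust manager performs: build a path from the leaf to a trust anchor.
    static boolean pathBuilds(KeyStore trust, List<X509Certificate> chain) throws Exception {
        X509CertSelector leaf = new X509CertSelector();
        leaf.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, leaf);
        params.setRevocationEnabled(false); // path diagnosis only; revocation is a separate question
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("trust anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return true;
        } catch (CertPathBuilderException e) {
            System.out.println("builder error: " + e.getMessage());
            return false;
        }
    }

    // Walks issuer by issuer from the leaf; returns the first cert whose issuer is in neither the truststore nor the chain
    // (an untrusted self-signed cert counts), or null if the chain does reach a trusted cert.
    static X509Certificate firstUntrustedLink(KeyStore trust, List<X509Certificate> chain) throws Exception {
        List<X509Certificate> trusted = new ArrayList<>();
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            Certificate c = trust.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) trusted.add((X509Certificate) c);
        }
        X509Certificate cert = chain.get(0);
        for (int hop = 0; hop <= chain.size(); hop++) {
            if (trust.getCertificateAlias(cert) != null || issuerIn(trusted, cert) != null) return null;
            X509Certificate next = issuerIn(chain, cert);
            if (next == null || next.equals(cert)) return cert;
            cert = next;
        }
        return cert;
    }

    // A cert from 'pool' that issued 'cert': the subject name matches and the signature verifies with its key.
    static X509Certificate issuerIn(List<X509Certificate> pool, X509Certificate cert) {
        for (X509Certificate cand : pool) {
            if (!cand.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try { cert.verify(cand.getPublicKey()); return cand; } catch (Exception e) { /* same name, other key */ }
        }
        return null;
    }

    // Adds the chain's CA (or self-signed) certs that the truststore lacks; a CA-issued leaf is never added.
    static int addCaCerts(KeyStore trust, List<X509Certificate> chain) throws Exception {
        int added = 0;
        for (X509Certificate c : chain) {
            boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            if ((c.getBasicConstraints() == -1 && !selfSigned) || trust.getCertificateAlias(c) != null) continue;
            trust.setCertificateEntry("mqtt-chain-" + (++added), c);
        }
        return added;
    }
}
```

Compile it with any JDK 8 or later (javac ChainCheck.java) and run it with the same Java that NeoLoad uses, for example java ChainCheck "C:\Program Files\NeoLoad 7.7\jre\lib\security\cacerts" chain.pem cacerts.patched, so that the result reflects the truststore NeoLoad actually loads. If the program reports a trust anchor while NeoLoad still fails, the broker is not sending the intermediate certificates or NeoLoad is reading a different truststore, which the -Djavax.net.debug=all trace above shows ("trustStore is:").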

Sucheta C.

Hi,
Please find the NeoLoad output file below:

[LoadGenerator] System property jdk.tls.client.cipherSuites is set to 'null'

[LoadGenerator] System property jdk.tls.server.cipherSuites is set to 'null'

[LoadGenerator] Inaccessible trust store: C:\Program Files\NeoLoad 7.7\jre\lib\security\jssecacerts

[LoadGenerator] trustStore is: C:\Program Files\NeoLoad 7.7\jre\lib\security\cacerts
trustStore type is: jks
trustStore provider is:
the last modified time is: Wed Dec 23 06:47:42 CET 2020

[LoadGenerator] Reload the trust store

[LoadGenerator] Reload trust certs

[LoadGenerator] Reloaded 94 trust certs

[LoadGenerator] adding as trusted cert
.....cntd
Is there an issue in the third line -> Inaccessible trust store?

I am also attaching the results log file from MQTT Connect.
Let me know if anything else is to be done.

For the MQTT over SSL connect I am uploading the .cer certificate and the key for it. I have tried uploading the .crt and the key file as well.