PKIX Path Issues when Configuring HTTPS/SSL for FME Flow

Liz Sanderson

Symptom

Errors similar to those below are found in various FME Flow (formerly FME Server) or Tomcat log files.
 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Cause

The certificate used for SSL has not been imported into the FME Flow cacerts truststore or is a self-signed certificate.


Resolution

Obtain a copy of the CER or CRT file and import it into the FME Flow cacerts truststore.

  • Log in to FME Flow using a web browser (e.g. Google Chrome, as shown below)
  • View the “Certificate Information”

[Screenshot: Chrome not secure]

  • Click the Certificate Details tab and "Export"

[Screenshot: Export Cert]

  • Save as a “Base64 encoded ASCII, single certificate (*.pem,*.crt)” to local disk (e.g. <certpath>\mycert.crt)

[Screenshot: Export CRT]

  • Using the Command Prompt (as an Administrator), change the directory to <FMEFlow>\Utilities\jre\bin
  • Enter the following command, making the appropriate changes to <FMEFlow>, <certpath> and the alias value. If you wish to import all the certificates in the keystore into the trusted cacerts file, you can remove the alias parameter:
keytool -import -trustcacerts -keystore "<FMEFlow>\Utilities\jre\lib\security\cacerts" -storepass changeit -noprompt -alias mycert -file "<certpath>\mycert.crt"
  • Restart FME Flow and try submitting a job.
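
A certificate imported into cacerts becomes a trust anchor for the Java runtime that FME Flow uses, so it is worth checking the exported file before running the keytool import above. The following Python script is an added example, not part of the original article or of FME Flow: it confirms the file holds exactly one certificate, returns its SHA-256 fingerprint in the colon-separated form that keytool -printcert displays, optionally compares it with a fingerprint obtained from the server's administrator, and reports whether issuer and subject are identical (the form a self-signed certificate takes). The function names and the expected-fingerprint argument are assumptions of this example.

```python
# Added example: helper names are illustrative, not part of FME Flow or keytool.
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate block in a PEM file."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]

def fingerprint(der):  # SHA-256 as colon-separated upper-case hex pairs
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _tlv(buf, pos):  # one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer and subject names."""
    _, pos, _ = _tlv(der, _tlv(der, 0)[1])  # step into tbsCertificate
    if der[pos] == 0xA0:  # optional explicit version field
        pos = _tlv(der, pos)[2]
    spans = []
    for _ in range(5):  # serial, signature alg, issuer, validity, subject
        nxt = _tlv(der, pos)[2]
        spans.append(der[pos:nxt])
        pos = nxt
    return spans[2], spans[4]

def check_export(pem_text, expected_fp=None):
    """Check an exported file; self_issued means issuer equals subject."""
    certs = pem_to_der_list(pem_text)
    if len(certs) != 1:
        raise ValueError(f"expected 1 certificate, found {len(certs)}")
    fp = fingerprint(certs[0])
    if expected_fp and fp != expected_fp.upper():
        raise ValueError("fingerprint mismatch: do not import this file")
    issuer, subject = issuer_and_subject(certs[0])
    return {"sha256": fp, "self_issued": issuer == subject}

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1]) as fh:  # optional 2nd argument: expected fingerprint
        print(check_export(fh.read(), *sys.argv[2:3]))
```

Run it with the path to mycert.crt as the first argument and, optionally, the expected fingerprint as the second; a mismatch or a file with more than one certificate raises an error instead of returning a result.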
