Member Avatar for newbee_jv

Hello everyone,

I have 2 Tomcat app servers (Tomcat1, Tomcat2) on 2 different hosts.

Tomcat1 is my main J2EE web application that has a commercial certificate, and the application works correctly.
Tomcat2 is a dependent component that has a self signed certificate.
both tomcats are behind a load balancer.

When calling my Tomcat2 component, I get the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I tried importing my self-singed cert on JVM of my Tomcat1 (and Tomcat2), but still same result.

Do I need to have the self-singed cert on my loadbalancer too?
Client's browser accesses directly Tomcat1 (main application), and when using dependent component on tomcat2, it sends request to client's browser directly, so I would assume my self-singed cert need to be loaded at loadbalancer level too?

Thanks.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  • 1 Contributor
  • 2 Replies
  • 2K Views
  • 5 Days Discussion Span
  • Latest Post Latest Post by newbee_jv
Member Avatar for newbee_jv

Correction: I have my commercial certificate on my loadbalancer that acts as reverse proxy for public facing users.

My tomcat1 and tomcat2 both have self-signed certificate.
Question: Do I need my self-singed certs loaded on my loadbalancer?

Here's a visual picture.
Untitled.png

Member Avatar for newbee_jv

The problem was that recently we updated our commercial certificate AND changed provider. My tomcat1 JVM where the faileru was occuring, wasn't recognizing the new commercial cert CA autority, and as result faileur.

I had to import my ca root cert (in my case the bundle, including intermediate cert) into my tomcat1 JVM keystore, and that resolved the issue.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.