sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hello,

I am trying to follow the “Couchbase for Java Developers” course on Couchbase Academy. While trying to access the Capella cluster, I am getting the error below:

[cb-events] ERROR com.couchbase.io - [com.couchbase.io][SecureConnectionFailedEvent] Detected a TLS problem in the IO layer: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem, Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target {"bucket":"travel-sample","coreId":"0x6279f9b900000001","local":"/100.64.0.1:51004","remote":"svc-dqis-node-001.d9atgx2youzqdzjk.cloud.couchbase.com/54.254.159.121:11207"}
[cb-events] ERROR com.couchbase.io - [com.couchbase.io][SecureConnectionFailedEvent] Detected a TLS problem in the IO layer: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem, Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target {"coreId":"0x6279f9b900000001","local":"/100.64.0.1:51003","remote":"svc-dqis-node-001.d9atgx2youzqdzjk.cloud.couchbase.com/54.254.159.121:11207"}
[cb-events] WARN com.couchbase.endpoint - [com.couchbase.endpoint][EndpointConnectionFailedEvent][760ms] Connect attempt 1 failed because of DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem {"bucket":"travel-sample","circuitBreaker":"DISABLED","coreId":"0x6279f9b900000001","remote":"svc-dqis-node-001.d9atgx2youzqdzjk.cloud.couchbase.com:11207","type":"KV"}
com.couchbase.client.core.deps.io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
	at java.base/javax.net.ssl.SSLEngine.wrap(SSLEngine.java:564)
	... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
	... 1 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	... 5 more

While I understand this is due to the certificate, I have already downloaded the certificate from the cluster’s Security → Certificate section and am using it in the code as follows:

import java.nio.file.Paths;

import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.ClusterOptions;

// Connection details (placeholders: substitute your own Capella endpoint and credentials)
String connectionString = "couchbases://<capella-endpoint>";
String username = "<database-user>";
String password = "<password>";

Cluster cluster = Cluster.connect(
        connectionString,
        ClusterOptions.clusterOptions(username, password).environment(env -> {
            // Sets a pre-configured profile called "wan-development" to help avoid
            // latency issues when accessing Capella from a different Wide Area Network
            // or Availability Zone (e.g. your laptop).
            env.applyProfile("wan-development");
            env.securityConfig(security -> security
                    .enableTls(true)
                    // Tell the client to trust the cluster's root certificate.
                    // If your cluster's root certificate is from a well-known
                    // Certificate Authority (CA), you can skip this.
                    .trustCertificate(Paths.get("/Users/test/couchbase/CouchBaseJava/MyFirstCluster2025-root-certificate.cert")));
        })
);

Even while running cbimport I got a similar issue with the security certificate.

Could someone help with this?

Thanks

The Capella root CA is built into the SDK. So where the comment says “you can skip this”, you can skip that.

You can test the correctness of a certificate with the openssl command. Couchbase SDK Doctor can be used to troubleshoot connectivity to the cluster. Curl can also be used to check connectivity and certificate validation, although when used against the KV service (which is not HTTP), if the certificate validates, curl will give a message to the effect of “empty response from server”.

For testing only in development environments, the SDK has an option to not perform validation on the server SSL certificate (like the curl -k option), but doing so is not secure.

I have tried validating the certificate using openssl but getting the below error:

openssl verify MyFirstCluster2025-root-certificate.pem
O=Couchbase, OU=Cloud
error 18 at 0 depth lookup: self-signed certificate
error MyFirstCluster2025-root-certificate.pem: verification failed

I downloaded it from the security certificate section only, so why is this certificate failing verification?

Is it something to do with my machine, which is behind a corporate proxy (Zscaler)?

I meant that you should test the connection with openssl or curl. See these instructions for how to test a connection with openssl - https://www.liquidweb.com/blog/how-to-test-ssl-connection-using-openssl/

Is it something to do with my machine, which is behind a corporate proxy (Zscaler)?

Possibly. (Do you maybe have a support ticket open? Sounds familiar.)
If the Couchbase Server SSL connection is “terminated” at the proxy, then the certificate that the SDK sees will be a certificate of the proxy, not the Couchbase Server certificate.