powered by Jive Software

Internal Trusted CA: "unable to find valid certification path to requested target"


#1

We are using an OpenFire server, and Spark. We had OpenFire generate the CSR, and then subsequently took the CSR and went to our internal OpenSSL based CA and issued certificates for OpenFire. We then added the response to the OpenFire system page, and it recognized the certificates as “CA Signed”. Just for kicks, we also added our internal CA to the truststore.

HOWEVER, we are getting the following problem in our logs from the Spark 2.8 client we are using:

org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This looks like it’s failing to create the certificate path properly. The Windows system store contains the CA certificate as a trusted CA cert. However, Spark still fails to verify this.

How do we fix this problem so we can use the internally-signed CA certificate for our LAN/network for the chat system?

Note that our internal CA doesn’t have any intermediate certs - to validate the cert it only has to go up one step in the chain to ‘validate’ the CA root cert.


#2

Spark uses it’s own repository from which it obtains certificates (and does not use an OS-provided one!). As this changes a lot in the upcoming release, I’m not sure on the details of the old release: Spark either ships with Java keystores (which will be either in your profile directory, or in the Spark installation directory), or it uses the default Java keystores (which ship with the JRE).


#3

This actually explains a lot… all of which is undocumented.

Now that I’m aware of this, though, this will make it a bit trickier to solve this on a global organization scale - I’m not sure we want to give everyone the instructions on exactly how to update their certificate stores.

Thank you. My guess is it uses the JRE-shipped keystores. That’s gonna be a little trickier to make work properly…


#4

Spark was a dead project for many years (not very alive currently also). And it is only driven by occasional contributions. If someone has time and knowledge to do this, we are open to documentation contributions :wink: