Tamia Ramirez 18

Unable to reach endpoint - security certificate

We are currently trying to consume a SOAP web service exposed on a CastIron.
This WebService has a security certificate which does not allow us to communicate.
The certificate is signed by Symantec.
When there is no certificate active for the endpoint we consume, it works with no problem.

But when the certificate is active, while there is no problem calling the service from SOAPUI, when calling from SF we are receiving the following error message:
11:24:30.0 (325656624)|EXCEPTION_THROWN|[23]|System.CalloutException: IO Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
11:24:30.0 (537301785)|FATAL_ERROR|System.CalloutException: IO Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

We are wondering if there is any extra configuration required we are missing. So far we have:
1. Add the remote site configuration where the endpoint is.
2. We use the correct endpoint URL, pointing to the https and 443 port.

We have done nothing about the certificate on SF side.
We do not understand if there is any configuration required concerning the intermediate certificate.
It is not clear to us if there is any further configuration required.

Please let me know what is missing or any documentation which explains very well what is required.
This is the documentation we have been using so far:
https://krishhari.wordpress.com/2012/02/06/making-authenticated-web-service-callouts-from-salesforce-to-ibm-cast-iron-using-sslcertificatespart-ii/

 
SFDC coder
Hi Tamia,

I have faced this error previously while we were working on certificates. Basically, this error occurs when the certificate is not signed by a Salesforce trusted CA. From what you explained above, this seems to be a one-way SSL approach where the external system has the certificate installed.

Now the external system needs to make sure that the certificate that is present on their system is signed by a Salesforce trusted CA, else Salesforce won't communicate with them if they use certificates.

You can also check the SSL status of your certificate on https://www.sslshopper.com/ssl-checker.html to see if any link is broken. E.g., you can enter www.google.com in the Server Hostname field at the above URL to see the complete certificate chain.

Regards
SFDC Coder
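
The "is any link broken" check suggested in the reply above can also be run locally against the chain a server presents. The following is an added example, not part of the original thread: it parses the "Certificate chain" section printed by `openssl s_client -connect host:443 -showcerts` and reports where name chaining stops. The host name, CA names and `TRUSTED_ROOTS` set are constructed placeholders, and only subject/issuer names are compared (no signature or date verification).

```python
import re

# Constructed samples of the "Certificate chain" section printed by
# `openssl s_client -connect host:443 -showcerts`; every name is made up.
LEAF_ONLY = """Certificate chain
 0 s:CN = castiron.example.com
   i:CN = Example Intermediate CA
---"""
FULL_CHAIN = """Certificate chain
 0 s:CN = castiron.example.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---"""
# Assumption: stand-in for the calling platform's trusted CA list.
TRUSTED_ROOTS = {"CN = Example Root CA"}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s = re.match(r"\s*\d+\s+s:(.*)$", line)
        i = re.match(r"\s+i:(.*)$", line)
        if s:
            subject = s.group(1).strip()
        elif i and subject is not None:
            chain.append((subject, i.group(1).strip()))
            subject = None
    return chain

def check_chain(text, trusted_roots):
    """Name-chaining check only; signatures and validity dates are not verified."""
    chain = parse_chain(text)
    if not chain:
        return (False, "no certificates found")
    # Each certificate's issuer must be the subject of the next one sent.
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            return (False, f"broken link after {subj!r}: issuer {issuer!r} not sent next")
    top_subject, top_issuer = chain[-1]
    # The last certificate must be a trusted root or be issued by one.
    if top_subject in trusted_roots or top_issuer in trusted_roots:
        return (True, "chain reaches a trusted root")
    return (False, f"no path to a trusted root: {top_issuer!r} was not sent and is not trusted")

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, "->", check_chain(sample, TRUSTED_ROOTS))
```

A server that sends only its leaf certificate produces the "no path to a trusted root" result for any client that does not already hold the intermediate.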
 
Tamia Ramirez 18
This is what I am afraid of.

Just to confirm:
- The certificate was issued by Symantec. It is my understanding that Symantec and SF are actually partners.
- The certificate's algorithm is SHA-1

Is Symantec seriously untrusted by SF?

Thanks a lot for your time.
SFDC coder
Hi Tamia,

I don't think it's CA trusted. I couldn't find it in the list of Salesforce trusted CAs. Below is the link for your reference that lists Salesforce trusted CAs.

https://developer.salesforce.com/page/Outbound_Messaging_SSL_CA_Certificates

Please mark this as a best answer if this solves your problem