GAURAV SETH

Workaround for PKIX path building failed

I am calling a Java REST API from Salesforce Apex but getting this error:

System.HttpRequest retrying request in response to handshake failure: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am using a self-signed certificate as I don't have a CA-signed certificate.

When I hit the REST API from Postman, it works fine after adding Referer in the header, but when I use it in Apex, it fails.
I know it is failing because the certificate should be uploaded on the receiver end.
Do we have any workaround for this?
Like adding the code below, getting the cookie from the Postman session.

request.setHeader('Cookie', 'JSESSIONID=0000fDH4iAwQjy18Gxy6cu4OP7N:-1; LtpaToken2=cvh4vP20P/VAggVRbJrmzgHkvEpJ52tcnbJIxJ3hPX99+otkx4t8dkUC/5Wozd37jPfMv2I5+GMs+//1Dqo3vJU81SymbRIQBaftyv1Z5nILXoC44zZ0Q9CT2mvRsFj8IdLC0mMs2bK70jhSSv/AS38QyQZbXDFDc4h8OxVpyyTe5vlTQfjdM336i6tJ5SinnBSuMmCvCk/SvOa6qiVXMkT/Bq3oqvGKztjeDXnyFw1EOO3/FpoekvvdFNrD2T0wePAogFaP1AEWsQiqG5bOAgWkUwScF/8830GUTPKIej9uSGHv6GX8c8e1bOw/p4dYFAu1hOXOK2RoV8YGsAV3S7nsypv+tFxnbFzdgS5M/D7D2OijHWVPzjkmK8Od23HAa7Gi3AoEsxcKpia/fED4MbmVsE78SAdl0lRDzXL2W2Kr95baxh1CZyGfa9n/mNdlRh0UwmxIsyYlChnwhnIXW+AzFFSP1e0fJZbhOFxZVfNAfoakwWA/wslZQWmQy8YW//DXSSvePaEDsYjgOBl5ulI9NCG2YN322bo1xQk4W0c8HkWEuSgD/BuhV5XwDJNvmcehdL3MDVccVNbD611bC/PoIMs8t2leWKfqi6gTHnNxXpK/6Q2ezsUR7kETnEk+p7Bl7p4wEEaDSCQPz8lJeu38/rCKXvXggnaJN1VsvWAAOSBsTmkwCo8dksAsG2jEXhEpoYGkwBKHMxqV0W5sUA==')

I need it urgently. I will appreciate
Anudeep (Salesforce Developers)
Most probably the issue is with the certificate.

This happens when the certificate chain is not in the correct order. You can verify this in an SSL checker by looking for the following message:

"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."

- As per the documentation,

The application (endpoint) server must send any intermediate certificates in the certificate chain, and the certificate chain must be in the correct order. The correct order is:

1. Server certificate.
2. Intermediate certificate that signed the server certificate, if the server certificate was not signed directly by a root certificate.
3. Intermediate certificate that signed the certificate in step 2.
4. Any remaining intermediate certificates. Do not include the root certificate authority certificate. The root certificate is not sent by your server. Salesforce already has its own list of trusted certificates on file, and a certificate in the chain must be signed by one of those root certificate authority certificates.

Let me know if this helps. If it does, please mark this answer as best so that others facing the same issue will find this information useful. Thank you.
GAURAV SETH
Hi Anudeep,

Thanks for your response. Actually I don't have a CA-signed certificate.
I just need to call a REST API which is on an external server from my Apex code for one of the demos.
I can't get a CA-signed certificate.
Is there any workaround for this purpose?
Can we make that API public or make some other configuration changes?

I used to call one service before by adding the latest cookie information collected from Postman and it used to work.
But now I am getting the error.
Any help will be appreciated.

Thanks,
Gaurav Seth
Anudeep (Salesforce Developers)
Hi Gaurav, 

Can you post here what you see in OpenSSL?

Because the main reason for this error is that the endpoint is presenting a certificate chain that contains incorrect intermediaries during the SSL handshake. The server is sending its own certificate and signing chain, but one or more intermediate certificates are incorrect.

To fix the problem, the endpoint must present a chain where the next certificate's subject equals the current certificate's issuer.

A tool like OpenSSL (https://www.openssl.org/) can be used to validate whether the distinguished name (DN) of a certificate's issuer is equal to the DN of the next certificate's subject, which must match for the chain to be valid.

If you want to see the certificate information yourself, use the openssl command below:

openssl s_client -showcerts -connect hostname:port

where "hostname:port" is the endpoint you want to connect to.

The command will show the certificates as they are being sent. You can then check the list of certificates to verify that the certificate chain is properly installed.

Ref: https://help.salesforce.com/apex/HTViewSolution?urlname=Why-I-am-getting-Salesforce-CalloutException-CertPathValidatorException-1327109384791&language=en_US


Salesforce recognizes certificates from CA-signed authorities as per the link below:

https://developer.salesforce.com/page/Outbound_Messaging_SSL_CA_Certificates
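The two answers above give a chain-order rule (each certificate's issuer must equal the next certificate's subject, and the root should not be sent) and a way to see the chain the server actually presents (openssl s_client -showcerts). The following Python script, added here as an example and not part of the original thread or of any Salesforce tooling, ties the two together: it parses the "s:" / "i:" summary lines that openssl s_client prints for each certificate in the chain and reports ordering mismatches, a self-signed leaf (Gaurav's situation, which no reordering can fix), or a root certificate sent in the chain. The sample outputs embedded below are constructed for the example; the host names, CA names and PEM bodies are placeholders, not real certificates.

```python
import re
import sys
from typing import List, Tuple

# Matches the per-certificate summary that `openssl s_client -showcerts` prints:
#   " 0 s:CN = host"
#   "   i:C = US, O = Some CA, CN = Some Intermediate"
CERT_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

# Constructed sample: a well-ordered chain (leaf, then the intermediate that
# signed it; the root is correctly absent). PEM bodies are elided with "...".
SAMPLE_GOOD = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = api.example.test
   i:C = US, O = Example CA, CN = Example Intermediate R1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root X1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
"""

# Constructed sample: the same certificates sent in the wrong order.
SAMPLE_WRONG_ORDER = """\
Certificate chain
 0 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root X1
 1 s:CN = api.example.test
   i:C = US, O = Example CA, CN = Example Intermediate R1
"""

# Constructed sample: a single self-signed certificate, as in the question.
SAMPLE_SELF_SIGNED = """\
Certificate chain
 0 s:CN = demo.internal
   i:CN = demo.internal
"""


def parse_chain(output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CERT_RE.finditer(output)]


def check_chain(chain: List[Tuple[str, str]]) -> List[str]:
    """Apply the ordering rules from the thread and return a list of problems."""
    problems: List[str] = []
    if not chain:
        return ["no certificates found in output"]

    # A lone self-signed leaf: subject == issuer and nothing else in the chain.
    if len(chain) == 1 and chain[0][0] == chain[0][1]:
        problems.append(
            "leaf is self-signed: no CA-issued chain for the receiver to validate"
        )

    # Rule: issuer of certificate k must equal subject of certificate k+1.
    for k in range(len(chain) - 1):
        _, issuer = chain[k]
        next_subject = chain[k + 1][0]
        if issuer != next_subject:
            problems.append(
                f"cert {k} issuer '{issuer}' != cert {k + 1} subject '{next_subject}'"
            )

    # Rule: the root (self-signed, last in chain) should not be sent.
    last_subject, last_issuer = chain[-1]
    if len(chain) > 1 and last_subject == last_issuer:
        problems.append(
            f"cert {len(chain) - 1} is a self-signed root; the server should not send the root"
        )
    return problems


if __name__ == "__main__":
    # Usage: openssl s_client -showcerts -connect host:443 </dev/null | python3 check_chain.py
    chain = parse_chain(sys.stdin.read())
    for idx, (subject, issuer) in enumerate(chain):
        print(f"{idx}: subject={subject!r} issuer={issuer!r}")
    issues = check_chain(chain)
    print("chain OK" if not issues else "\n".join(issues))
```

Feeding the script real output is just a pipe: the openssl command from Anudeep's answer, with stdin redirected from /dev/null so s_client exits after the handshake, piped into the script. For the good sample it reports "chain OK"; for the wrong-order sample it reports the issuer/subject mismatch at certificate 0; for the self-signed sample it reports that no reordering will help, which is the point of the thread: a self-signed certificate has no path to any root in Salesforce's trusted list, so the fix is a certificate issued by a recognized CA, not a workaround in the Apex callout.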