SergeantAgni

"Could not find trusted certificate"

I'm porting to the new partner API, using Java and Axis 1.1. Things were going fine then I started hitting the exception listed below. I went back and ran a simple global describe script that was working earlier in the day and got the same exception. Is it possible that something has changed with the server side certificates? I would not expect a certificate to work and then stop working a few minutes later...

Actually, this traceback is from API version 2.0, but the 2.5 traceback is nearly the same.  Both versions are now doing the same thing.

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Could not find trusted certificate
        at org.apache.axis.AxisFault.makeFault(AxisFault.java:129)
        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:131)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:180)
        at org.apache.axis.client.Call.invokeEngine(Call.java:2564)
        at org.apache.axis.client.Call.invoke(Call.java:2553)
        at org.apache.axis.client.Call.invoke(Call.java:2248)
        at org.apache.axis.client.Call.invoke(Call.java:2171)
        at org.apache.axis.client.Call.invoke(Call.java:1691)
        at salesforce.SalesforceConnectorBindingStub.login(SalesforceConnectorBindingStub.java:413)

Message Edited by SergeantAgni on 01-07-2004 04:45 PM

DevAngel

Hi SergeantAgni,

We are tracking a problem related to the certificate issue that you have been experiencing.  It seems to only be affecting Axis clients, which is kind of strange.  Don't change your code, this is an issue on our end.

seven

This happened to me also when using the quick start app. Probably the sforce server presents to the client a certificate that is signed by a CA not present in the JRE keystore. The salvation could be:

1. to write a custom (bogus) https validator at client side
2. sforce should provide a certificate that can be imported into the client trusted keystore
3. sforce should change their server side cert to one signed by a CA present in the default JRE distribution

Regards, Horia

Milkovic

I am also receiving the same type of error:

Login failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

Please let us know if a solution was found. Thanks

DevAngel

Hello All,

Please see the post on the announcements board for a resolution.

Milkovic

Ah ok, upgrading to the latest JRE solved the problem

rrr

I've upgraded to the latest JRE but am still experiencing the same problem. This is the message that returns from SForce.

-- End POST request --

<?xml version="1.0"?>

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

<SOAP-ENV:Body>

<SOAP-ENV:Fjavax.net.ssl.SSLHandshakeException: java.security.cert.CertificateEx

ception: Untrusted Server Certificate Chainault> <faultCode>Server</faultCode><faultString>java.security.cert.CertificateExceptio

n: Untrusted Server Certificate Chain</fau

at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)

at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)

at cltString></SOAP-ENV:Fault>

</SOAP-ENV:Body>

</SOAP-ENV:Envelope>

DevAngel

Hi rrr,

What is the url that you are getting this response from?

rrr

This is the response from the login request to this url:

https://www.salesforce.com/services/Soap/u/2.5

DevAngel

Hi rrr,

Are you still getting that error response?

rrr

Yes, we still get the same error.

SergeantAgni

I've upgraded to the latest Java SDK and no longer see the problem.

Thanks

--Brad

dom

As noted by many people on this thread, simply upgrading your JDK version resolves this issue.

I did however, have a machine where I wanted to preserve the current JDK version and simply upgrade the certificate store.

To add further complications, there were multiple versions of the JDK on this machine.

After following the directions as per the link - http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57436 - I was still getting the "SSLHandshakeException: Could Not find Trusted Certificate." error.

The problem turned out to be resolved when I explicitly pointed to the appropriate JDK version, AND I also had to point to the appropriate certificate store via a command line switch.

If it helps anyone out, who might want to patch an existing JDK, I have included the contents of a batch file I wrote to perform this process. You'll also note at the bottom of the script, I have included the command line parameters I had to include to stop the error occurring.

You'll obviously have to change JDK versions and paths to match your environment.

Hope this helps,

Dom

@echo off

echo "This follows the procedure as defined in http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57436"
echo "This batch file assumes that you have downloaded and unzipped the certificates."
echo "unzip them to d:\spool\install\Verisign"
c:
cd \j2sdk1.4.1_02\jre\lib\security
echo "make sure you have made a backup copy of c:\j2sdk1.4.1_02\jre\lib\security\cacerts!!!"
rem Uncomment the next line to let the script take the backup itself.
rem copy cacerts cacerts.bak
pause

rem Optional: remove the old root certificates first, so the aliases can be reused.
rem echo "about to delete existing certificates"
rem c:\j2sdk1.4.1_02\bin\keytool -delete -alias verisignclass2ca2028 -keystore .\cacerts -storepass changeit
rem c:\j2sdk1.4.1_02\bin\keytool -delete -alias verisignclass3ca2028 -keystore .\cacerts -storepass changeit
rem pause

d:
cd \spool\install\Verisign
echo "about to import new certificates"

rem Import the new roots into the cacerts of the specific JDK being patched.
c:\j2sdk1.4.1_02\bin\keytool -import -v -keystore C:\j2sdk1.4.1_02\jre\lib\security\cacerts -storepass changeit -alias verisignclass2ca2028 -file "./VeriSign - Thawte Combined Roots/VeriSign_Roots/PCA2ss_v4.509"
c:\j2sdk1.4.1_02\bin\keytool -import -v -keystore C:\j2sdk1.4.1_02\jre\lib\security\cacerts -storepass changeit -alias verisignclass3ca2028 -file "./VeriSign - Thawte Combined Roots/VeriSign_Roots/PCA3ss_v4.509"
pause


echo "about to save a verbose certificate listing to c:\j2sdk1.4.1_02\jre\lib\security\certificates.txt"
c:
cd \j2sdk1.4.1_02\jre\lib\security
c:\j2sdk1.4.1_02\bin\keytool -list -v -keystore .\cacerts -storepass changeit > certificates.txt

echo "to test this, simply run the SFDC quickstart and prove that the login method works"
echo "if these new certificates are not recognised you may need to explicitly point to this keystore via a command line parameter"
echo "eg. java -version:1.4.1_02 -Djavax.net.ssl.trustStore=C:\j2sdk1.4.1_02\jre\lib\security\cacerts"
pause


 

eyewell

This thread has been answered by a bunch of people saying you have to upgrade to the latest JRE.

True.

However, even after doing this, I kept getting the No certificate found error.

One additional problem I had was that JBuilder was still pointing to the old JRE. I had to go into Project->Project Properties, and

1) add the new JDK path to the list of options available

2) change the JDK path to point to that newly added path.

Of course, if I had just read the instructions in the sforce release notes, I wouldn't have tripped over this for so long.

RTFM I guess.
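
A check for the two causes reported in this thread (an old JRE still being the one that actually runs, and the updated cacerts not being the store in use), as an added example that is not part of any post. The class name TrustStoreCheck is hypothetical, the default aliases are the two used in the batch file above, and the code needs Java 7 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

// Added diagnostic: reports which JRE and trust store this JVM really uses.
public class TrustStoreCheck {
    // Resolve the trust store the way JSSE does by default: the
    // javax.net.ssl.trustStore property, then jssecacerts, then cacerts.
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        File store = resolveTrustStore();
        System.out.println("trust store  = " + store.getAbsolutePath());

        // "changeit" is the stock cacerts password, as used in the batch file.
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, pass.toCharArray());
        }
        System.out.println("entries      = " + ks.size());

        // Aliases to look for; pass others as arguments to override the defaults.
        String[] aliases = args.length > 0 ? args
                : new String[] {"verisignclass2ca2028", "verisignclass3ca2028"};
        for (String alias : aliases) {
            if (!ks.isCertificateEntry(alias)) {
                System.out.println(alias + ": NOT PRESENT");
                continue;
            }
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + ": " + c.getSubjectX500Principal().getName()
                    + " (expires " + c.getNotAfter() + ")");
        }
    }
}
```

Run it with the same java launcher and -D options as the failing client (or from the same IDE project), so that it reports what that client sees.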