+ Start a Discussion
BigGeoBigGeo 

Certificate Exception when connecting to Web Service in Apex

Hi all,

When connecting to an external web service importing the WSDL in Apex, I get the error:

"uncaught exception: {faultcode:'soapenv:Client', faultstring:'System.CalloutException: IO Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

The problem is that the certificate of the site server is not totally valid or not widely recognized. The web service belongs to the Tax Department of the Government of Argentina, and they approve their own SSL certificates. To emit electronic invoicing in Argentina, you have to approve each invoice sending it to the web service and you get a response with an authorization number which has to be included in the invoice.

Furthermore, I need also to access another web service that is only for testing purpose and it has the same issue.

Apart from Salesforce Apex Code, this exception also happens in .NET and Java, but these environments have their own ways to bypass the exception (import and install the certificate in the local machine, parameters to accept the ssl connection anyway, and so on...).
In Salesforce Apex documentation, I only found the "Remote Site Settings" option (Setup-Security Options) where the security protocol can be disable, but the exception occurs the same.

Please if someone know if there is a way to force the connection between Salesforce and the web service. I also wonder how tests of connection between Salesforce and not full deployed web services (with own signed or no valid certificates yet) should be performed.

Thanks in advance!
David VPDavid VP
We've got the exact same issue over here.

I suppose that there's no solution (other than buying a Verisign or other certificate for every staging or development server you need to test on ...) ?
It would be nice if for example in the developer environments we could add our own trusted custom Certificate Authorities so we could use our self-signed certificates for testing/staging.


If anyone has an idea on how to use SSL webservice callouts in staging environments, I'd be interested to hear it.


David
Imran MohammedImran Mohammed

How did you resolve this certificate issue?

Can you share what you have done?

David VPDavid VP

Wow,

You're reviving a really old thread here.

 

If I were you I'd start a new one on the topic.

 

For your info : at the time we just got Verisign certs and worked with those.

Imran MohammedImran Mohammed

Thanks for the response.

Looks like i need to take the same path as you did.

For now, i think there is no other way except that.

 

Anyway, thanks a lot.

BigGeoBigGeo

I'm sorry Imran, but at that time I could never solve this issue in Apex.

 

We just developed a middleware solution in .NET that connects to the web service using the (custom?) SSL certificate, sends the info signed and saves back the response number to Salesforce.

 

I wasn't totally satisfied with this approach, as it needed resources (server, support and maintenance) from our customer contrary to the No-Software slogan of Salesforce, but also the required functionality was rather complex and we also got very little support from the government agency itself, so it was more than justified.

 

We didn't have to face this type of functionality again in the solutions we developed, so I know Salesforce improved managing certificates and digital signatures, but I don't know if it is already capable of connecting to 'unsupported' web services.

 

I hope you get more feedback on this subject and I'll follow your post for sure if you create a new topic.

 

Regards,

George

Edward RossEdward Ross

We have the same issue, with a valid signed certificate.  Surely there must be a way to register the certificate with Salesforce as valid?