Forum Discussion

Yazid_Abdesslam's avatar
Yazid_Abdesslam
Icon for Nimbostratus rankNimbostratus
Feb 01, 2017

Certificate Issue : unable to find valid certification path to requested target

Hello,

 

We deployed a staging e-payment application, using a Virtual Server with these properties : port : https protocol profile : mptcp-mobile-optimized HTTP Profile : XFF SSL Profile : 2 certificates - The issued certificate & a second certificate with Default SSL Profile for SNI

 

SNAT Pool : ip in the same subnet as nodes. Pool : 2 pool members with port 7010 I'm using public certificates (signed by CA Verisign G5 & CA Symantec G4)

 

the web page is displayed correctly, & SSL checks says all is ok (tested with "; & ";)

 

the actual issue is that transaction doesn't pass over https (in http it works fine)

 

here's the error message relived from client side : -An exception occured in HTTPProcess sendMessage. Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - doPost exception encountered. Exception: java.lang.NullPointerException.

 

can you support us please?

 

application delivery
BIG-IP
client ssl profile
default ssl profile for sni
handshake
http and https
security
ssl offload
WebSafe
  • Yazid_Abdesslam's avatar
    Yazid_Abdesslam
    Icon for Nimbostratus rankNimbostratus
    Feb 01, 2017

    both of CA's are installed in Client side. Displayed Error bellow :

     

    I don't exactly understand what's wrong with Certificate. how can I do to get some traces about the error or where can I find it in logs.

     

    regards,

     

  • Stefan_Klotz's avatar
    Stefan_Klotz
    Icon for Cumulonimbus rankCumulonimbus
    Feb 01, 2017

    Hi Yazid,

     

    I made a quick test with sslchecker.com and it says that the Root CA is missing. Please try to adjust your chain and include the GeoTrust Global CA as well. If your client then still throughs an error, please verify the clients trust store and maybe install the required GeoTrust Global CA.

     

    Ciao Stefan :)

     

  • mikegray_198028's avatar
    mikegray_198028
    Icon for Cirrus rankCirrus
    Feb 02, 2017

    Hello,

     

    This is due to missing root and intermediate chain in the java/similar key store. you need to import the Symantec/Verisigin certificates, we faced the same issue last week and fixed it by importing complete root and intermediate chain

     

    • Yazid_Abdesslam's avatar
      Yazid_Abdesslam
      Icon for Nimbostratus rankNimbostratus
      Feb 02, 2017

      Hello mikegray & thank you for answer, Import where? if you mean in BigIP, it's already in. I Also have a question, what should I put in the Chain case, into client ssl profile.

       

      actually I used to fill only Certficate & Key cases.

       

      kindest regards,