SSLHandshakeException occurs during call to authenticate in Google Drive API
I'm using the Google Drive API quick start Java project, which includes the google-api-java-client jar library. When I perform the TokenRequest authorization call in Google Drive, I receive an SSLHandshakeException. A few forums say to import the certificate into the Java trusted certificates as a generic solution for SSLHandshakeException. But I'm not sure how to get a certificate in this case. I mean, which URL needs to be opened in a web browser to get the certificate to add to the Java trusted certificates? Please help to fix this issue.
SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Environment details
- OS: Windows 10
- Java version: "1.8.0_181" Java(TM) SE Runtime Environment (build 1.8.0_181-b13) Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
- google-api-java-client version: google-api-client-1.23.0
External references:
- https://stackoverflow.com/questions/39842033/java-quickstart-for-google-sheets-api-crashes-with-pkix-path-building-failed
- https://developers.google.com/drive/api/v3/quickstart/java
Stacktrace
%% Invalidated: [Session-3, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
SwingWorker-pool-1-thread-1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
SwingWorker-pool-1-thread-1, WRITE: TLSv1.2 Alert, length = 2
SwingWorker-pool-1-thread-1, called closeSocket()
SwingWorker-pool-1-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
SwingWorker-pool-1-thread-1, called close()
SwingWorker-pool-1-thread-1, called closeInternal(true)
2021-05-25 19:41:07.561:INFO::Stopped SocketConnector@localhost:8888
Exception sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Exception [Ljava.lang.StackTraceElement;@256e150c
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:77)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:981)
at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:283)
at com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest.execute(GoogleAuthorizationCodeTokenRequest.java:158)
at com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest.execute(GoogleAuthorizationCodeTokenRequest.java:79)
at com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp.authorize(AuthorizationCodeInstalledApp.java:84)
at DriveLoginAndUpload.getCredentials(DriveLoginAndUpload.java:152)
at DriveLoginAndUpload.loadGdrive(DriveLoginAndUpload.java:191)
at AutomationAppUI$GetConfluecnePage.doInBackground(AutomationAppUI.java:145)
at AutomationAppUI$GetConfluecnePage.doInBackground(AutomationAppUI.java:1)
at javax.swing.SwingWorker$1.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at javax.swing.SwingWorker.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 35 more
Thanks!
We are running into an issue very similar to this. Our Java returns the same error. In our case, the issue is that when the code is run on the server, the initial handshake request to the Google server does not include the SNI in the request. This is the Kotlin code we are calling:
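// google-api-client v1.31.4
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse
import com.google.api.client.http.javanet.NetHttpTransport
import com.google.api.client.json.gson.GsonFactory

// Exchanges the authorization code for tokens; execute() makes the HTTPS call
// whose TLS handshake is failing.
fun googleTokenResponse(
    clientId: String,
    clientSecret: String,
    authorizationCode: String,
    redirectUri: String
): GoogleTokenResponse {
    return GoogleAuthorizationCodeTokenRequest(
        NetHttpTransport(), GsonFactory(),
        clientId, clientSecret,
        authorizationCode,
        redirectUri
    ).execute()
}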
This is the packet response we get when monitoring with Wireshark:
No SNI provided; please fix your client.
Running the same code locally does not have the same issue. The SNI is passed as expected. Not sure if this is a bug in the library or some misconfiguration in our server.
Server Info:
NAME="Oracle Linux Server"
VERSION="7.7"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.7"
PRETTY_NAME="Oracle Linux Server 7.7"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:7:7:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://bugzilla.oracle.com/"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
ORACLE_BUGZILLA_PRODUCT_VERSION=7.7
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=7.7
Java Info:
java version "1.8.0_261"
Java(TM) SE Runtime Environment (build 1.8.0_261-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.261-b12, mixed mode)
Any suggestions or recommendations would be greatly appreciated! Our Google integrations are dead in the water until we can find a solution for this...
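An added diagnostic, not code from either poster or from the google-api-java-client project: it prints the certificate chain the affected JVM actually receives while still validating it against the JVM's default trust store. That shows whether the PKIX failure in the first post and the missing-SNI certificate in the second are the same problem. The class name `TlsChainProbe` and the default host are assumptions; pass the host your token request targets.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class TlsChainProbe {
    public static void main(String[] args) throws Exception {
        // Assumption: default host; pass the host your token request actually targets.
        String host = args.length > 0 ? args[0] : "oauth2.googleapis.com";
        // "false" here stops this JVM from sending the SNI extension at all.
        System.out.println("jsse.enableSNIExtension=" + System.getProperty("jsse.enableSNIExtension"));

        // The JVM's own trust manager, backed by its default trust store (cacerts).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager jvmDefault = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];

        // Records the presented chain, then delegates: validation is not relaxed.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jvmDefault.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                jvmDefault.checkServerTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return jvmDefault.getAcceptedIssuers(); }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();
            System.out.println("Handshake OK: chain validated against the JVM trust store");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }
        if (seen[0] == null) return;
        for (X509Certificate c : seen[0]) {
            String subject = c.getSubjectX500Principal().getName();
            System.out.println("subject=" + subject + "\n  issuer=" + c.getIssuerX500Principal().getName());
            // Marker taken from the certificate captured in this thread.
            if (subject.contains("invalid2.invalid")) {
                System.out.println("  -> placeholder certificate: the server saw no SNI");
            }
        }
    }
}
```

Run it on the affected machine with the same JVM and the same `-D` options as the application. If the subject is the `invalid2.invalid` placeholder, importing that certificate into the trust store will not help, because the client is not sending SNI; any other untrusted issuer points at the trust store or at something between the client and Google.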