
PKIX error when running okta start and selecting any option

Open degerlac opened this issue 4 years ago • 3 comments

I am running OpenJDK 11 on Mac OS 10.15.7. When I run okta start and select any number to download it fails with a PKIX error. I would really like to use the tool, but I can't get off first base. What URL is it trying to access?

```
com.okta.commons.http.HttpException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.okta.commons.http.httpclient.HttpClientRequestExecutor.executeRequest(HttpClientRequestExecutor.java:191)
    at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147)
    at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120)
    at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:443)
    at com.okta.sdk.impl.ds.DefaultDataStore.lambda$getResourceData$1(DefaultDataStore.java:196)
    at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
    at com.okta.sdk.impl.ds.cache.WriteCacheFilter.filter(WriteCacheFilter.java:34)
    at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
    at com.okta.sdk.impl.ds.cache.ReadCacheFilter.filter(ReadCacheFilter.java:42)
    at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
    at com.okta.sdk.impl.ds.DefaultDataStore.getResourceData(DefaultDataStore.java:208)
    at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:177)
    at com.okta.sdk.impl.ds.DefaultRequestBuilder.get(DefaultRequestBuilder.java:90)
    at com.okta.cli.common.service.DefaultAuthorizationServerService.authorizationServersMap(DefaultAuthorizationServerService.java:33)
    at com.okta.cli.commands.apps.CommonAppsPrompts.getIssuer(CommonAppsPrompts.java:36)
    at com.okta.cli.commands.Start.runCommand(Start.java:122)
    at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:41)
    at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:26)
    at picocli.CommandLine.executeUserObject(CommandLine.java:1783)
    at picocli.CommandLine.access$900(CommandLine.java:145)
    at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2150)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2144)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2108)
    at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:1975)
    at picocli.CommandLine.execute(CommandLine.java:1904)
    at com.okta.cli.OktaCli.run(OktaCli.java:64)
    at com.okta.cli.OktaCli.main(OktaCli.java:54)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1409)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1315)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at com.okta.commons.http.httpclient.HttpClientRequestExecutor.executeRequest(HttpClientRequestExecutor.java:186)
    ... 26 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at sun.security.validator.Validator.validate(Validator.java:264)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    ... 51 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 57 more
```

degerlac · May 22 '21 01:05

Hey @degerlac!

There are a couple of common reasons for seeing this:

  1. You are connecting through some sort of proxy / VPN / network scanner.
  2. You have your Okta Org set up with a custom domain and it does NOT have the full certification chain set up.

Without any more info I'm going to guess the second, but here is an easy way to test it:

  • Go to: https://ssltools.digicert.com/checker/views/checkInstallation.jsp
  • Type in your domain, for example id.example.com
  • Click on the "Certificate Chain" tab (and check for errors)

If you see errors on this tab, you can correct the problem by following this guide: https://developer.okta.com/docs/guides/custom-url-domain/enable-the-custom-domain/

The "chain" is optional for some clients (for example most browser connections don't need it), but many languages/frameworks (e.g. Java) require the full chain to be installed.

Either way, let me know if this helps; it's possible we could catch this error and provide better instructions (but I'm just making an educated guess).

Assuming I'm wrong, let me know your Okta Org / URL and I can take a look. If you don't want to put that info in this issue, you can send it to Okta support, and reference this issue, and tell them to pass the info to @bdemers 😉

bdemers · May 22 '21 02:05

@bdemers - This is also a problem if a company uses self-signed certs for things like ZScaler. Is it possible to import a certificate chain into the embedded Java truststore the CLI is using? Or provide an environment variable like AWS_CA_BUNDLE?

klongmitre · Nov 11 '22 01:11

@klongmitre, there are no immediate plans to support self-signed certificates with the Okta CLI.

Ideally, we'd like to see folks using certs with chains, but I understand that isn't always as simple as it sounds. I'll leave this issue open for a bit to see if any other folks are looking for this functionality and we can reconsider it!

I can offer a quick workaround, though: you can grab the Java jar version of the Okta CLI: https://repo1.maven.org/maven2/com/okta/cli/okta-cli/0.10.0/okta-cli-0.10.0.jar

Run it as:

```shell
java -jar /path/to/okta-cli-0.10.0.jar
```

Then configure your JVM with the appropriate keystore.

bdemers · Nov 11 '22 18:11
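A small diagnostic, added here and not part of the Okta CLI or this thread, that runs the same JVM PKIX check the stack trace above fails in (`X509TrustManagerImpl.checkServerTrusted`), prints the chain the server actually sent when that check rejects it, and optionally extends the JDK's cacerts with one extra CA certificate in PEM form, which is what "configure your JVM with the appropriate keystore" amounts to in the proxy (ZScaler) case. The host name, the PEM path, port 443, the JDK 9+ cacerts location and its default password are all assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
/** Runs the JVM's own PKIX check against one host and shows the chain the server sent. */
public class ChainCheck {
    /** Trust store = the JDK's cacerts, optionally plus one extra CA cert (PEM), e.g. a proxy root. */
    static X509TrustManager trustManager(String extraCaPem) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            ks.load(in, "changeit".toCharArray()); // assumption: JDK 9+ layout and default cacerts password
        }
        if (extraCaPem != null) {
            try (FileInputStream in = new FileInputStream(extraCaPem)) { // first cert in the PEM file only
                ks.setCertificateEntry("extra-ca", CertificateFactory.getInstance("X.509").generateCertificate(in));
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }
    // Usage: java ChainCheck id.example.com [/path/to/corporate-ca.pem]   (host and path are placeholders)
    public static void main(String[] args) throws Exception {
        X509TrustManager real = trustManager(args.length > 1 ? args[1] : null);
        X509Certificate[][] sent = new X509Certificate[1][]; // chain captured before validation runs
        X509TrustManager recording = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                sent[0] = c;                   // keep the chain even when the next line throws
                real.checkServerTrusted(c, a); // the same check that fails inside the Okta CLI
            }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { real.checkClientTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[] { recording }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443)) {
            s.startHandshake();
            System.out.println("OK: chain for " + args[0] + " validates with this trust store");
        } catch (SSLHandshakeException e) {
            System.out.println("REJECTED: " + e.getMessage());
            X509Certificate[] c = sent[0];
            for (int i = 0; c != null && i < c.length; i++)
                System.out.printf("  [%d] subject=%s%n      issuer=%s%n", i, c[i].getSubjectX500Principal(), c[i].getIssuerX500Principal());
            if (c != null) // no trust anchor was found for the issuer of the last cert the server sent:
                System.out.println("  unknown issuer: " + c[c.length - 1].getIssuerX500Principal()
                        + " (server omitted its intermediates, or a proxy CA is re-signing the connection)");
        }
    }
}
```

If the extra CA makes the check pass, the same store can be handed to the CLI jar by importing that CA into a copy of cacerts with `keytool -importcert` and starting `java -Djavax.net.ssl.trustStore=/path/to/copy -jar okta-cli-0.10.0.jar`.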