How to Handle the SSL(HTTPs) Certification Path Exception in Android Applications?
If you have not yet been stung by the exception below when a Java program you wrote connects to an SSL (HTTPS) server, be prepared for a bad experience at some point in your development career.
Exception: PKIX path construction failed: sun.security.provider.certpath.SunCertPathBuilderException: No valid certification path to the specified target could be found.
To put the issue in context, we want to highlight a few scenarios in which you may create a Java application other than Android, Tomcat Server, and JavaFX:
- When developing a bot for a product or company.
- An Android app that requires data from the server to be retrieved and placed in the assets folder for each build.
- Creating a file parser for your needs.
- Working on computer vision projects.
- Working on machine learning projects.
- Making a Java library.
GeekTip: If a Java program attempts to connect to a server protected by SSL (an HTTPS site), the exception above may occur.
A server that uses SSL for identification and encryption presents a certificate that has been signed by a trusted third party, a certificate authority such as Verisign, GoDaddy, and a few others. A browser or Java client uses this certificate to verify that it is talking to the site it claims to be, and not to a proxy it has been redirected to. When we open a site in a browser this step is visible: if the certificate is not in the browser’s trust store, the browser prompts us to add it. When a Java program accesses a secure site, however, this stage of the SSL handshake is not visible to the user.
Where are the certificates Validated?
The certificates are validated against the JRE’s trustStore. This trustStore is located in the JDK installation directory referenced by JAVA_HOME ($JAVA_HOME/jre/lib/security) and is commonly called “cacerts.” If the certificate presented by a secure site is present in the JRE’s trustStore, the SSL connection is established; if it is not, Java throws the exception described above, and we need to add that certificate to the trustStore to resolve the issue.
GeekTip: This issue is more frequent with servers that use a “Let’s Encrypt” SSL certificate. Since we are open-source enthusiasts, we will use it anyway, not least because it is free.
This program uses OkHttp to make an API call to the https://httpbin.org/get URL (httpbin is an open-source project) and then parses the returned JSON into Java POJO model class objects using Gson. I created a JsonParser class to make parsing simple and general. Now that we have established the scenario in which this problem can occur in a Java application, let’s look at how to solve it. As stated above, the SSL certificate for that site must be added to the JRE’s trustStore. To do so, follow the steps outlined below.
Step #1: Obtain the site’s SSL certificate
The first step is to obtain the site’s SSL certificate. To do so, open a terminal and navigate to the directory where the certificate will be kept. In this example the certificate is stored in the Desktop directory.
openssl s_client -connect <site-url>:443 -servername <site-url> > <saved-certificate-file-name-we-want-to-give>
To quit, press ctrl + z after the command. View the contents of the file in any text editor (such as Sublime). It will include the name of the issuing authority, keys, the encryption technique, and other information.
Step #2: Now import the certificate into the keystore (cacerts). Run the command below to accomplish this
sudo keytool -import -keystore cacerts -alias <alias-name> -file <certificate-file-path>
It will ask for your password twice: once for sudo and once for the keystore. The keystore’s default password is “changeit.”
Note: If prompted for a new password after entering “changeit,” either reuse “changeit” or choose a new password and remember it for the future.
After this command runs, it validates the certificate and then prompts you for confirmation. When asked whether to “trust this certificate,” enter “y.” Finally, it outputs “Certificate was uploaded to keystore.”
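The trust check that Java performs behind the exception above, and an application-scoped alternative to editing the global cacerts, as an added Java example (not the article’s own code); it assumes a file site.pem saved exactly as in Step #1.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Added example, not the article's code; assumes "site.pem" was written in Step #1.
public class TrustStoreCheck {
    // CertificateFactory skips the s_client handshake text before -----BEGIN CERTIFICATE-----.
    static X509Certificate loadPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    // ks == null selects the JRE's default trust store (cacerts, described above).
    static X509TrustManager trustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    // The same PKIX path check that raises the article's exception, reported as a boolean.
    static boolean isTrusted(X509TrustManager tm, X509Certificate cert) {
        try {
            tm.checkServerTrusted(new X509Certificate[] {cert}, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }
    // In-memory trust store holding only this certificate: trust scoped to the app, not to cacerts.
    static KeyStore appTrustStore(X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("site", cert);
        return ks;
    }
    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadPem(args.length > 0 ? args[0] : "site.pem");
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Trusted by default cacerts: " + isTrusted(trustManager(null), cert));
        KeyStore ks = appTrustStore(cert);
        System.out.println("Trusted by app-local store: " + isTrusted(trustManager(ks), cert));
    }
}
```

To use the application-local store, build an SSLContext with `ctx.init(null, new TrustManager[] {trustManager(ks)}, null)` and hand its socket factory to the HTTP client. Because this pins the server’s leaf certificate, just as the keytool step does, the entry has to be refreshed whenever the site renews its certificate (Let’s Encrypt certificates are valid for 90 days).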