javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcept

Post by alteredstate »

Hello everyone!

Currently using FileBot 4.8.5 (r6224) / OpenJDK Runtime Environment 11.0.6 / Linux 4.15.0-88-generic (amd64) on Ubuntu 18.04.4 LTS and it has been working great for quite some time but just today experienced this:

Code:

Fetch failed: Try again in 5 seconds (2 more) => javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Fetch failed: Try again in 10 seconds (1 more) => javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Fetch failed: https://api.themoviedb.org/3/movie/4256?language=en-US&api_key=1bb965af6888496c30d52a27e831f9c9
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at net.filebot.web.WebRequest.fetch(WebRequest.java:142)
        at net.filebot.CachedResource.lambda$fetchIfNoneMatch$13(CachedResource.java:247)
        at net.filebot.CachedResource.lambda$withPermit$16(CachedResource.java:276)
        at net.filebot.CachedResource.lambda$get$0(CachedResource.java:87)
        at net.filebot.CachedResource.retry(CachedResource.java:121)
        at net.filebot.CachedResource.retry(CachedResource.java:133)
        at net.filebot.CachedResource.retry(CachedResource.java:133)
        at net.filebot.CachedResource.lambda$get$1(CachedResource.java:87)
        at net.filebot.Cache.computeIf(Cache.java:90)
        at net.filebot.CachedResource.get(CachedResource.java:82)
        at net.filebot.web.TMDbClient.request(TMDbClient.java:391)
        at net.filebot.web.TMDbClient.getMovieInfo(TMDbClient.java:191)
        at net.filebot.web.TMDbClient.getMovieInfo(TMDbClient.java:180)
        at net.filebot.web.TMDbClient.getMovieDescriptor(TMDbClient.java:164)
        at net.filebot.media.MediaDetection.getLocalizedMovie(MediaDetection.java:725)
        at net.filebot.cli.CmdlineOperations.renameMovie(CmdlineOperations.java:451)
        at net.filebot.cli.CmdlineOperations.rename(CmdlineOperations.java:92)
        at net.filebot.cli.ScriptShellBaseClass.rename(ScriptShellBaseClass.java:362)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at Script1$_run_closure56.doCall(Script1.groovy:387)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at Script1.run(Script1.groovy:349)
        at net.filebot.cli.ScriptShell.evaluate(ScriptShell.java:64)
        at net.filebot.cli.ScriptShell.runScript(ScriptShell.java:74)
        at net.filebot.cli.ArgumentProcessor.runScript(ArgumentProcessor.java:163)
        at net.filebot.cli.ArgumentProcessor.run(ArgumentProcessor.java:37)
        at net.filebot.Main.main(Main.java:132)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at net.filebot.web.WebRequest.fetch(WebRequest.java:139)
        ... 30 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        ... 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        ... 31 more

Failed to retrieve localized movie data
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at net.filebot.web.WebRequest.fetch(WebRequest.java:142)
        at net.filebot.CachedResource.lambda$fetchIfNoneMatch$13(CachedResource.java:247)
        at net.filebot.CachedResource.lambda$withPermit$16(CachedResource.java:276)
        at net.filebot.CachedResource.lambda$get$0(CachedResource.java:87)
        at net.filebot.CachedResource.retry(CachedResource.java:121)
        at net.filebot.CachedResource.retry(CachedResource.java:133)
        at net.filebot.CachedResource.retry(CachedResource.java:133)
        at net.filebot.CachedResource.lambda$get$1(CachedResource.java:87)
        at net.filebot.Cache.computeIf(Cache.java:90)
        at net.filebot.CachedResource.get(CachedResource.java:82)
        at net.filebot.web.TMDbClient.request(TMDbClient.java:391)
        at net.filebot.web.TMDbClient.getMovieInfo(TMDbClient.java:191)
        at net.filebot.web.TMDbClient.getMovieInfo(TMDbClient.java:180)
        at net.filebot.web.TMDbClient.getMovieDescriptor(TMDbClient.java:164)
        at net.filebot.media.MediaDetection.getLocalizedMovie(MediaDetection.java:725)
        at net.filebot.cli.CmdlineOperations.renameMovie(CmdlineOperations.java:451)
        at net.filebot.cli.CmdlineOperations.rename(CmdlineOperations.java:92)
        at net.filebot.cli.ScriptShellBaseClass.rename(ScriptShellBaseClass.java:362)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at Script1$_run_closure56.doCall(Script1.groovy:387)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at Script1.run(Script1.groovy:349)
        at net.filebot.cli.ScriptShell.evaluate(ScriptShell.java:64)
        at net.filebot.cli.ScriptShell.runScript(ScriptShell.java:74)
        at net.filebot.cli.ArgumentProcessor.runScript(ArgumentProcessor.java:163)
        at net.filebot.cli.ArgumentProcessor.run(ArgumentProcessor.java:37)
        at net.filebot.Main.main(Main.java:132)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at net.filebot.web.WebRequest.fetch(WebRequest.java:139)
        ... 30 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        ... 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        ... 31 more

CmdlineException: Failed to identify or process any files
Finished without processing any files
Abort (×_×)
I thought it was the The Movie Database API cert causing this so I downloaded both: themoviedb-org-chain.pem and themoviedb-org.pem and executed the following:

Code:

sudo keytool -import -trustcacerts -alias debian:themoviedb-org-chain.pem -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -file ./themoviedb-org-chain.pem

Code:

sudo keytool -import -trustcacerts -alias debian:themoviedb-org.pem -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -file ./themoviedb-org.pem
but I'm still experiencing the issue. Any ideas on how to correct this?

Post by rednoah »

Sorry, no idea. Oddly enough, these things sometimes resolve themselves for reasons unknown. If api.themoviedb.org worked in the past, and suddenly stopped working for no reason, then it might work again in the future.


You could check Stack Overflow for advice on how to debug SSL handshake issues, enable additional logging, perhaps see exactly where things go awry. You'd need a deep technical understanding of SSL though to further debug this. It's above my pay grade.

Post by alteredstate »

rednoah wrote: 13 Mar 2020, 07:06 Sorry, no idea. Oddly enough, these things sometimes resolve themselves for reasons unknown. If api.themoviedb.org worked in the past, and suddenly stopped working for no reason, then it might work again in the future.


You could check Stack Overflow for advice on how to debug SSL handshake issues, enable additional logging, perhaps see exactly where things go awry. You'd need a deep technical understanding of SSL though to further debug this. It's above my pay grade.

What version of OpenJDK is recommended for FileBot 4.8.5 (r6224), could I upgrade to OpenJDK 12, 13 or 14? Or is something else recommended?

Post by rednoah »

alteredstate wrote: 17 Mar 2020, 18:13 What version of OpenJDK is recommended for FileBot 4.8.5 (r6224), could I upgrade to OpenJDK 12, 13 or 14? Or is something else recommended?

Typically, the latest and greatest. Java 13.0.2 at the time of writing.

Post by alteredstate »

rednoah wrote: 18 Mar 2020, 06:49
alteredstate wrote: 17 Mar 2020, 18:13 What version of OpenJDK is recommended for FileBot 4.8.5 (r6224), could I upgrade to OpenJDK 12, 13 or 14? Or is something else recommended?
Typically, the latest and greatest. Java 13.0.2 at the time of writing.

Dohhh! This is my mistake, OpenDNS was filtering it due to incorrect categorization:

I was suspicious when I executed:

Code:

openssl s_client -showcerts -connect api.themoviedb.org:443
and saw

Code:

depth=2 C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
verify error:num=20:unable to get local issuer certificate
CONNECTED(00000005)
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "OpenDNS, Inc.", CN = api.themoviedb.org
   i:O = Cisco, CN = Cisco Umbrella Secondary SubCA ash-SG
I added: themoviedb.org to my OpenDNS exception list and that fixed it! This must have been a recent change in OpenDNS as it has worked great for a few years now.
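
The check that settled this thread, as an added example that is not part of the original posts: parse the "Certificate chain" block of openssl s_client output and report whether the leaf certificate for the host was issued by a filtering proxy instead of a public CA. The sample input is the output quoted above; FILTER_CA_PATTERN and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample: the s_client lines quoted in the thread above.
sample_output() {
cat <<'EOF'
depth=2 C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
verify error:num=20:unable to get local issuer certificate
CONNECTED(00000005)
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "OpenDNS, Inc.", CN = api.themoviedb.org
   i:O = Cisco, CN = Cisco Umbrella Secondary SubCA ash-SG
EOF
}

# Assumption: issuer names that identify a filtering proxy on this network
# (taken from the output above; extend the pattern for other products).
FILTER_CA_PATTERN='Cisco Umbrella|OpenDNS'

# Print "depth|subject CN|issuer CN" for every entry in the chain block.
# The block ends at a bare "---" line; PEM "-----BEGIN" lines do not end it.
chain_summary() {
  awk '
    function cn(s) { sub(/^.*CN ?= ?/, "", s); return s }
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---$/ { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { depth = $1; subj = cn($0) }
    in_chain && /^ *i:/ { print depth "|" subj "|" cn($0) }
  '
}

# Read s_client output on stdin and report who issued the leaf certificate.
classify() {
  out=$(cat)
  issuer=$(printf '%s\n' "$out" | chain_summary | awk -F'|' '$1 == 0 { print $3; exit }')
  if printf '%s\n' "$issuer" | grep -Eq "$FILTER_CA_PATTERN"; then
    echo "intercepted by: $issuer"
  elif printf '%s\n' "$out" | grep -q '^verify error:'; then
    echo "untrusted issuer: $issuer"
  else
    echo "ok: $issuer"
  fi
}

# Live use: openssl s_client -showcerts -connect api.themoviedb.org:443 </dev/null 2>&1 | classify
sample_output | classify
```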