Raspbian - Java Exception : PKIX path validation failed

Support for Ubuntu and other Desktop Linux distributions
Post Reply
kheo
Posts: 3
Joined: 20 May 2016, 08:56

Raspbian - Java Exception : PKIX path validation failed

Post by kheo »

I'm trying to run FileBot v4.7 (portable version) on my Raspberry PI3 running Raspbian Jessie, and it always fails like this :

PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

Code: Select all

$filebot -script fn:configure
Fetch failed: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at net.filebot.web.WebRequest.fetch(WebRequest.java:138)
        at net.filebot.CachedResource.lambda$fetchIfModified$8(CachedResource.java:186)
        at net.filebot.CachedResource$$Lambda$9/24030126.fetch(Unknown Source)
        at net.filebot.CachedResource.lambda$null$0(CachedResource.java:83)
        at net.filebot.CachedResource$$Lambda$14/31150277.call(Unknown Source)
        at net.filebot.CachedResource.retry(CachedResource.java:112)
        at net.filebot.CachedResource.lambda$get$1(CachedResource.java:83)
        at net.filebot.CachedResource$$Lambda$13/11669778.apply(Unknown Source)
        at net.filebot.Cache.computeIf(Cache.java:85)
        at net.filebot.CachedResource.get(CachedResource.java:78)
        at net.filebot.MemoizedResource.get(Resource.java:36)
        at net.filebot.cli.ScriptBundle.getScript(ScriptBundle.java:34)
        at net.filebot.cli.ScriptShell.runScript(ScriptShell.java:72)
        at net.filebot.cli.ArgumentProcessor.runScript(ArgumentProcessor.java:114)
        at net.filebot.cli.ArgumentProcessor.run(ArgumentProcessor.java:29)
        at net.filebot.Main.main(Main.java:120)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at net.filebot.web.WebRequest.fetch(WebRequest.java:135)
        ... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        ... 16 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
        ... 16 more
Caused by: java.security.SignatureException: Signature does not match.
        ... 16 more
Failure (°_°)
I rely on OpenJDK-8 (headless)

Code: Select all

$ java -version
openjdk version "1.8.0_40-internal"
OpenJDK Runtime Environment (build 1.8.0_40-internal-b04)
OpenJDK Zero VM (build 25.40-b08, interpreted mode)
I tried to update to latest HEAD version with update script, however the behavior is still the same.
I'm able to open the GUI, able to display CLI help message, but as soon as the application needs to connect to a remote server through SSL, this exception is raised (from GUI or CLI).

Any idea or hint on how to solve this ?

I found many issues on google about PKIX path validation failed
but not so much dealing with the signature check failed

Kheo
User avatar
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei
Contact:

Re: Raspbian - Java Exception : PKIX path validation failed

Post by rednoah »

1.
I've never seen this error message. This is a generic issue though, not about FileBot specifically. Have you tried googling for the error message?

2.
This looks a bit fishy though:

Code: Select all

OpenJDK Runtime Environment (build 1.8.0_40-internal-b04)
Use the latest stable JDK. Don't use unofficial / internal builds. ;)
:idea: Please read the FAQ and How to Request Help.
kheo
Posts: 3
Joined: 20 May 2016, 08:56

Re: Raspbian - Java Exception : PKIX path validation failed

Post by kheo »

rednoah wrote:This is a generic issue, not about FileBot specifically. Have you tried googling for the error message?
I do realize that this is a generic issue, and I did googled it.
But as I mentioned in my post I did not found so much about the "signature check failed". Many post about the PKIX but not related to my problem.

I created this post in case of someone already met this issue, and for any other person that might face it.
User avatar
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei
Contact:

Re: Raspbian - Java Exception : PKIX path validation failed

Post by rednoah »

1.
Use the latest stable JDK. Don't use unofficial / internal builds.
Have you tried the latest JDK? 1.8.0_91 or higher.

2.
You could try the OracleJDK if OpenJDK doesn't work:
http://www.oracle.com/technetwork/java/ ... index.html
:idea: Please read the FAQ and How to Request Help.
kheo
Posts: 3
Joined: 20 May 2016, 08:56

Re: Raspbian - Java Exception : PKIX path validation failed

Post by kheo »

rednoah wrote:1.
Use the latest stable JDK. Don't use unofficial / internal builds.
Have you tried the latest JDK? 1.8.0_91 or higher.
You were right, it was related to OpenJDK. I installed Oracle JDK8 for arm and it works smoothly :)

Thanks.
User avatar
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei
Contact:

Re: Raspbian - Java Exception : PKIX path validation failed

Post by rednoah »

Damn. On ARM you really don't wanna use OpenJDK. On my armv7 device the Oracle JRE like 10x faster because OpenJDK doesn't enable JIT by default on ARM devices.
:idea: Please read the FAQ and How to Request Help.
devster
Posts: 417
Joined: 06 Jun 2017, 22:56

Re: Raspbian - Java Exception : PKIX path validation failed

Post by devster »

I recently stumbled on a similar issue on my Raspberry Pi 3, with Debian Jessie. Here the output of sysinfo.

Code: Select all

$ filebot -script fn:sysinfo
FileBot 4.7.11 (r5152)
JNA Native: 5.1.0
MediaInfo: 0.7.73
7-Zip-JBinding: 9.20
Chromaprint: 1.4.2
Extended Attributes: OK
Unicode Filesystem: OK
Script Bundle: 2017-05-15 (r500)
Groovy: 2.4.10
JRE: Java(TM) SE Runtime Environment 1.8.0_65
JVM: 32-bit Java HotSpot(TM) Client VM
CPU/MEM: 4 Core / 224 MB Max Memory / 11 MB Used Memory
OS: Linux (arm)
Package: DEB
uname: Linux rpi3 4.9.24-v7+ #993 SMP Wed Apr 26 18:01:23 BST 2017 armv7l GNU/Linux
Done ヾ(@⌒ー⌒@)ノ
I'm using the Oracle Java package, which is available for the Pi.

Code: Select all

$ sudo apt install oracle-java8-jdk ca-certificates-java
The latest version seems to be 8u65, which, despite installing the correct certificates packages, seems to still be missing some, in particular (I'm guessing) that the LetsEncrypt chain.
This is what I did to try and solve it:

Code: Select all

$ filebot -script fn:sysenv | grep -i home
$ export JAVA_HOME=/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre # the path on the RPi 3
$ sudo keytool \
	-trustcacerts \
	-keystore $JAVA_HOME/lib/security/cacerts \
	-storepass changeit \ # to be changed with the actual password
	-noprompt \
	-importcert \
	-file /etc/letsencrypt/live/example.com/chain.pem
I only work in black and sometimes very, very dark grey. (Batman)
Post Reply