On April 24, 2018, SauceLabs OPS deployed a new SSL certificate for its OnDemand service.
The reasons for the new certificate were two-fold:
- The original certificate was about to expire.
- The original certificate was issued by GeoTrust CA, which is no longer widely trusted, so it was imperative to move away from this CA.
All browsers and up-to-date non-browser clients recognized this new certificate, and its deployment was transparent and without negative impact. However, some older non-browser clients (e.g. JDK) had connectivity issues with Sauce because the new root certificate was not in their trust store.
When running tests using an affected client, the attempt to connect to ondemand.saucelabs.com:443 will throw this exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To correct the problem, the trust store used by the client needs to contain the DigiCert Global Root G2 root certificate.
There are several options if you run into this problem. All three update the client's trust store with the latest root certificates.
Option 1: Upgrade the JDK version on affected machines
Update the JDK to the latest minor version (e.g. JDK 8u172 for Java 8). This updates the trust stores automatically and includes the required certificates. Most customers will find this to be the simplest option.
Option 2: Add the DigiCert CA cert manually to the Java Trust Store
Install the DigiCert Global Root G2 cert (root cert) to ensure a successful handshake with Sauce's ondemand service. Certificates can be found here and installation notes can be found here.
Option 3: Update the JDK version on one machine and then copy the JDK trust store certs from that machine onto the other affected machines.
This method is explained in detail here.
If none of these options help, it is likely that you are using a custom trust store. You can find out which trust store is used by running a test with -Djavax.net.debug="ssl,handshake", which prints the trust stores in use. Once that is known, adding the DigiCert cert to that trust store will fix the issue. Alternatively, you could switch from the custom trust store to the default one.
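To confirm that any of the options above took effect, the following added example (not Sauce Labs code) lists whether the JVM's effective default trust store contains the DigiCert Global Root G2 root. The class name TrustStoreCheck and the match on the subject CN alone are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: reports whether the trust store this JVM actually uses
// contains the root CA named on this page.
public class TrustStoreCheck {
    // Root named on the page; matched by subject CN only (assumption).
    static final String ROOT_CN = "CN=DigiCert Global Root G2";

    /** Returns every trusted issuer whose subject DN contains the given CN. */
    static List<X509Certificate> findRoots(String cn) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null selects the default trust store: -Djavax.net.ssl.trustStore if set,
        // otherwise jssecacerts, otherwise cacerts under java.home.
        tmf.init((KeyStore) null);
        List<X509Certificate> hits = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (c.getSubjectX500Principal().getName().contains(cn)) hits.add(c);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String custom = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("java.home: " + System.getProperty("java.home"));
        System.out.println("trust store override: "
            + (custom == null ? "(none, JDK default)" : custom));
        List<X509Certificate> hits = findRoots(ROOT_CN);
        if (hits.isEmpty()) {
            System.out.println("MISSING: " + ROOT_CN + " (expect PKIX path building failed)");
            System.exit(1);
        }
        for (X509Certificate c : hits) {
            System.out.println("FOUND: " + c.getSubjectX500Principal().getName()
                + " (expires " + c.getNotAfter() + ")");
        }
    }
}
```

Run it with the same JVM and the same -D options as the failing test. A client that builds its own SSLContext from a separate keystore is not covered by this check.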