Java can't start a saucelabs session due to error: PKIX path building failed Follow

Avatar
Max Dobeck
  • Updated

Does this appear in your Java stack trace while trying to start a test with Sauce Labs?

 

javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

 

Confirm this is your issue:

 

Add this flag to the Java VM from the command line or your IDE while running or debugging.

 

-Djavax.net.debug=ssl
  • Are you using a Java framework or library?

  • Are you making an HTTPS call or attempting to start a test session on Sauce Labs?

  • Are you using SSL/TLS certificates to make some sort of network call?

 

Solution

 

You have several options. Choose one of the below.

  1. If you're on Windows add this flag ( -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT )to your Java VM while running or debugging your program. This will force Java to use your operating system's truststore.

  2. Upgrade your Java installation to a later version. A new installation is bundled with a more up-to-date truststore

  3. Use Java's keytool to import the Root CA for the Sauce Labs certificate. 
    1. Go here (https://www.digicert.com/kb/digicert-root-certificates.htm)
    2. search for " DigiCert Global Root G2"
    3. download the PEM file
    4. Then use keytool to import the .pem file. See this doc for an example https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html

 

Why?

 

You're seeing this because Java is trying to use its own custom (most likely outdated) trust store.  Java requires that you maintain your own truststore (aka SSL keychain, Root CA store, CA cert directory)

 

From the Java Reference Guide Note: The JDK ships with a limited number of trusted root certificates in the java-home/lib/security/cacerts file. As documented in keytool reference pages, it is your responsibility to maintain (that is, add and remove) the certificates contained in this file if you use this file as a truststore.

 

If you are using a Java framework or library you may have a problem when making any HTTPS calls. Like when making a Remote Webdriver request. Java has requires the user to manage a standalone Java truststore, wholly separate from the Operating System SSL truststore.

 

SSL certificates (aka a truststore) are typically managed by the Operating System. Other languages like JavaScript or Ruby defer to the local trust store when making HTTPS calls. Other languages and tests may be able to use Sauce Labs without a problem.

 

 

Solutions

Platform

Resources

Company

© 2019 Sauce Labs Inc., all rights reserved. SAUCE and SAUCE LABS are registered trademarks owned by Sauce Labs Inc. in the United States, EU, and may be registered in other jurisdictions.