Camunda PKIX ERROR : Not able access External Camunda Engine on https protocol

Hi,

I am trying to develop a Camunda application which has 2 separate parts:
1. Camunda Engine running separately on https://10.17.36.144:8443/
2. Spring Boot application where external tasks are defined
```java
@Component
@ExternalTaskSubscription("checkDeviceStatus")
@Slf4j
public class TaskDeviceStatus implements ExternalTaskHandler
```

**I am getting the below PKIX error when my Spring Boot application tries to connect to the external Camunda engine.**

2024-01-17 15:12:31,368 ERROR [TopicSubscriptionManager] org.camunda.bpm.client.impl.ExternalTaskClientLogger: TASK/CLIENT-03001 Exception while fetch and lock task.
org.camunda.bpm.client.impl.EngineClientException: TASK/CLIENT-02002 Exception while establishing connection for request 'POST https://10.17.36.144:8443/engine-rest/external-task/fetchAndLock HTTP/1.1'
	at org.camunda.bpm.client.impl.EngineClientLogger.exceptionWhileEstablishingConnection(EngineClientLogger.java:36)
	at org.camunda.bpm.client.impl.RequestExecutor.executeRequest(RequestExecutor.java:101)
	at org.camunda.bpm.client.impl.RequestExecutor.postRequest(RequestExecutor.java:74)
	at org.camunda.bpm.client.impl.EngineClient.fetchAndLock(EngineClient.java:83)
	at org.camunda.bpm.client.topic.impl.TopicSubscriptionManager.fetchAndLock(TopicSubscriptionManager.java:135)
	at org.camunda.bpm.client.topic.impl.TopicSubscriptionManager.acquire(TopicSubscriptionManager.java:101)
	at org.camunda.bpm.client.topic.impl.TopicSubscriptionManager.run(TopicSubscriptionManager.java:87)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:298)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1511)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:221)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140)
	at org.camunda.bpm.client.impl.RequestExecutor.executeRequest(RequestExecutor.java:88)
	... 6 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
	... 32 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	... 38 common frames omitted

**Can anyone tell me how to resolve this?**

This will help you to fix the cert issue.


Hi @cpbpm ,

Thank you for your reply. Maybe in standalone mode (local) it will work by placing the required certs in the JDK folder.

Do you have any solution to fix it in a pod (containerisation)?

@Ingo_Richtsmeier @Niall do we have any solution?

Are you able to fetch and lock tasks directly through the rest api?

@Niall I haven't tried that. Nor am I touching any internal logic of Camunda.

It's a good idea to validate that you're able to reach the REST API.
The issue could be that there's a problem with how the REST API has been exposed. It's not internal logic, it's just the way that the external task talks to the engine. If you're not able to reach the REST API from Postman or something, then you know the issue is with how the engine is set up.

This looks like an SSL certificate validation error. If you are calling https://10.17.36.144:8443/ that means you are calling it by IP address and not hostname. Java is detecting it as a security threat.
Either you must set up proper SSL certs via a well-known CA which is already trusted by Java, OR you have to add the self-signed/internal-CA-issued certs to the Java CA trust store.
The steps will depend on the Java version and your SSL setup.


Hi @Niall

As per your suggestion, I tried from Postman. It's returning 200 as the response. Attaching the response below.

This validates that the issue is with the code you have making the request, and I think that @ad_sahota spotted the security issue in the logs, so I think that should be your next point to investigate.

Thank you @ad_sahota @Niall @cpbpm ,

1. Option for local setup: import the certificates into the local JDK folder (`\lib\security\cacerts`) as pointed out by @cpbpm.
2. For Docker, see the sample snippet below. Make sure to keep your certificate in the same folder as the Dockerfile.

```dockerfile
FROM maven:3.8.2-openjdk-11-slim
WORKDIR /app/camunda
# .crt file in the same folder as your Dockerfile
ARG CERT="cert.crt"

COPY $CERT /app/camunda
COPY . .
RUN keytool -importcert -file $CERT -alias $CERT -cacerts -storepass changeit -noprompt
```
...
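An alternative to baking the engine certificate into the image's global `cacerts` is to keep it in a dedicated trust store (for example one mounted into the pod from a secret) and point the JVM at it with `-Djavax.net.ssl.trustStore=/path/engine-truststore.p12 -Djavax.net.ssl.trustStorePassword=...`; the stack trace above shows the Camunda client uses Apache HttpClient with the JVM default trust manager, so that setting is honoured. The check below is an added example, not code from the thread or from Camunda: it loads such a trust store (path and password are assumed; create it with `keytool -importcert -file cert.crt -alias camunda-engine -keystore engine-truststore.p12 -storepass changeit -noprompt`), does one TLS request to the engine's `/engine-rest/version` endpoint, and distinguishes a still-missing CA from the other failure you hit when calling by IP address: the certificate must carry `10.17.36.144` as an IP subject alternative name or Java's hostname verification rejects it even though the chain is trusted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class EngineTrustCheck {

    // Builds an SSLContext that trusts only the CAs contained in the given
    // PKCS12/JKS trust store, leaving the JVM's global cacerts untouched.
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client cert, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed trust store location and password (changeit is keytool's well-known default;
        // use your own in a real deployment).
        String trustStore = args.length > 0 ? args[0] : "engine-truststore.p12";
        char[] password = "changeit".toCharArray();
        // Engine URL from the thread; /version is an unauthenticated, side-effect-free endpoint.
        String engine = "https://10.17.36.144:8443/engine-rest/version";

        HttpsURLConnection conn = (HttpsURLConnection) new URL(engine).openConnection();
        conn.setSSLSocketFactory(contextFor(trustStore, password).getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode()
                    + ": trust store accepts the engine certificate");
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed"  -> the engine's issuing CA is still not in the store.
            // "No subject alternative names matching IP address 10.17.36.144 found"
            //                              -> chain is trusted, but the cert lacks an IP SAN.
            System.out.println("Handshake rejected: " + e.getMessage());
        }
    }
}
```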
