Error PKIX path building failed

Heiko December 18, 2019

Hello everybody i got this error from my Jira Post function

2019-12-18 10:18:17,985 ERROR [workflow.ScriptWorkflowFunction]: *************************************************************************************
2019-12-18 10:18:18,001 ERROR [workflow.ScriptWorkflowFunction]: Script function failed on issue: BPS-813, actionId: 41, file: <inline script>
com.atlassian.sal.api.net.ResponseException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.atlassian.sal.core.net.HttpClientRequest.executeAndReturn(HttpClientRequest.java:110)
	at com.atlassian.plugins.rest.module.jersey.JerseyRequest.executeAndReturn(JerseyRequest.java:131)
	at com.atlassian.plugins.rest.module.jersey.JerseyRequest.execute(JerseyRequest.java:113)
	at com.atlassian.applinks.core.auth.ApplicationLinkRequestAdaptor.execute(ApplicationLinkRequestAdaptor.java:47)
	at com.atlassian.applinks.oauth.auth.OAuthRequest.execute(OAuthRequest.java:71)
	at com.atlassian.sal.api.net.Request$execute$1.call(Unknown Source)
	at Script1224.run(Script1224.groovy:72)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at com.atlassian.sal.core.net.HttpClientRequest.executeAndReturn(HttpClientRequest.java:105)
	... 6 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	... 18 more

 This is the code behind the error:

import com.atlassian.applinks.api.ApplicationLink
import com.atlassian.applinks.api.ApplicationLinkService
import com.atlassian.applinks.api.application.confluence.ConfluenceApplicationType
import com.atlassian.jira.issue.Issue
import com.atlassian.sal.api.component.ComponentLocator
import com.atlassian.sal.api.net.Request
import com.atlassian.sal.api.net.Response
import com.atlassian.sal.api.net.ResponseException
import com.atlassian.sal.api.net.ResponseHandler
import groovy.json.JsonBuilder
import groovy.json.JsonSlurper
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.issue.Issue
import groovy.xml.MarkupBuilder
/**
* Retrieve the primary confluence application link
* @return confluence app link
*/
def ApplicationLink getPrimaryConfluenceLink() {
def applicationLinkService = ComponentLocator.getComponent(ApplicationLinkService.class)
final ApplicationLink conflLink = applicationLinkService.getPrimaryApplicationLink(ConfluenceApplicationType.class)
conflLink
}


def confluenceLink = getPrimaryConfluenceLink()
assert confluenceLink // must have a working app link set up

def authenticatedRequestFactory = confluenceLink.createImpersonatingAuthenticatedRequestFactory()
def writer = new StringWriter()
def xml = new MarkupBuilder(writer)


def pageTitle = issue.getSummary()
def pageBody = """h3. Lauda
{quote}dgkbn kjc.,vmn {quote}

"""

def params = [
type : "page",

ancestors: [
[
type:"page",
id : "12517392",
]
],
title: pageTitle,
space: [
key: "BPS" ],

body : [
storage: [
value : pageBody,
representation: "wiki"
],
],
]

authenticatedRequestFactory
.createRequest(Request.MethodType.POST, "rest/api/content")
.addHeader("Content-Type", "application/json")
.setRequestBody(new JsonBuilder(params).toString())
.execute(new ResponseHandler<Response>() {
@Override
void handle(Response response) throws ResponseException {
if (response.statusCode != HttpURLConnection.HTTP_OK) {
throw new Exception(response.getResponseBodyAsString())
} else {
def webUrl = new JsonSlurper().parseText(response.responseBodyAsString)["_links"]["webui"]
}
}
})

1 answer

1 accepted

0 votes
Answer accepted
Patrick December 23, 2019

Mostly happens in environments with their own PKI.

Ensure that you trust the Server Certificate of the destination Url (File "cacerts" in $JAVA_HOME.

Heiko January 13, 2020

the problem was that we have more  than one confluence link in our system

Nirmani_Kalakheti May 26, 2022

When connecting two servers or rather application via HTTPS, the public SSL certificate from each server must be added to the other server's JVM trust store, as described here: https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html. After importing you need to restart Jira Services. 

If you have a lower environment like dev or stage, then you would want to try this and see if that is going to help. 

Suggest an answer

Log in or Sign up to answer