I received the exception 'PKIX path building failed ... unable to find valid certification path to requested target' when connecting to Team Foundation Server. How do I fix it?
- Last updated
- Save as PDF
Last Updated: | Applicable Hub Versions: All
Answer
The "PKIX path building failed ...unable to find valid certification path to requested target" error message generally means that Hub is unable to properly validate the SSL certificate for your server either because your server is using a self-signed certificate, or because the Java packaged with your Hub product did not ship with the appropriate root certificates. If you wish to connect to this server, you will need to install the SSL certificate into the keystore in the JRE folder of your Hub product and restart it. To add to the keystore, see here.
- Shut down your Hub instance
- In your browser, navigate to the URL / URI where the SSL Certificate can be viewed
- Click on the padlock icon in the address bar (IE or Chrome) or at the bottom of the screen (Firefox)
- Select View Certificates.
- Click on the Details tab and then click Copy to File …
- Look at the entire path and do the same for each certificate (intermediates and root)
- Walk through the wizard to create a DER encoded binary X.509 (CER) format certificate
- Save the file to a local directory (i.e.,
c:\SSL\) - In command prompt enter the following:
<path_to_jre>/bin/keytool -import -trustcacerts -keystore <path_to_jre>/lib/security/cacerts -file c:\SSL\my_ca.cer -alias myca<path_to_jre>refers to the jre folder in the Hub install location- The keytool command should be run for each certificate exported. Each will need to have a unique alias.
- The default password is: changeit
- Start your Hub product
- Try again to connect to the Azure DevOps Server repository
Possible Exception:
com.tasktop.internal.sync.core.SyncException: Repository network error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.tasktop.internal.sync.core.SyncAdapter.runSubmitJob(SyncAdapter.java:620)
at com.tasktop.internal.sync.core.SyncAdapter.putSyncItem(SyncAdapter.java:351)
at com.tasktop.internal.sync.core.state.UpdateProxyState.transition(UpdateProxyState.java:113)
at com.tasktop.internal.sync.core.state.SyncState.performTransition(SyncState.java:60)
at com.tasktop.internal.sync.core.WorkerJob.onPoll(WorkerJob.java:52)
at com.tasktop.server.core.ServerJob.run(ServerJob.java:87)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: com.microsoft.tfs.core.exceptions.TECoreException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.microsoft.tfs.core.exceptions.mappers.TECoreExceptionMapper.map(TECoreExceptionMapper.java:99)
at com.microsoft.tfs.core.exceptions.mappers.LocationExceptionMapper.map(LocationExceptionMapper.java:32)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:76)
at com.microsoft.tfs.core.clients.framework.location.LocationService.connect(LocationService.java:754)
at com.microsoft.tfs.core.clients.framework.location.LocationService.ensureConnected(LocationService.java:884)
at com.microsoft.tfs.core.clients.framework.location.LocationService.ensureAuthenticated(LocationService.java:923)
at com.microsoft.tfs.core.TFSConnection.ensureAuthenticated(TFSConnection.java:739)
at com.tasktop.internal.microsoft.tfs.core.client.TFSClient.createConnection(TFSClient.java:173)
at com.tasktop.internal.microsoft.tfs.core.client.TFSClient.getConnection(TFSClient.java:131)
at com.tasktop.internal.microsoft.tfs.core.client.TFSClient.getWorkItemClient(TFSClient.java:292)
at com.tasktop.internal.microsoft.tfs.core.client.TFSClient.createNewWorkItem(TFSClient.java:448)
at com.tasktop.internal.microsoft.tfs.core.TFSTaskDataHandler.postTaskData(TFSTaskDataHandler.java:100)
at com.tasktop.internal.microsoft.tfs.core.TFSTaskDataHandler.postTaskData(TFSTaskDataHandler.java:82)
at org.eclipse.mylyn.internal.tasks.core.sync.SubmitTaskJob.run(SubmitTaskJob.java:101)
... 1 more
Caused by: com.microsoft.tfs.core.ws.runtime.exceptions.TransportException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequestInternal(SOAPService.java:744)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequest(SOAPService.java:473)
at ms.ws._LocationWebServiceSoap12Service.connect(_LocationWebServiceSoap12Service.java:384)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:70)
... 12 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at com.microsoft.tfs.core.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:597)
at com.microsoft.tfs.core.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2518)
at com.microsoft.tfs.core.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1313
at com.microsoft.tfs.core.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:508)
at com.microsoft.tfs.core.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:197)
at com.microsoft.tfs.core.httpclient.HttpClient.executeMethod(HttpClient.java:464)
at com.microsoft.tfs.core.httpclient.HttpClient.executeMethod(HttpClient.java:376)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequestInternal(SOAPService.java:588)
... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.microsoft.tfs.core.config.httpclient.internal.DefaultX509TrustManager.checkServerTrusted(DefaultX509TrustManager.java:181)
... 33 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 39 more