You are currently reviewing an older revision of this page.

KB-1187 "The WSDL cannot be processed because the remote server certificate is invalid... unable to find valid certification path to requested target" error thrown when making web service calls

Symptoms

Making web services calls over HTTPS fails because the JBoss server does not trust the CA which was used to sign the certificate the web service presents. The following errors will be seen in the application server log

INFO  [stdout] (ajp-/0.0.0.0:8009-7) com.appiancorp.ws.WSClientException: The WSDL cannot be processed because the remote server certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: com.appiancorp.ws.security.transport.HTTPTransportException: The WSDL cannot be processed because the remote server’s certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate that’s being presented is not trusted by the application server. You will have to obtain a certificate signed by a trusted authority instead of a self-signed certificate or import it into the JDK truststore using the keytool command.

Action

You will have to use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

If you’re importing multiple certificates, make sure that the alias is different for each command. The alias can be anything and is just a name in this case, usually the name this certificate was issued for.

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

The above command (without the | grep ##ALIASNAME## or | findstr ##ALIASNAME##) can also be used to check what certificates are currently in the trust store. These are the default trusted certificates that come up with a standard installation of Java.

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Note: The above operations are currently not supported on Appian Cloud as you are not allowed to run any commands on the operating system. The workaround is to use the Advanced Call Web Service plug-in or to obtain a certificate from a trusted CA instead of using a self-signed one.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: January 2018

© 2024 Appian. All rights reserved.