How to fix a PKIX Path Building Failed Error
If you're seeing errors in the weave.log file like:
PKIX exception output
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
it's likely cause by Weave trying to communicate with an external service that uses a certificate that Weave doesn't know about, for example if the service uses a self-signed certificate.
This could happen if you're connecting to an ArcGIS server that you're hosting within your own organisation where it's been installed and setup using its own certificate (which is the default when ArcGIS Server is installed).
To resolve this problem the Weave certificate store needs to be updated to include information about the certificate that the server is presenting. This can be done manually using the openssl
tool but it can also be done using a graphical tool Portecle, which is described below, alternatively Weave can be configured to ignore the certificates and just accept them as valid.
To have Weave ignore the certificates you have to set a system property called weave.ignoretls
, this property should be set to a comma separated list of host name that should have their certificates automatically accepted, to accept a group of hosts you can use an * in the name. This property could be set in the ...\weave\jetty_base\start.d\weave.ini
file.
Setting the property to ignore a group of internal servers and one external server
-Dweave.ignoretls=*.internal.mycompany.com,maps.theircompany.com
SQL Server
If you are seeing PKIX errors relating to connecting to SQL Server databases add trustServerCertificate=true
to the connection URL for the data sources pointing to SQL Server, e.g.
<url>jdbc:sqlserver://prodsql02:1433;DatabaseName=prod;trustServerCertificate=true</url>
Related articles
Unable to Connect to SSL Services due to PKIX Path Building Failed