"SSLHandshakeException: PKIX path building failed" error

Modified on Fri, 16 Sep 2022 at 08:39 AM

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)

This error occurs when a target server's SSL certificate cannot be verified due to an incomplete certificate chain of trust on the calling system. You may encounter this error due to:

  1. A private Certificate Authority's (CA) public certificate not being available in your Nextflow / Nextflow Tower instance.
  2. Missing intermediate certificates in your Nextflow / Nextflow Tower instance.

SOLUTION 1: Add a private CA certificate to the Nextflow container#

To add a copy of your private CA's public certificate to a container running the Nextflow process, do the following:

  1. Acquire a copy of your private CA's public certificate (i.e. ca.crt).
  2. Copy ca.crt to a storage medium that is programmatically available to your container.
  3. Define a pre-run script that does the following:
    1. Downloads the certificate file to the container from the storage medium.
    2. Imports the CA certificate to your Java truststore.
# Example
aws s3 cp s3://your-bucket/path/to/ca.crt /path/to/local/file
keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit  -alias aliasName -file path/to/certificate.cer

SOLUTION 2: Adding intermediate certificates to your instance#

To allow Java to automatically download missing intermediate certificates, activate the enableAIAcaIssuers system property via an environment variable:

export JAVA_OPTS="-Dcom.sun.security.enableAIAcaIssuers=true"
  1. For Tower-based connectivity problems, set the environment variable within your Tower implementation.

  2. For Nextflow container connectivity problems, set the environment variable using a pre-run script.

Please note that this fix is dependent on the JVM version. See here for further details.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article