Question:
I am in a company, and need to set a proxy to connect to the Internet. The proxy setting is OK, because I can connect to other websites, e.g. Neon – http://download.eclipse.org/releases/neon, but not to http://aws.amazon.com/eclipse.
The error message is:
Unable to read repository at
https://aws.amazon.com/eclipse/content.xml. Unable to read repository
at https://aws.amazon.com/eclipse/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target.
The specific stack is:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:554)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:435)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:216)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.layerProtocol(ManagedClientConnectionImpl.java:394)
at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:814)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:615)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.eclipse.ecf.provider.filetransfer.httpclient4.HttpClientFileSystemBrowser.runRequest(HttpClientFileSystemBrowser.java:263)
at org.eclipse.ecf.provider.filetransfer.browse.AbstractFileSystemBrowser$DirectoryJob.run(AbstractFileSystemBrowser.java:69)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
… 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
… 26 more
Answer:
This is because Java does not recognize the root certificate authority (CA) SSL certificate of https://aws.amazon.com.
The solution is to add that certificate to the Java cacerts file so that it is permanently accepted.
Step 1: Get the root certificate of https://aws.amazon.com
CHROME BROWSER
- Open https://aws.amazon.com
- Select Inspect from the context menu (right-click on the page) and navigate to the Security tab
- Click on View certificates
- Click on the topmost certificate in the hierarchy and confirm it ends with the phrase Root CA.
- Drag and drop the image that you saw labeled as certificate onto the desktop.
FIREFOX BROWSER
- Open https://aws.amazon.com
- Click on the green lock button, “show certificate”
- Tab “details”, “export”
That's it! You got your root certificate!
Step 2: Get that certificate added to the Java cacerts file.
- Use keytool.exe inside your JRE bin folder.
- Run the following command to place your certificate inside the cacerts file:
keytool -import -noprompt -trustcacerts -alias ALIASNAME -file /PATH/TO/YOUR/DESKTOP/CertificateName.cer -keystore /PATH/TO/YOUR/JDK/jre/lib/security/cacerts -storepass changeit
That is it! You got your problem resolved.
PLEASE NOTE
- Do confirm that the JRE which is giving you this PKIX error (the JRE used by Eclipse or by your app after deployment) is the one where you perform Step 2. If you try with another JRE, the problem will remain as it is.
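
An added check, not part of the original answer: it reports which cacerts file the running JRE actually uses and, given the exported file from Step 1, whether that certificate is really a self-signed CA, what its SHA-256 fingerprint is, and whether it is already trusted. The class name CheckRootCert is hypothetical; compile it and run it with the java binary of the JRE that shows the PKIX error.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example. Usage: java CheckRootCert /PATH/TO/YOUR/DESKTOP/CertificateName.cer
// With no argument it only reports the trust store of the running JRE.
public class CheckRootCert {
    public static void main(String[] args) throws Exception {
        // java.home identifies the JRE that is executing this code right now.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            trust.load(in, null); // null password: read entries, skip the integrity check
        }
        System.out.println("Trust store : " + cacerts + " (" + trust.size() + " entries)");
        if (args.length == 0) return;

        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) { // accepts DER or PEM
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // A root CA is self-issued, verifies under its own key, and is marked as a CA.
        boolean selfIssued = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        boolean selfSigned = false;
        try {
            cert.verify(cert.getPublicKey());
            selfSigned = true;
        } catch (Exception e) {
            // signature does not verify under its own key: not a root certificate
        }
        boolean isCa = cert.getBasicConstraints() >= 0; // -1 means "not a CA"

        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            fp.append(String.format("%02X:", b));
        }
        fp.setLength(fp.length() - 1); // drop the trailing colon
        String alias = trust.getCertificateAlias(cert); // null if not in this store

        System.out.println("Subject     : " + cert.getSubjectX500Principal().getName());
        System.out.println("Issuer      : " + cert.getIssuerX500Principal().getName());
        System.out.println("Valid until : " + cert.getNotAfter());
        System.out.println("SHA-256     : " + fp);
        System.out.println("Root CA     : " + (selfIssued && selfSigned && isCa));
        System.out.println("In cacerts  : " + (alias != null ? "yes, alias " + alias : "no"));
    }
}
```

Run it once before Step 2 to compare the subject and fingerprint with what the CA publishes, and once after to confirm that "In cacerts" reports the alias you chose.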