tomcat-users mailing list archives

From: Andy Ee
Subject: Tomcat unable to validate SSL certificate authority
Date: Thu, 03 May 2012 17:20:58 GMT

Dear all,

I have been stuck with this problem for over a month now, and I have tried all ways, but to no avail.

My Tomcat 6.0.32 is running on Solaris 10 and the JDK version is 1.6.0_21. I deployed a Java
program in Tomcat webapps/ which will post some results to a web server via an HTTPS URL. I
received the following error in the catalina.out log.

[12-05-04 00:57:20] INFO  [http-8080-1]  Sending to (
- timeout: 30000
[12-05-04 00:57:22] ERROR [http-8080-1] Encounter exception while send status to merchant
status url! PKIX path building failed:
unable to find valid certification path to requested target

I downloaded and imported the required CA chain certificates into the java truststore cacerts
but it does not help. 

Next, I tried to set JAVA_OPTS to point Tomcat to the cacerts as the truststore and it doesn’t
help either.

bash-3.00# /usr/ucb/ps -auxwww | grep tomcat
root     25578  0.1 11.01145892903712 pts/8    S 00:55:57  2:14 /usr/java/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.32/conf/
-Xms512m -Xmx1024m -XX:MaxPermSize=512m -XX:+DisableExplicitGC -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.32/endorsed -classpath /usr/local/apache-tomcat-6.0.32/bin/bootstrap.jar
-Dcatalina.base=/usr/local/apache-tomcat-6.0.32 -Dcatalina.home=/usr/local/apache-tomcat-6.0.32 org.apache.catalina.startup.Bootstrap

The CA certificates were imported into cacerts using the following keytool commands.

keytool -import -trustcacerts -keystore cacerts -file root.cer -alias BuiltinObjectToken-GoDaddyClass2CA
keytool -import -trustcacerts -keystore cacerts -file inter.cer -alias GoDaddySecureCertificationAuthority

I also tried to verify by using and and both could locate the
CA certificates in cacerts. Therefore, I suspect that Tomcat is not using cacerts properly.

Any help is greatly appreciated!
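
One way to test the suspicion in the message above is to ask the JVM itself which truststore it resolves and whether the imported CA is among its trust anchors. This is an added example, not part of the original post or of Tomcat; the class name `TrustStoreCheck` and the default search text "Go Daddy" (taken from the aliases in the post) are assumptions.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class name): reports which truststore this JVM
// uses by default and whether a CA whose subject contains args[0] is trusted.
public class TrustStoreCheck {

    // Mirrors JSSE's default lookup: system property, then jssecacerts, then cacerts.
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        String needle = args.length > 0 ? args[0] : "Go Daddy"; // assumed search text
        File store = resolveTrustStore();
        System.out.println("java.home  : " + System.getProperty("java.home"));
        System.out.println("truststore : " + store.getAbsolutePath()
                + (store.exists() ? "" : "  (MISSING)"));

        // Passing null makes the factory load the JVM's default truststore, the
        // same trust anchors HttpsURLConnection uses unless the application
        // installs its own SSLContext.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        int total = 0, hits = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                total++;
                String subject = ca.getSubjectX500Principal().getName();
                if (subject.toLowerCase().contains(needle.toLowerCase())) {
                    hits++;
                    System.out.println("trusted CA : " + subject
                            + "  (expires " + ca.getNotAfter() + ")");
                }
            }
        }
        System.out.println(total + " trust anchors loaded, " + hits
                + " matching \"" + needle + "\"");
        if (hits == 0) System.exit(1); // expected CA is not in the store this JVM reads
    }
}
```

Run it with the same java binary and the same -D options as the Tomcat process so that it resolves the same file. A relative `-keystore cacerts` argument to keytool edits whichever file of that name is in the current directory, which may not be the path printed here.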

