Skip to content

unable to find valid certification path to requested target google recaptcha in java maven application

I’ve made a Maven webapplication with a contactform with Google reCaptcha v3 which is running on Glassfish 5 on a Centos server. The contactform page makes a request to https://www.google.com/recaptcha/api/siteverify and sends a token and a site key. You’ll get a json object answering the question if the request is coming from a bot or a human.

When Java is sending that request I got a connection error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targe

Java or the Glassfish server is not trusting the website because it has no valid certificate in it’s keystore as explained here.

Importing the certiface with keytool (/opt/jdk1.8.0_181/jre/bin/keytool) in /opt/jdk1.8.0_181/jre/lib/security/cacerts (the keystore where the certificates are stored) is not working.

Answer

In the Glassfish domain folder (in my case it is in /home/glassfish/glassfish5/glassfish/domains/domain1) there is a config folder with a file named cacerts.jks and keystore.jks. You can edit it with keytool but you can also edit with Keytool Explorer (https://keystore-explorer.org/). Download the certificate with a browser as explained her. You can download the SSL-server certificate as a .crt. In my case it was wwwgooglecom.crt but you can also choose your own emailserver (in my case it was leenheeren.nl.cert. It is more easy to import it with the Keystore tool above. Upload the file cacerts.jks and keystore.jks and restart the Glassfish server. The difference between cacert.jks and keystore.jks is as follows: cacerts is where Java stores public certificates of root CAs (of the domain). Java uses cacerts to authenticate the servers. Keystore is where Java stores the private keys of the clients so that it can share it to the server when the server requests client authentication.