Recently I needed to debug an issue by testing SSL chaining issues. My old standby tools (curl and openssl) were not reporting any errors.
The exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Cause
The certificate chain presented by the server does not chain to a certificate (trust anchor) in the client's keystore.
Tool to debug the issue
SSLPoke.class is what was used to debug the issue. Link to source here.
How to use the tool
Download the class file, then run it against the host and port with JSSE debugging turned on:

curl -k "https://confluence.atlassian.com/download/attachments/180292346/SSLPoke.class?version=1&modificationDate=1236556489366&api=v2" -o "SSLPoke.class"
java -Djavax.net.debug=ssl SSLPoke example.com 443 > debug.log 2>debug.err

Now check out debug.log (near the end), where the chain the server sent is printed, to determine if your cert chaining is incorrect.
What finally solved my issue
In my case I used the wrong GoDaddy chaining cert with an nginx reverse proxy…
I used:
Go Daddy Class 2 Certification Authority Root Certificate (gd-class2-root.crt)
Certificate File Hash (sha1): 98 F1 CC 3D 9F 09 73 69 1E B4 AE 9A 1E AF AC 7F D6 30 1D FB
Certificate Thumbprint (sha1): 27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4
instead of:
Go Daddy Certificate Bundles (for cPanel, Plesk, Apache 1.x and 2.x installation only) (gd_bundle.crt)
Certificate File Hash (sha1): 47 E5 6A 19 BF B1 F1 9E 5D 92 88 0C 16 19 E1 8C C1 CD 06 CB
Reference: https://confluence.atlassian.com/display/CONFKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException