Skip to main content
SDK / Relay Proxy

Error "Error in stream connection unable to find valid certification path to requested target" Java SDK

Affected: Java server-side SDK

Symptoms

When initializing the Java server-side SDK, the following error occurs, and the SDK fails to initialize:

Error in stream connection: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The Java Trust Store does not include the certificates that LaunchDarkly depends on for the TLS/SSL handshake. Older JVMs, such as Java 8 require manual certificate updates when a rotation occurs.

Solution

The solution is to add the necessary certificates to your Trust Store. The first step is getting those certificates. 

On Linux:

  1. In the console, type openssl s_client -connect app.launchdarkly.com:443 -showcerts.
  2. In the output, search for GlobalSign Atlas R3 DV TLS CA . Directly below that is a certificate; copy everything from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE-----.
  3. Paste the certificate into a text editor and save it to a file. Repeat the same for CN=GlobalSign Root CA if present.

 On Mac using Chrome:

  1. Navigate to app.launchdarkly.com.
  2. Select the padlock icon next to the URL and choose Connection is secure and then Certificate is valid; a pop-up window titled Certificate Viewer: app.launchdarkly.com will appear.
  3. Go to the Details tab and then select GlobalSign Atlas R3 DV TLS CA; then select the export button. This will create a .cer file containing the certificate.
  4. Repeat the same for GlobalSign Root CA if present.

 On Windows using Chrome: 

  1. Navigate to app.launchdarkly.com.
  2. Then select the padlock icon next to the URL and choose Certificate. A pop-up window with tabs will appear; go to the Certification Path tab, and there will be two items.
  3. Select GlobalSign Atlas R3 DV TLS CA, then choose View Certificate.
  4. Select Details, then Copy to File... and specify a filename.
  5. Repeat all this for GlobalSign Root CA if present.

For stream.launchdarkly.com negotiation failures, our SDK streaming endpoint uses the certificate issued by Amazon: Amazon RSA 2048. Follow the steps above and replace app.launchdarkly.com with stream.launchdarkly.com and GlobalSign Atlas R3 DV TLS CA with Amazon RSA 2048. If you can update the trust store to include the Amazon root, that should resolve the issue.
 

depth=2 C=US, O=Amazon, CN=Amazon Root CA 1
verify return:1
depth=1 C=US, O=Amazon, CN=Amazon RSA 2048 M04
verify return:1
depth=0 CN=stream.launchdarkly.com
verify return:1
---
Certificate chain
0 s:CN=stream.launchdarkly.com
i:C=US, O=Amazon, CN=Amazon RSA 2048 M04
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256

The last step is to add the necessary certificates to your Trust Store. Some Trust Stores require all the certificates in the security chain, while others just require one. If you have trouble adding just one, try adding them all.

Related articles

Was this article helpful?
0 out of 0 found this helpful
contact support icon
Contact Support Get in touch with us, so we can answer your specific questions directly
call to action arrow
documentation icon
Documentation Explore our documentation on feature flagging, experimentation & more
call to action arrow
submit support tickets icon
Your Support Tickets Check the status of all the support tickets you've filed
call to action arrow

READ

Blog

Learn the latest in feature management and our platform.

WATCH

Webinars

Register to watch live and on-demand content today.

LEARN

Documentation

Get technical and learn how to start using feature flags.