Affected: Java server-side SDK
Symptoms
When initializing the Java server-side SDK, the following error occurs, and the SDK fails to initialize:
Error in stream connection: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause
The Java Trust Store does not include the certificates that LaunchDarkly depends on.
Solution
The solution is to add the necessary certificates to your Trust Store. The first step is getting those certificates.
On Linux:
- In the console, type
  openssl s_client -connect app.launchdarkly.com:443 -showcerts
- In the output, search for GlobalSign Atlas R3 DV TLS CA 2023 Q2. Directly below that is a certificate; copy everything from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE-----.
- Paste the certificate into a text editor and save it to a file. Repeat the same for CN=GlobalSign Root CA if present.
On Mac using Chrome:
- Navigate to app.launchdarkly.com.
- Click the padlock icon next to the URL and click "Connection is secure" and then "Certificate is valid"; a pop-up window titled Certificate Viewer: app.launchdarkly.com will appear.
- Go to the "Details" tab and then click GlobalSign Atlas R3 DV TLS CA 2023 Q2; then click the export button. This will create a .cer file containing the certificate.
- Repeat the same for GlobalSign Root CA if present.
On Windows using Chrome:
- Navigate to app.launchdarkly.com.
- Then click the padlock icon next to the URL and choose "Certificate". A pop-up window with tabs will appear; go to the "Certification Path" tab, and there will be two items.
- Click GlobalSign Atlas R3 DV TLS CA 2023 Q2, then click "View Certificate".
- Click "Details", then "Copy to File..." and specify a filename.
- Repeat all this for GlobalSign Root CA if present.
For stream.launchdarkly.com, which is our SDK streaming endpoint, the certificate is issued by Amazon (Amazon RSA 2048 M01):
* Server certificate:
* subject: CN=stream.launchdarkly.com
* start date: Mar 8 00:00:00 2023 GMT
* expire date: Apr 5 23:59:59 2024 GMT
* subjectAltName: host "stream.launchdarkly.com" matched cert's "stream.launchdarkly.com"
* issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
* SSL certificate verify ok.
> GET /all HTTP/1.1
> Host: stream.launchdarkly.com
The last step is to add the necessary certificates to your Trust Store. Some Trust Stores require all the certificates in the security chain, while others just require one. If you have trouble adding just one, try adding all of them.
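For the Linux steps above, an added example (not LaunchDarkly's own code) that picks the certificate by chain entry instead of by eye: in -showcerts output each PEM block belongs to the entry whose subject (s:) line precedes it, so a name that matches only on an issuer (i:) line sits above a different certificate. The function name and the sample chain are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The chain text below is constructed; the PEM bodies are
# placeholders, not real certificates.
sample_showcerts() {
cat <<'EOF'
Certificate chain
 0 s:CN = app.launchdarkly.com
   i:CN = GlobalSign Atlas R3 DV TLS CA 2023 Q2
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFBODY
-----END CERTIFICATE-----
 1 s:CN = GlobalSign Atlas R3 DV TLS CA 2023 Q2
   i:CN = GlobalSign Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDINTERMEDIATEBODY
-----END CERTIFICATE-----
EOF
}

# extract_cert_by_subject NAME   (hypothetical helper; reads stdin)
# Prints the PEM block of the first chain entry whose subject line
# contains NAME. Exits non-zero if no subject matches, for example when
# the server did not send that certificate.
extract_cert_by_subject() {
    awk -v name="$1" '
        # "N s:..." opens a chain entry; decide whether it is the wanted one
        /^ *[0-9]+ s:/                 { want = (index($0, name) > 0) }
        /^-----BEGIN CERTIFICATE-----/ { in_pem = 1 }
        in_pem && want                 { print; found = 1 }
        # stop after the wanted block, otherwise keep scanning
        /^-----END CERTIFICATE-----/   { if (want) exit; in_pem = 0 }
        END                            { exit !found }
    '
}

# Demo on the constructed sample: prints only the second PEM block.
sample_showcerts | extract_cert_by_subject "GlobalSign Atlas R3 DV TLS CA 2023 Q2"
```

On a live host, pipe the openssl s_client command from the Linux steps (with </dev/null as its input) into the function and redirect the output to a file. Compare that file's `openssl x509 -noout -fingerprint -sha256` value with the one the CA publishes before importing it with `keytool -importcert`, since a TLS-inspecting proxy on the path would present its own chain here.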