PKIX error when running okta start and selecting any option #163

Open
degerlac opened this issue May 22, 2021 · 3 comments

Comments

@degerlac

I am running OpenJDK 11 on Mac OS 10.15.7. When I run okta start and select any number to download, it fails with a PKIX error. I would really like to use the tool, but I can't get off first base. What URL is it trying to access?

com.okta.commons.http.HttpException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.okta.commons.http.httpclient.HttpClientRequestExecutor.executeRequest(HttpClientRequestExecutor.java:191)
at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147)
at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120)
at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:443)
at com.okta.sdk.impl.ds.DefaultDataStore.lambda$getResourceData$1(DefaultDataStore.java:196)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
at com.okta.sdk.impl.ds.cache.WriteCacheFilter.filter(WriteCacheFilter.java:34)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.cache.ReadCacheFilter.filter(ReadCacheFilter.java:42)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.DefaultDataStore.getResourceData(DefaultDataStore.java:208)
at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:177)
at com.okta.sdk.impl.ds.DefaultRequestBuilder.get(DefaultRequestBuilder.java:90)
at com.okta.cli.common.service.DefaultAuthorizationServerService.authorizationServersMap(DefaultAuthorizationServerService.java:33)
at com.okta.cli.commands.apps.CommonAppsPrompts.getIssuer(CommonAppsPrompts.java:36)
at com.okta.cli.commands.Start.runCommand(Start.java:122)
at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:41)
at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:26)
at picocli.CommandLine.executeUserObject(CommandLine.java:1783)
at picocli.CommandLine.access$900(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2150)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2144)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2108)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:1975)
at picocli.CommandLine.execute(CommandLine.java:1904)
at com.okta.cli.OktaCli.run(OktaCli.java:64)
at com.okta.cli.OktaCli.main(OktaCli.java:54)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1409)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1315)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.okta.commons.http.httpclient.HttpClientRequestExecutor.executeRequest(HttpClientRequestExecutor.java:186)
... 26 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:264)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 51 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 57 more

@bdemers
Contributor

bdemers commented May 22, 2021

Hey @degerlac!

There are a couple of common reasons for seeing this.
1.) You are connecting through some sort of proxy / VPN / network scanner
2.) You have your Okta Org setup with a custom domain and it does NOT have the full certification chain setup

Without any more info I'm going to guess the second, but here is an easy way to test it:

If you see errors on this tab, you can correct the problem by following this guide:
https://developer.okta.com/docs/guides/custom-url-domain/enable-the-custom-domain/

The "chain" is optional for some clients (for example most browser connections don't need it), but many languages/frameworks (e.g. Java) require the full chain to be installed.

Either way, let me know if this helps; it's possible we could catch this error and provide better instructions (but I'm just making an educated guess).

Assuming I'm wrong, let me know your Okta Org / URL and I can take a look. If you don't want to put that info in this issue, you can send it to Okta support, and reference this issue, and tell them to pass the info to @bdemers 😉

@klongmitre

@bdemers - This is also a problem if a company uses self-signed certs for things like ZScaler. Is it possible to import a certificate chain into the embedded Java truststore the CLI is using? Or provide an environment variable like AWS_CA_BUNDLE?

@bdemers
Contributor

bdemers commented Nov 11, 2022

@klongmitre, there are no immediate plans to support self-signed certificates with the Okta CLI.

Ideally, we'd like to see folks using certs with chains, but I understand that isn't always as simple as it sounds.
I'll leave this issue open for a bit to see if any other folks are looking for this functionality and we can reconsider it!

I can offer a quick workaround, though: you can grab the Java jar version of the Okta CLI:
https://repo1.maven.org/maven2/com/okta/cli/okta-cli/0.10.0/okta-cli-0.10.0.jar

Run it as:

java -jar /path/to/okta-cli-0.10.0.jar

Then configure your JVM with the appropriate keystore.
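As an added example (not code from this issue or from the Okta CLI project), the shell script below covers both points made in this thread: checking whether the server actually sends the intermediate certificates that the JDK's PKIX path builder needs, and bdemers' workaround of running the jar against a JVM configured with its own trust store. It assumes openssl and the JDK's keytool are on PATH, that JAVA_HOME points at the JDK that runs the CLI, and that the host name, CA PEM file, trust-store path and jar path are hypothetical inputs supplied on the command line.

```shell
#!/bin/sh
# Added example, not part of the issue or of the Okta CLI. Assumes openssl and
# the JDK's keytool are on PATH and JAVA_HOME points at the JDK running the CLI.
# Host, PEM path, trust-store path and jar path are hypothetical inputs.

# Fetch the raw certificate chain a server presents in the TLS handshake.
fetch_server_chain() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null
}

# Read `openssl s_client -showcerts` output on stdin, list each certificate's
# subject and issuer, and report whether the server sent the intermediates a
# Java client needs to build a path to a trusted root. Browsers often fetch a
# missing intermediate on their own; the JDK's PKIX builder does not, which is
# why a chain that "works in the browser" still fails here.
diagnose_chain() {
    input=$(cat)
    printf '%s\n' "$input" | grep -E '^ *[0-9]+ s:|^ *i:' || true
    n=$(printf '%s\n' "$input" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    case "$n" in
        0) echo "no certificate in output: connection failed or not TLS" ;;
        1) echo "leaf only: server sends no intermediates, Java cannot build the path" ;;
        *) echo "$n certificates presented (leaf plus $((n - 1)) issuer(s))" ;;
    esac
}

# Build a dedicated trust store: a copy of the JDK's default roots plus the CA
# that signs what the client actually sees (a corporate inspecting proxy's CA,
# or the issuer of a custom-domain certificate). Verification stays on; only
# the set of trusted roots grows by one.
build_truststore() {
    ca_pem="$1"; store="$2"
    cp "${JAVA_HOME:?set JAVA_HOME to the JDK that runs the CLI}/lib/security/cacerts" "$store"
    # The JDK ships cacerts with the well-known store password "changeit".
    keytool -importcert -noprompt -trustcacerts -alias extra-ca \
        -file "$ca_pem" -keystore "$store" -storepass changeit
    # Confirm the entry landed before pointing the CLI at the store.
    keytool -list -keystore "$store" -storepass changeit -alias extra-ca
}

# JVM system properties that point the Okta CLI jar at that trust store.
jvm_trust_args() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# bdemers' workaround with the JVM configuration spelled out.
run_cli() {
    jar="$1"; store="$2"; shift 2
    # Intentional word splitting of the two -D flags; paths must not contain spaces.
    java $(jvm_trust_args "$store" changeit) -jar "$jar" "$@"
}

# Stand-alone use (hypothetical host, file names and jar path):
#   sh chain-check.sh check example-org.okta.com
#   sh chain-check.sh trust corp-proxy-ca.pem okta-trust.jks
#   sh chain-check.sh run okta-cli-0.10.0.jar okta-trust.jks start
case "${1:-}" in
    check) fetch_server_chain "$2" | diagnose_chain ;;
    trust) build_truststore "$2" "$3" ;;
    run)   shift; run_cli "$@" ;;
esac
```

The `check` step is the same test bdemers suggests, done from the command line: if only the leaf certificate shows up, the fix belongs on the Okta side (install the full chain for the custom domain); if a proxy's CA shows up as issuer, the `trust` step adds that CA as an extra trust anchor instead of switching verification off, and `run` passes the store to the jar through the standard `javax.net.ssl.trustStore` properties.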
