If you ran shinycannon and received an error like the following:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
…the target server’s SSL certificate was not recognized by the installation of Java that shinycannon is running in.
The first thing you should try is upgrading Java on your machine. Newer versions of Java come with updated certificate stores.
If that doesn’t work, and if you are confident the target server is legitimate (for example, it’s run from within your organization), you can rectify the problem by adding the target server’s certificate to Java’s certificate store using the steps below.
Otherwise, you should consider contacting the target server’s administrator because the machine may have been compromised.
Download the certificate to the machine running shinycannon using the following command, substituting example.com for the hostname or address of the target server:
If the target host is an IP address, you should omit the
On Linux or macOS:
openssl s_client -connect example.com:443 -servername example.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
On Windows:
openssl s_client -connect example.com:443 -servername example.com < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
Determine your system’s JAVA_HOME location with the following command:
On Linux, the $JAVA_HOME environment variable may already be set. If it is, use it instead.
jrunscript -e 'java.lang.System.out.println(java.lang.System.getProperty("java.home"));'
Install the certificate with the following command, substituting <JAVA_HOME> for your system’s JAVA_HOME value, and <server_name> for some name of your choosing:
On Linux, you must be root or use
<JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file public.crt
You may be prompted for a password. By default it is
You may be prompted about whether to trust the certificate. Type yes and hit enter.
shinycannon again, ensuring SHINYCANNON_PASS are set if your target application requires authentication.
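The download step above saves whatever certificate the network connection returned, so it is worth comparing its SHA-256 fingerprint with a value obtained out of band (for example, from the server's administrator) before running keytool. The script below is an added example, not part of the original instructions; the function names and the throwaway self-signed certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a downloaded certificate against a SHA-256
# fingerprint obtained out of band before importing it with keytool.
# Function names are illustrative, not part of shinycannon or Java.

# Print the SHA-256 fingerprint of the first certificate in PEM file $1
# as lowercase hex without colons. Fails if no certificate can be parsed,
# for example when the s_client download left public.crt empty.
cert_sha256() {
    _fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    # openssl prints "... Fingerprint=AB:CD:..."; keep the part after "=".
    printf '%s\n' "${_fp#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# Exit status 0: fingerprint of $1 equals the expected value $2.
# Exit status 1: mismatch. Exit status 2: unreadable file or malformed value.
# Colons, spaces and letter case in the expected value are ignored.
cert_matches() {
    _actual=$(cert_sha256 "$1") || return 2
    _expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "${#_expected}" -eq 64 ] || return 2   # not a full SHA-256 value
    [ "$_actual" = "$_expected" ]
}

# Constructed sample input: a throwaway self-signed certificate written to
# $1, standing in for the public.crt fetched with openssl s_client.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: the expected value would normally come from the administrator;
# here it is read from the sample itself so the script runs offline.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/public.crt"
demo_pin=$(openssl x509 -in "$demo_dir/public.crt" -noout -fingerprint -sha256)
if cert_matches "$demo_dir/public.crt" "${demo_pin#*=}"; then
    echo "fingerprint matches, proceed with the keytool import"
else
    echo "fingerprint mismatch or unreadable certificate, do not import" >&2
fi
rm -rf "$demo_dir"
```

In real use, call `cert_matches public.crt "<fingerprint from the administrator>"` and run the keytool import only when it returns 0.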
These instructions were adapted from the following document: https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html