If you ran shinycannon and received an error like the following:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
…the target server’s SSL certificate was not recognized by the installation of Java that shinycannon is running in.
The first thing you should try is upgrading Java on your machine. Newer versions of Java come with updated certificate stores.
If that doesn’t work, and if you are confident the target server is legitimate (for example, it’s run from within your organization), you can rectify the problem by adding the target server’s certificate to Java’s certificate store using the steps below.
Otherwise, you should consider contacting the target server’s administrator because the machine may have been compromised.
Download the certificate to the machine running shinycannon using the following command, substituting example.com for the hostname or address of the target server:
If the target host is an IP address, you should omit the -servername parameter.
Linux:
openssl s_client -connect example.com:443 -servername example.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
Windows:
If you haven’t already, you should install Sed for Windows and OpenSSL.
openssl s_client -connect example.com:443 -servername example.com < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
Determine your system’s JAVA_HOME location with the following command:
On Linux, the $JAVA_HOME environment variable may already be set. If it is, use it instead.
jrunscript -e 'java.lang.System.out.println(java.lang.System.getProperty("java.home"));'
Install the certificate with the following command, substituting <JAVA_HOME> for your system’s JAVA_HOME value, and <server_name> for some name of your choosing:
On Linux, you must be root or use sudo.
<JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file public.crt
You may be prompted for a password. By default it is changeit.
You may be prompted about whether to trust the certificate. Type yes and hit enter.
Try shinycannon again, ensuring SHINYCANNON_USER and SHINYCANNON_PASS are set if your target application requires authentication.
These instructions were adapted from the following document: https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html
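Before running the keytool import, the downloaded public.crt can be checked against a SHA-256 fingerprint obtained from the target server’s administrator over a separate channel, which is one way to become confident the server is legitimate. The following Python script is an added example, not part of the original instructions or of shinycannon; the function names are chosen for illustration and the sample certificate body is constructed.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """Return the colon-separated SHA-256 fingerprint of each certificate block."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return prints


def normalize(fingerprint):
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def safe_to_import(pem_text, expected_fingerprint):
    """True only if pem_text holds exactly one certificate matching the expected value."""
    found = pem_fingerprints(pem_text)
    if len(found) != 1:
        # Empty file (the s_client connection failed) or an unexpected extra block.
        return False
    expected = normalize(expected_fingerprint)
    if len(expected) != 64:  # not a complete SHA-256 value
        return False
    return hmac.compare_digest(normalize(found[0]), expected)


# Constructed stand-in for public.crt: the body is arbitrary bytes, not a real
# certificate. The fingerprint is a hash of the decoded body, so it behaves the same.
SAMPLE_DER = bytes(range(48)) * 4
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fp = pem_fingerprints(SAMPLE_PEM)[0]
    print("fingerprint:", fp)
    print("matches pinned value:", safe_to_import(SAMPLE_PEM, fp.lower()))
    print("empty file accepted:", safe_to_import("", fp))
```

To check a real download, pass the contents of public.crt and the fingerprint supplied by the administrator to safe_to_import, and import the certificate only if it returns True.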