Skip to main content

PKIX Path Building Failed Error

Problem

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Solution

1

Add Certificate to Apinizer

The public certificate of the relevant address should be added to Apinizer from the Certificate Management page.
2

Download Certificate (Optional)

If there is no browser that can access the address, it can be downloaded with the following command on a server with openssl application installed and that can access the address:
openssl s_client -showcerts -connect server.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > serverscertfile.pem

Certificate Issue in WS-S/WS-STS Token Retrieval in SOAP Services

Problem

WS-S or WS-STS policies used in SOAP services cannot retrieve tokens due to “PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target” error.

Reason/Why

Since the certificate loaded to Apinizer cannot be seen in SOAP service call, token retrieval of this service needs to be done through reverse proxy.

Solution

A reverse proxy that routes with the relevant token retrieval address is created and the token retrieval address of the wss/wssts policy in the service using tokens is given as this service. In rare cases, it may be necessary to change the address in the xml message with script through reverse proxy.

SSL Certificate Issue in MSSQL Connections

Problem

I updated Apinizer to version 2025.07.4 or later but I’m getting an error in my Sql Server (MSSQL) connections: Failed to initialize pool: “encrypt” property is set to “true” and “trustServerCertificate” property is set to “false” but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Reason/Why

MSSQL jdbc library has been updated with the security update made in version 2025.07.4.
With this library, tls 1.2 and above are mandatory in jdbc connections. Encrypt default value is true and this requires a connection with a correct certificate. Self sign, incorrectly configured certificates, or databases not using certificates encounter this error.

Solution

1

Configure Certificate

SSL certificate should be correctly configured in the connection to your database. The relevant certificate should be added to Apinizer under Secret Manager > Certificates.
Note: In your internal systems and development or test environments, this error can be bypassed by adding one of the following parameters to the jdbc url:
  • ;encrypt=false (not recommended)
  • ;trustServerCertificate=true (should be added carefully, possible consequences in terms of security should be considered)