IDEA Ultimate 2016.3.4 throwing "unable to find valid certification path to requested target" when trying to refresh gradle

Answered

I've just downloaded IDEA Ultimate 2016.3.4 via the Toolbox application, and tried to import a new gradle project. When I try and refresh it I'm faced with "Error: Cause: unable to find valid certification path to requested target". I'm using IDEA behind a company proxy, however this has never been an issue before. I tried adding our certificates into IDEA and still came up empty. The only thing that has changed is that I upgraded from the community edition to the ultimate edition.

Has anyone encountered this before? Or have any guidance on what I can try next. I'm out of ideas.

 

Here is what came out in my logs

[ 10738] INFO - ibility.VersionMetadataUpdater - Failed to parse XML metadata
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at com.intellij.util.io.HttpRequests.openConnection(HttpRequests.java:484)
at com.intellij.util.io.HttpRequests.access$300(HttpRequests.java:57)
at com.intellij.util.io.HttpRequests$RequestImpl.getConnection(HttpRequests.java:278)
at com.intellij.util.io.HttpRequests$RequestImpl.getInputStream(HttpRequests.java:287)
at com.intellij.util.io.HttpRequests$RequestImpl.getReader(HttpRequests.java:305)
at com.intellij.util.io.HttpRequests$RequestImpl.getReader(HttpRequests.java:298)
at com.android.tools.idea.gradle.project.compatibility.VersionMetadataUpdater$3$1.process(VersionMetadataUpdater.java:92)
at com.android.tools.idea.gradle.project.compatibility.VersionMetadataUpdater$3$1.process(VersionMetadataUpdater.java:88)
at com.intellij.util.io.HttpRequests.doProcess(HttpRequests.java:413)
at com.intellij.util.io.HttpRequests.process(HttpRequests.java:390)
at com.intellij.util.io.HttpRequests.access$100(HttpRequests.java:57)
at com.intellij.util.io.HttpRequests$RequestBuilderImpl.connect(HttpRequests.java:252)
at com.android.tools.idea.gradle.project.compatibility.VersionMetadataUpdater$3.run(VersionMetadataUpdater.java:88)
at com.intellij.openapi.application.impl.ApplicationImpl$2.run(ApplicationImpl.java:309)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

15 comments
Comment actions Permalink
Official comment

The issue was submitted to support and closed with the following comment:

it turns out this was not an IDEA issue. This was a gradle wrapper issue that was manifesting itself through IDEA. Our networking guys are messing with something. I'm sorry to waste your time.

Comment actions Permalink

Any idea what was the fix?

1
Comment actions Permalink

Hi

I am having the same issue...any idea if it is fixed already or any work around ?

 

1
Comment actions Permalink

@Serge Baranov

Eh, this is a Jetbrains/IDEA issue. Despite being able to pick the gradle wrapper's Java installation, the grabbing of the wrapper is still done with the JRE which the IDE is currently using... Preventing the wrapper from even starting. It should prompt to trust the certificate like everywhere else in the IDE but it does not. In the interim I have posted instructions to fix this for those who need it. (This issue persists in 2017.2.1)

@Nisarg @Sebas Panikulam @David Edwards

Just import your proxy's certificate into all utilized instances of "cacerts" keystores.

  1. You likely have a proxy which is intercepting (via MITM) your traffic. Locate your network's certificate: In a browser, navigate to "https://www.google.com" hit F12, go to certificates/security and get the top most certificate... Export it to MyCertificate.cer (base64 encoded). This process is different for each OS and Browser. If you're on a linux/mac something like echo -n | openssl s_client -connect google.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/MyCertificate.cer should get the certificate for you in a terminal (assuming you have your distributions net-utils package installed).
  2. In a terminal, navigate to your Jetbrains installation (whichever IDE it is doesn't matter). Inside of the base folder navigate to the folder "jre64" or "jre32" or "jre" -> "lib" -> "security"
  3. Copy over MyCertificate.cer into the security folder. (mv /tmp/MyCertificate.cer)
  4. Type "keytool -keystore cacerts -importcert -alias MyCertificate -file MyCertificate.cer" without quotes.
  5. Use the default password of "changeit" (Without quotes, obviously.)
  6. When prompted to trust the certificate type "yes" (Without quotes...). Hit enter.
  7. Restart the IDE in question and it should now function normally. Repeat this process for all java (including jdk) installations and jetbrains tools just to be safe. The relative path is the same regardless: jre -> lib -> security
  • If keytool is not found, you're probably on windows so try "%JAVA_HOME%/jre/bin/keytool" -keystore cacerts -importcert -alias MyCertificate -file MyCertificate.cer
  • Otherwise, locate your keytool in wherever you have java installed or use the one in "jre(64|32)?" -> "bin"
10
Comment actions Permalink

@Jay
Thank you very much for saving my nerves with your solution!

@Serge Baranov
Please communicate the issue to the developer team

0
Comment actions Permalink

Thanks :)

After breaking my head for a long time, found this and this resolved my issue. 

0
Comment actions Permalink

You my friend deserve a medal! for clear description alone

0
Comment actions Permalink

I tried the solution suggested and still ran into a problem.  I do think the suggested/accepted solution will work but I had another problem in that IntelliJ also needed to make a TLSv1.2 connection to download a maven artifact.

The solution I came across through some trial and error was to edit the IntelliJ VM Options.  I'm using IntelliJ Ultimate 2017.3 with the Maven 3 (builtin) so my instructions are based on that version and configuration of Maven.

Step 1: Create a file that you can modify.  Inside IntelliJ, select Help | Edit Custom VM Options...  Doing this will create a file you can add options to.  In my case the file was $HOME/.IntelliJIdea2017.3/config/idea64.vmoptions.

Step 2: I then added the following options to that file:

    -Djava.net.ssl.trustStore=$HOME/certs/mytrust.jks

    -Djava.net.ssl.trustStoreType=jks

     -Djava.net.ssl.trustStorePassword=WHATEVER-IT-IS

     -Dhttps.protocols=TLSv1.2

Step 3: Restart IntelliJ so it starts with those options.  NOTE: I edited the idea.sh script to verify that these options were being passed to the Java command that was starting IntelliJ.

After making these changes, IntelliJ could download files from the Maven Repo I was using.

Just FYI, the way I got this to work from the Unix command line was to set

    export MAVEN_OPTS="-Dmaven.wagon.https.ssl.insecure=true -Dmaven.wagon.https.ssl.allowall=true"

prior to running mvn. 

Since I don't know how IntelliJ implements the Maven3 builtin, I'm not sure if those options are "used" or not.  They were used by Maven 3.0.5 that was installed (outside of IntelliJ).

0
Comment actions Permalink

I downloaded the Kotlin JKid project and tried to build it.  

I got the following error: 

Error:Cause: unable to find valid certification path to requested target

Google found this page for me.  I followed the instructions above, but 2017.2.5 is still showing that error when I try to refresh a Gradle.  

I also manually added the certificate file using Tools->Server Certificates.

I restarted IntelliJ after each attempt.

No joy.  Any more advice?

 

 

0
Comment actions Permalink

Do you use proxy? If so, there is related issue: https://youtrack.jetbrains.com/issue/IDEA-153423

0
Comment actions Permalink

@Duffymo, I followed Jay's steps and have the same error with you. It took me a whole day to fix it. 

 

Solution: In Jay's step, "get the top most certificate", top most is very import. I think I dumped out the wrong certificate in the beginning. 

 

I was using Chrome browser, click the lock icon at left address link, it will pop out a certificate dialog. On the detail tab, there is a copy to file button which can dump out a certificate. Attention, this is a wrong way, DO NOT click this button to dump. There is also a certificate path tab on that dialog, click it, and choose the top most certificate, and click view certificate button, a dialog will pop out, and then dump out that certificate. It will work.

 

It is a little bit complicated, wish it will help you.

0
Comment actions Permalink

@Duffymo, have same problem? but with 2018.2.2 should i add top cert of my proxy, or of bintray.com?

0
Comment actions Permalink

@Leon Ren it's right, you have to get the right certificate, apply it to all your java installations just in case and then restart your windows.

Thank you guys! I would have never solved this on my own!!!

0
Comment actions Permalink

@Jay

Thank you, it worked!

0
Comment actions Permalink

@Jay

Thanks for clear clarification. You saved my day. 

0

Please sign in to leave a comment.