IDEA Ultimate 2016.3.4 throwing "unable to find valid certification path to requested target" when trying to refresh gradle

Answered

I've just downloaded IDEA Ultimate 2016.3.4 via the Toolbox application, and tried to import a new gradle project. When I try and refresh it I'm faced with "Error: Cause: unable to find valid certification path to requested target". I'm using IDEA behind a company proxy, however this has never been an issue before. I tried adding our certificates into IDEA and still came up empty. The only thing that has changed is that I upgraded from the community edition to the ultimate edition.

Has anyone encountered this before? Or have any guidance on what I can try next. I'm out of ideas.

 

Here is what came out in my logs

[ 10738] INFO - ibility.VersionMetadataUpdater - Failed to parse XML metadata
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at com.intellij.util.io.HttpRequests.openConnection(HttpRequests.java:484)
at com.intellij.util.io.HttpRequests.access$300(HttpRequests.java:57)
at com.intellij.util.io.HttpRequests$RequestImpl.getConnection(HttpRequests.java:278)
at com.intellij.util.io.HttpRequests$RequestImpl.getInputStream(HttpRequests.java:287)
at com.intellij.util.io.HttpRequests$RequestImpl.getReader(HttpRequests.java:305)
at com.intellij.util.io.HttpRequests$RequestImpl.getReader(HttpRequests.java:298)
at com.android.tools.idea.gradle.project.compatibility.VersionMetadataUpdater$3$1.process(VersionMetadataUpdater.java:92)
at com.android.tools.idea.gradle.project.compatibility.VersionMetadataUpdater$3$1.process(VersionMetadataUpdater.java:88)
at com.intellij.util.io.HttpRequests.doProcess(HttpRequests.java:413)
at com.intellij.util.io.HttpRequests.process(HttpRequests.java:390)
at com.intellij.util.io.HttpRequests.access$100(HttpRequests.java:57)
at com.intellij.util.io.HttpRequests$RequestBuilderImpl.connect(HttpRequests.java:252)
at com.android.tools.idea.gradle.project.compatibility.VersionMetadataUpdater$3.run(VersionMetadataUpdater.java:88)
at com.intellij.openapi.application.impl.ApplicationImpl$2.run(ApplicationImpl.java:309)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

1
50 comments
Official comment

The issue was submitted to support and closed with the following comment:

it turns out this was not an IDEA issue. This was a gradle wrapper issue that was manifesting itself through IDEA. Our networking guys are messing with something. I'm sorry to waste your time.

Any idea what was the fix?

1

Hi

I am having the same issue...any idea if it is fixed already or any work around ?

 

1
Avatar
Permanently deleted user

@Serge Baranov

Eh, this is a Jetbrains/IDEA issue. Despite being able to pick the gradle wrapper's Java installation, the grabbing of the wrapper is still done with the JRE which the IDE is currently using... Preventing the wrapper from even starting. It should prompt to trust the certificate like everywhere else in the IDE but it does not. In the interim I have posted instructions to fix this for those who need it. (This issue persists in 2017.2.1)

@Nisarg @Sebas Panikulam @David Edwards

Just import your proxy's certificate into all utilized instances of "cacerts" keystores.

  1. You likely have a proxy which is intercepting (via MITM) your traffic. Locate your network's certificate: In a browser, navigate to "https://www.google.com" hit F12, go to certificates/security and get the top most certificate... Export it to MyCertificate.cer (base64 encoded). This process is different for each OS and Browser. If you're on a linux/mac something like echo -n | openssl s_client -connect google.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/MyCertificate.cer should get the certificate for you in a terminal (assuming you have your distributions net-utils package installed).
  2. In a terminal, navigate to your Jetbrains installation (whichever IDE it is doesn't matter). Inside of the base folder navigate to the folder "jre64" or "jre32" or "jre" -> "lib" -> "security"
  3. Copy over MyCertificate.cer into the security folder. (mv /tmp/MyCertificate.cer)
  4. Type "keytool -keystore cacerts -importcert -alias MyCertificate -file MyCertificate.cer" without quotes.
  5. Use the default password of "changeit" (Without quotes, obviously.)
  6. When prompted to trust the certificate type "yes" (Without quotes...). Hit enter.
  7. Restart the IDE in question and it should now function normally. Repeat this process for all java (including jdk) installations and jetbrains tools just to be safe. The relative path is the same regardless: jre -> lib -> security
  • If keytool is not found, you're probably on windows so try "%JAVA_HOME%/jre/bin/keytool" -keystore cacerts -importcert -alias MyCertificate -file MyCertificate.cer
  • Otherwise, locate your keytool in wherever you have java installed or use the one in "jre(64|32)?" -> "bin"
22

@Jay
Thank you very much for saving my nerves with your solution!

@Serge Baranov
Please communicate the issue to the developer team

0
Avatar
Permanently deleted user

Thanks :)

After breaking my head for a long time, found this and this resolved my issue. 

0
Avatar
Permanently deleted user

You my friend deserve a medal! for clear description alone

0

I tried the solution suggested and still ran into a problem.  I do think the suggested/accepted solution will work but I had another problem in that IntelliJ also needed to make a TLSv1.2 connection to download a maven artifact.

The solution I came across through some trial and error was to edit the IntelliJ VM Options.  I'm using IntelliJ Ultimate 2017.3 with the Maven 3 (builtin) so my instructions are based on that version and configuration of Maven.

Step 1: Create a file that you can modify.  Inside IntelliJ, select Help | Edit Custom VM Options...  Doing this will create a file you can add options to.  In my case the file was $HOME/.IntelliJIdea2017.3/config/idea64.vmoptions.

Step 2: I then added the following options to that file:

    -Djava.net.ssl.trustStore=$HOME/certs/mytrust.jks

    -Djava.net.ssl.trustStoreType=jks

     -Djava.net.ssl.trustStorePassword=WHATEVER-IT-IS

     -Dhttps.protocols=TLSv1.2

Step 3: Restart IntelliJ so it starts with those options.  NOTE: I edited the idea.sh script to verify that these options were being passed to the Java command that was starting IntelliJ.

After making these changes, IntelliJ could download files from the Maven Repo I was using.

Just FYI, the way I got this to work from the Unix command line was to set

    export MAVEN_OPTS="-Dmaven.wagon.https.ssl.insecure=true -Dmaven.wagon.https.ssl.allowall=true"

prior to running mvn. 

Since I don't know how IntelliJ implements the Maven3 builtin, I'm not sure if those options are "used" or not.  They were used by Maven 3.0.5 that was installed (outside of IntelliJ).

1

I downloaded the Kotlin JKid project and tried to build it.  

I got the following error: 

Error:Cause: unable to find valid certification path to requested target

Google found this page for me.  I followed the instructions above, but 2017.2.5 is still showing that error when I try to refresh a Gradle.  

I also manually added the certificate file using Tools->Server Certificates.

I restarted IntelliJ after each attempt.

No joy.  Any more advice?

 

 

0

@Duffymo, I followed Jay's steps and have the same error with you. It took me a whole day to fix it. 

 

Solution: In Jay's step, "get the top most certificate", top most is very import. I think I dumped out the wrong certificate in the beginning. 

 

I was using Chrome browser, click the lock icon at left address link, it will pop out a certificate dialog. On the detail tab, there is a copy to file button which can dump out a certificate. Attention, this is a wrong way, DO NOT click this button to dump. There is also a certificate path tab on that dialog, click it, and choose the top most certificate, and click view certificate button, a dialog will pop out, and then dump out that certificate. It will work.

 

It is a little bit complicated, wish it will help you.

1

@Duffymo, have same problem? but with 2018.2.2 should i add top cert of my proxy, or of bintray.com?

0
Avatar
Permanently deleted user

@Leon Ren it's right, you have to get the right certificate, apply it to all your java installations just in case and then restart your windows.

Thank you guys! I would have never solved this on my own!!!

0

@Jay

Thank you, it worked!

0

@Jay

Thanks for clear clarification. You saved my day. 

0
Avatar
Permanently deleted user

@...

Thank you so much. Years later, and you're still saving people's days. Why is Jetbrains not fixing this?

0

try this Intellij > Preferences > Build,Execution,Deployment > Build Tools > Maven > Runner > Delegate IDE build/run actions to Maven. then Rebuild your project

0

This is also a problem wtih 2020.1. The upgrade doesn't copy over the VM arguments from the Build Tools/Maven/Runner settings, so you have to set them again. Of course, it's probably been more than a year since you've set them the first time, and have probably forgotten about them, but you have to "-Djavax.net.ssl.trustStore="c:\Program Files\java\jdk8\jre\lib\security\cacerts"", assuming you installed Java to the default location on Windows.

1

I added the certs into the keystore, however, I still encountered the issue.

Here is an extra step that worked for me, so passing it on with hope that it'll help someone else.

From within Intellij, go to Maven Settings -> Importing

Look at the selected path in the "JDK for importer".

I had it to "User Internal JRE".

I changed it to "Use JAVA_HOME (xxxx)"

Click Apply.

Do Maven "re-import".

Good luck.

2

https://intellij-support.jetbrains.com/hc/en-us/profiles/1084050104-Jay 

Jay's solution finally solved my problem. I had been Googling for a whole afternoon before I got here. Thank you so much, Jay.

However, IDEA had been working well on my laptop for almost a year before the certificate problem started to happen 2 weeks ago.

Since I didn't change anything on my computer, I think the Symantec should be the culprit --- it is remotely controlled by the IT team and I think they must have changed some configuration.

Anyway, thank you very much, Jay.

0

I get a similar error even after following Jay's solution.

:::: ERRORS
Server access Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target url=https://repo1.maven.org/maven2/org/scala-sbt/sbt/0.13.9/sbt-0.13.9.pom

Any ideas?

0

I did the whole process again but this time I downloaded the root certificate from the browser instead of using step 1 of Jay's answer. This time it works but I am not sure this was the reason, just in case it can help someone.

0

Still encountering this issue in 2020.3.2, tried Jay's solution but didn't manage to make it work.

 

I also think something's quite unclear about his explaination:

"In a browser, navigate to "https://www.google.com" hit F12, go to certificates/security and..."

This procedure gets you the certificate used by the site you're on, I can't find a way to download a 'personal' certificate since you can't F12 (or click on the lock icon etc etc) if not on a site.

 

"In a terminal, navigate to your Jetbrains installation (whichever IDE it is doesn't matter). Inside of the base folder navigate to the folder "jre64" or "jre32" or "jre" -> "lib" -> "security""

I only have a 'jbr' folder, I tried with that one

 

"Copy over MyCertificate.cer into the security folder. (mv /tmp/MyCertificate.cer)"

What's up with the path between brackets? Should I copy the file into 'security' or I have to create two more folders?

3

> This procedure gets you the certificate used by the site you're on, I can't find a way to download a 'personal' certificate since you can't F12 (or click on the lock icon etc etc) if not on a site.

Please try to export a top-level certificate as per https://intellij-support.jetbrains.com/hc/en-us/community/posts/115000094584/comments/360000110684 .

 

 

0

Version 2020.3 and this still hasn't been solved. I have the corporate cert added via the GUI: Preferences > Tools > Server Certificates. That should be enough. IntelliJ should be adding the cert to both the GUI store and its JRE store if it can bother to trust the OS.

For those of you on a Mac using the JetBrains JRE try this:

cd /Applications/IntelliJ\ IDEA.app/Contents/jbr/Contents/Home
./bin/keytool -keystore lib/security/cacerts -importcert -alias CorpCert -file <path to your cert>

That solved the problem for me. Your IT departments should be able to provide you with the cert file you'll need.

0

Hi, I have downloaded Intelli-J IDEA community version from the website https://www.jetbrains.com/idea/download/#section=windows.

I have also downloaded illuminated cloud 2 plugin in intell-J IDE. But I keep getting "unable to find valid certification path to requested target" error and not able to find a solution. Please refer to the below screenshot.

 

I have tried the above mentioned solution by Jay. 

- I downloaded the top most certificate and put it inside C:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2020.3.2\jbr\lib\security folder.

Note: I could only find /jbr/lib/Security since I cant find "jre" -> "lib" -> "security"".

Please help me to resolve this issue. I appreciate your support.

Thanks,

Khushbu

0

I did all the steps mentioned in the comment. Added MyCertificate to the keystore of java and JetBrains JRE but no luck. Still get the same error.

0

In which keystore did you install the certificate?

1

Please sign in to leave a comment.