Bug #8629

unable to find valid certificate path to requested target when importing a DataONE ontology into Protege

Added by Bryce Mecum almost 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 2018-06-25
Due date:
% Done: 100%
Milestone: None
Product Version: *
Story Points:
Sprint:

Description

This bug came from Mark Schildhauer and Margaret O'Brien.

While using Protege to import https://purl.dataone.org/obo/ENVO_import.owl, the following error pops up:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Full Stack Trace
-----------------------------------------------------------------------------------------

org.semanticweb.owlapi.io.OWLOntologyCreationIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:207)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.actualParse(OWLOntologyManagerImpl.java:1099)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntology(OWLOntologyManagerImpl.java:1055)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntologyFromOntologyDocument(OWLOntologyManagerImpl.java:1011)
    at org.protege.editor.owl.model.io.OntologyLoader.loadOntologyInternal(OntologyLoader.java:101)
    at org.protege.editor.owl.model.io.OntologyLoader.lambda$loadOntologyInOtherThread$210(OntologyLoader.java:60)
    at org.protege.editor.owl.model.io.OntologyLoader$$Lambda$102/1971532877.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1889)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1884)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1883)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1456)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputStreamFromContentEncoding(AbstractOWLParser.java:165)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputStream(AbstractOWLParser.java:127)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputSource(AbstractOWLParser.java:232)
    at org.semanticweb.owlapi.rdf.rdfxml.parser.RDFXMLParser.parse(RDFXMLParser.java:72)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:197)
    ... 10 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2942)
    at java.net.URLConnection.getContentEncoding(URLConnection.java:523)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContentEncoding(HttpsURLConnectionImpl.java:410)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputStream(AbstractOWLParser.java:122)
    ... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
    ... 28 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 34 more

To reproduce:

That PURL link redirects to a GitHub raw URL which does not reproduce this error. The version of Protege I'm using makes use of its own version of Java:

❯ /Applications/Protégé.app/Contents/Plugins/JRE/Contents/Home/jre/bin/java -version
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)

A quick Google reveals it could be because Java isn't getting enough of the certificate chain back from the web server, but a quick run of https://www.ssllabs.com/ssltest/analyze.html?d=purl.dataone.org makes everything look in order.

Any ideas?

URLConnectionReader.class (1 KB) Dave Vieglais, 2018-06-25 22:37

History

#1 Updated by Dave Vieglais almost 6 years ago

That link is a redirect to:

https://raw.githubusercontent.com/DataONEorg/sem-prov-ontologies/run4/observation/ENVO_import.owl

Perhaps the issue is from the redirect or something with the cert at GitHub?

Checked GitHub with ssllabs, and the results are A+, so either something with the redirect or the cert on purl. Assuming redirect worked in the past, then perhaps the cert or Apache config on purl (ssl labs reports only B for purl.dataone.org).

#2 Updated by Dave Vieglais almost 6 years ago

purl.dataone.org uses virtualhosts to serve multiple hosts via SNI. Using:

echo "Q" | openssl s_client -connect "purl.dataone.org:443" | openssl x509 -text -noout

Showed a certificate from another virtual host.

The default host was switched to purl.dataone.org to provide support for hosts that don't properly support SNI requests. The openssl command above returns the correct cert for purl.dataone.org.

#3 Updated by Dave Vieglais almost 6 years ago

Try running the attached jar, java URLConnectionReader. Should print the owl file.

Source:

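import java.net.*;
import java.io.*;

// Fetches the ontology over HTTPS using the running JRE's default trust store
// and prints it line by line. A PKIX failure here reproduces the Protege error.
public class URLConnectionReader {
    public static void main(String[] args) throws Exception {
        URL oracle = new URL("https://purl.dataone.org/obo/ENVO_import.owl");
        URLConnection yc = oracle.openConnection();
        // try-with-resources closes the stream even if reading fails part way
        try (BufferedReader in = new BufferedReader(new InputStreamReader(
                                    yc.getInputStream()))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null)
                System.out.println(inputLine);
        }
    }
}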

#4 Updated by Bryce Mecum almost 6 years ago

That works. I got back the OWL file.

I'm running Java 10, so I bet this is an issue just with the Java 8 bundled with Protege. There's a version of Protege that doesn't bundle Java but I can't get it to run on Java 10.

#5 Updated by Bryce Mecum almost 6 years ago

I found a fork of Protege that runs on Java 10, built it, and tried to open the problem URL and it works. Pretty clearly isolated to it being a Java 8 issue and not a Protege one beyond the fact that Protege doesn't work on Java 10 (which is kind of an issue here).

#6 Updated by Bryce Mecum almost 6 years ago

Is there any way for us to work around this for our users? Protege is pretty much the only way I have seen our groups working with ontologies.

#7 Updated by Dave Vieglais almost 6 years ago

Upgrade the java install to Java 8 >= 101

https://letsencrypt.org/docs/certificate-compatibility/
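
A diagnostic for the failure discussed in this ticket, added here as an example and not part of the original thread or of Protege: run with the JRE under test (for instance the one bundled with Protege), it prints the chain the server sends when SNI is used and whether that JRE's default trust store holds a CA named like the chain's top issuer. The class name TrustPathCheck and the default host argument are assumptions for illustration.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;
// Added diagnostic, not code from the ticket. Run it with the JRE you are testing.
public class TrustPathCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "purl.dataone.org"; // host from the ticket
        // Passing a null KeyStore loads the default trust store of the running JRE.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager jreDefault = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] served = new X509Certificate[1][];
        // Record the chain the server sends, then validate it exactly as the JRE would.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jreDefault.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                served[0] = c;
                jreDefault.checkServerTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return jreDefault.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        String verdict = "chain validated against this JRE's trust store";
        // createSocket(host, port) sends the host name as SNI; no application data is sent.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();
        } catch (SSLException e) {
            verdict = "handshake failed: " + e.getMessage();
        }
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println(verdict);
        if (served[0] == null) return; // failed before the server certificate arrived
        // A raw SSLSocket does no host name check, so compare the leaf subject with the host by eye.
        for (X509Certificate c : served[0])
            System.out.println("  subject=" + c.getSubjectX500Principal().getName()
                + "\n   issuer=" + c.getIssuerX500Principal().getName());
        // Name-match heuristic: does any trusted CA carry the top issuer's name?
        X500Principal top = served[0][served[0].length - 1].getIssuerX500Principal();
        boolean anchored = false;
        for (X509Certificate ca : jreDefault.getAcceptedIssuers())
            anchored |= ca.getSubjectX500Principal().equals(top);
        System.out.println("trust anchor named \"" + top.getName() + "\" present: " + anchored);
    }
}
```

When compiling with a newer JDK for an older bundled JRE, use `javac --release 8` so the class file loads there. A `false` on the last line is consistent with the PKIX path building failure in the description.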

#8 Updated by Dave Vieglais almost 6 years ago

  • Status changed from New to Closed
  • Assignee set to Dave Vieglais
  • % Done changed from 0 to 100

Closing as not a DataONE issue. Should be resolved by users upgrading to a less buggy version of Java, and should be pushing on Protege for support on this.
