Bug #8629
unable to find valid certificate path to requested target when importing a DataONE ontology into Protege
100%
Description
This bug came from Mark Schildhauer and Margaret O'Brien.
While using Protege to import https://purl.dataone.org/obo/ENVO_import.owl, the following error pops up:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Full Stack Trace
-----------------------------------------------------------------------------------------
org.semanticweb.owlapi.io.OWLOntologyCreationIOException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:207)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.actualParse(OWLOntologyManagerImpl.java:1099)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntology(OWLOntologyManagerImpl.java:1055)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyManagerImpl.loadOntologyFromOntologyDocument(OWLOntologyManagerImpl.java:1011)
    at org.protege.editor.owl.model.io.OntologyLoader.loadOntologyInternal(OntologyLoader.java:101)
    at org.protege.editor.owl.model.io.OntologyLoader.lambda$loadOntologyInOtherThread$210(OntologyLoader.java:60)
    at org.protege.editor.owl.model.io.OntologyLoader$$Lambda$102/1971532877.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1889)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1884)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1883)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1456)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputStreamFromContentEncoding(AbstractOWLParser.java:165)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputStream(AbstractOWLParser.java:127)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputSource(AbstractOWLParser.java:232)
    at org.semanticweb.owlapi.rdf.rdfxml.parser.RDFXMLParser.parse(RDFXMLParser.java:72)
    at uk.ac.manchester.cs.owl.owlapi.OWLOntologyFactoryImpl.loadOWLOntology(OWLOntologyFactoryImpl.java:197)
    ... 10 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2942)
    at java.net.URLConnection.getContentEncoding(URLConnection.java:523)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContentEncoding(HttpsURLConnectionImpl.java:410)
    at org.semanticweb.owlapi.io.AbstractOWLParser.getInputStream(AbstractOWLParser.java:122)
    ... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
    ... 28 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 34 more
To reproduce:
- Open Protege
- Open from URL
- Paste and open 'https://purl.dataone.org/obo/ENVO_import.owl'
- See the stack trace
That PURL link redirects to a GitHub raw URL which does not reproduce this error. The version of Protege I'm using makes use of its own version of Java:
❯ /Applications/Protégé.app/Contents/Plugins/JRE/Contents/Home/jre/bin/java -version
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)
A quick Google reveals it could be because Java isn't getting enough of the certificate chain back from the web server, but a quick run of https://www.ssllabs.com/ssltest/analyze.html?d=purl.dataone.org makes everything look in order.
Any ideas?
History
#1 Updated by Dave Vieglais over 6 years ago
That link is a redirect to:
https://raw.githubusercontent.com/DataONEorg/sem-prov-ontologies/run4/observation/ENVO_import.owl
Perhaps the issue is from the redirect or something with the cert at GitHub?
Checked GitHub with SSL Labs, and the results are A+, so either something with the redirect or the cert on purl. Assuming redirect worked in the past, then perhaps the cert or Apache config on purl (SSL Labs reports only B for purl.dataone.org).
#2 Updated by Dave Vieglais over 6 years ago
purl.dataone.org uses virtualhosts to serve multiple hosts via SNI. Using:
echo "Q" | openssl s_client -connect "purl.dataone.org:443" | openssl x509 -text -noout
Showed a certificate from another virtual host.
The default host was switched to purl.dataone.org to provide support for hosts that don't properly support SNI requests. The openssl command above returns the correct cert for purl.dataone.org.
#3 Updated by Dave Vieglais over 6 years ago
- File URLConnectionReader.class added
Try running the attached jar, java URLConnectionReader. Should print the owl file.
Source:
    import java.net.*;
    import java.io.*;

    public class URLConnectionReader {
        public static void main(String[] args) throws Exception {
            // Opens the PURL over HTTPS using the running JRE's default trust store.
            URL oracle = new URL("https://purl.dataone.org/obo/ENVO_import.owl");
            URLConnection yc = oracle.openConnection();
            BufferedReader in = new BufferedReader(new InputStreamReader(
                    yc.getInputStream()));
            String inputLine;
            // Print the response body (the OWL file) line by line.
            while ((inputLine = in.readLine()) != null)
                System.out.println(inputLine);
            in.close();
        }
    }
#4 Updated by Bryce Mecum over 6 years ago
That works. I got back the OWL file.
I'm running Java 10, so I bet this is an issue just with the Java 8 bundled with Protege. There's a version of Protege that doesn't bundle Java but I can't get it to run on Java 10.
#5 Updated by Bryce Mecum over 6 years ago
I found a fork of Protege that runs on Java 10, built it, and tried to open the problem URL and it works. Pretty clearly isolated to it being a Java 8 issue and not a Protege one beyond the fact that Protege doesn't work on Java 10 (which is kind of an issue here).
#6 Updated by Bryce Mecum over 6 years ago
Is there any way for us to work around this for our users? Protege is pretty much the only way I have seen our groups working with ontologies.
#7 Updated by Dave Vieglais over 6 years ago
Upgrade the java install to Java 8 >= 101
#8 Updated by Dave Vieglais over 6 years ago
- Status changed from New to Closed
- Assignee set to Dave Vieglais
- % Done changed from 0 to 100
Closing as not a DataONE issue. Should be resolved by users upgrading to a less buggy version of Java, and should be pushing on Protege for support on this.
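An added diagnostic, not part of the original issue or of DataONE or Protege code, for the Java version comparison in comments #4 to #7: it repeats offline the `CertPathBuilder.build` step that fails at the bottom of the stack trace, using the default trust store of whichever JRE runs it. The class name `PkixPathCheck` and the input file `chain.pem` (only the PEM certificates the server presented, leaf first) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Added example. Usage: java PkixPathCheck chain.pem   (chain.pem is a hypothetical file name)
public class PkixPathCheck {
    // Trust anchors from the default trust store of the JRE running this class.
    static Set<TrustAnchor> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE's default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        List<Certificate> chain = new ArrayList<>();
        if (args.length == 1) {
            try (InputStream in = new FileInputStream(args[0])) {
                chain.addAll(CertificateFactory.getInstance("X.509").generateCertificates(in));
            }
        }
        if (chain.isEmpty()) { System.err.println("usage: PkixPathCheck chain.pem"); return; }
        Set<TrustAnchor> anchors = defaultAnchors();
        System.out.println("java " + System.getProperty("java.version") + ", anchors: " + anchors.size());
        X509CertSelector target = new X509CertSelector();
        target.setCertificate((X509Certificate) chain.get(0)); // leaf certificate
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // Intermediates sent by the server are candidates for the path.
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // path building only; revocation is out of scope
        try {
            PKIXCertPathBuilderResult r =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("path OK, anchored at: "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("path building failed: " + e.getMessage());
        }
    }
}
```

Running the same class file with the JRE bundled in Protege and with a newer JRE shows whether each one's default trust store can anchor the saved chain.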