PKIX path building failed
You may encounter the error message "PKIX path building failed" if you are using Liquibase MongoDB Pro with Amazon DocumentDB TLS/SSL Configuration alongside the AWS extension or the individual AWS Secrets Manager Extension. This is caused by a lack of required certificates in your custom Java truststore. Follow the guide below to resolve the error.
Error
Unexpected error running Liquibase: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Remedy
- Enter this command into the CLI to create a new combined truststore from your default Java CAcerts:
Linux syntax:
keytool -importkeystore -srckeystore "$JAVA_HOME/lib/security/cacerts" -srcstorepass changeit -destkeystore s3-docdb-combined-truststore.jks -deststorepass MyCombinedPassword -noprompt
Windows syntax:
keytool -importkeystore -srckeystore "%JAVA_HOME%\lib\security\cacerts" -srcstorepass changeit -destkeystore s3-docdb-combined-truststore.jks -deststorepass MyCombinedPassword -noprompt
- Copy the new truststore to the same directory as your existing truststore used for Amazon DocumentDB TLS/SSL. In this example we will copy the new s3-docdb-combined-truststore.jks to the location of rds-truststore.jks.
- Run this command to merge the contents of both truststores into one:
keytool -importkeystore -srckeystore rds-truststore.jks -srcstorepass SOME_PASSWORD -destkeystore s3-docdb-combined-truststore.jks -deststorepass MyCombinedPassword
- Run this command to set the JAVA_OPTS environment variable for Liquibase to recognize the new truststore:
Linux syntax:
export JAVA_OPTS="-Djavax.net.ssl.trustStore=ABSOLUTE_PATH_TO_TRUSTSTORE/s3-docdb-combined-truststore.jks -Djavax.net.ssl.trustStorePassword=MyCombinedPassword"
Windows syntax:
set JAVA_OPTS=-Djavax.net.ssl.trustStore=C:\path\to\s3-docdb-combined-truststore.jks -Djavax.net.ssl.trustStorePassword=MyCombinedPassword
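A check to run after the merge step, as an added example that is not part of the original Liquibase page: it compares the certificate fingerprints printed by `keytool -list` to confirm that every certificate in rds-truststore.jks reached the combined truststore. The function names are hypothetical, the sample listings are constructed, and English-locale keytool output is assumed.

```shell
#!/bin/sh
# Added example (not Liquibase code): confirm the merged truststore holds every
# certificate from a source truststore by comparing `keytool -list` fingerprints.

# Read `keytool -list` output on stdin; print one certificate fingerprint per line.
fingerprints() {
  sed -n 's/^Certificate fingerprint ([^)]*): *//p' | sort -u
}

# $1 = listing of a source store, $2 = listing of the combined store.
# Prints each source fingerprint that is absent from the combined store.
missing_from_combined() {
  mfc_src=$(printf '%s\n' "$1" | fingerprints)
  mfc_dst=$(printf '%s\n' "$2" | fingerprints)
  for mfc_fp in $mfc_src; do
    printf '%s\n' "$mfc_dst" | grep -qxF "$mfc_fp" || printf '%s\n' "$mfc_fp"
  done
}

# Real-store check: verify_truststore SRC SRC_PASS COMBINED COMBINED_PASS
# Returns 0 if nothing is missing, 1 if certificates are missing, 2 if keytool fails.
verify_truststore() {
  vt_src=$(keytool -list -keystore "$1" -storepass "$2") || return 2
  vt_dst=$(keytool -list -keystore "$3" -storepass "$4") || return 2
  vt_missing=$(missing_from_combined "$vt_src" "$vt_dst")
  [ -z "$vt_missing" ] && return 0
  printf 'missing from %s:\n%s\n' "$3" "$vt_missing" >&2
  return 1
}

# Constructed sample listings (aliases and shortened fingerprints are made up).
SAMPLE_RDS='Your keystore contains 2 entries

rds-root-a, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:01
rds-root-b, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:02'

SAMPLE_COMBINED='Your keystore contains 2 entries

rds-root-a, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:01
public-ca-x, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:CC:CC:03'

# Demo on the constructed data: reports the certificate lost in the merge.
missing_from_combined "$SAMPLE_RDS" "$SAMPLE_COMBINED"
```

Against the real files from this guide, call `verify_truststore rds-truststore.jks SOME_PASSWORD s3-docdb-combined-truststore.jks MyCombinedPassword`; an empty result with exit status 0 means the merge kept every DocumentDB certificate.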