My client doesn't trust CA
ivall opened this issue · 4 comments
Hello, I'm using HTTP Toolkit and my client doesn't trust certificate authority (CA), so I can't intercept HTTPS traffic. This is my command:
java -javaagent:agent.jar="127.0.0.1|8000|ca.pem" -jar ./server.jar
Error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I'm using okhttp3 and the newest version of this jvm agent.
Hi @ivall, thanks for reporting this, that's very interesting! Is there any way you can share a standalone reproduction for this issue?
Which version of okhttp3 specifically are you using? In the current test suite we test against okhttp3 v4.9.1, but there could plausibly be differences in this vs other okhttp3 versions.
Hi @pimterry, I'm using okhttp3 v4.10.0. I have this issue in this project: https://github.com/ivall/VIshop-plugin
I've now updated the agent to test against 4.10.0, but that still seems to be working correctly, so I don't think this is a general OkHttp issue.
I can't see anything obviously wrong in that repo you linked, but also I can't easily run it myself to see the issue.
Can you share a standalone example? If you could create a small repo with a unit test I can run that directly reproduces this issue, then I can run that myself easily to fix this. If you could add a test or script or something to that repo, so I can clone it & immediately run the script with no other dependencies, then that would work too. It needs to be something I can easily & quickly run on my machine, to be able to debug this and test fixes.
Alternatively, if you can tell what triggers this issue, that would be very interesting and I should be able to set up my own repro from there. Okhttp3 clearly does work, since the tests pass, so there must be some detail about how you're using it or some system configuration that is causing the problems here. If there are any things you can test (anything related to certificate configuration particularly) then that would be helpful.
Closing for now, but I'm happy to reopen and investigate further if you can share an easy way I can reproduce this issue or any further info about the cause.