How to solve PKIX error when Studio connects to Talend Cloud

Problem Description

Trying to connect to Talend Cloud from Studio (using your credentials) results in the following error message:

[Screenshot: error message displayed by Studio]

Using the same credentials, connecting to Talend Management Console (TMC) in a browser works as expected.

In Studio, the .log file shows the following error message:

    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Root Cause

When Studio connects to Talend Cloud, the expected certificate is CN=tds.us.cloud.talend.com, OU=Domain Control Validated, signed by CN=Go Daddy Secure Certificate Authority - G2, as shown below:

Version: V3
  Subject: CN=tds.us.cloud.talend.com, OU=Domain Control Validated
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
..
  Validity: [From: Fri Nov 09 03:48:25 PST 2018,
               To: Sat Nov 09 03:48:25 PST 2019]
  Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US

To enforce security, some companies use an intelligent proxy with the SSL Forward Proxy feature. In this case, the SSL connection from Talend Cloud terminates on the proxy, which creates its own SSL connection with Studio by issuing a certificate with the same name as the Talend Cloud certificate but signed by the proxy's own CA. Studio's Java truststore does not contain that CA, so certificate path building fails. For more information, see the Palo Alto Networks SSL Forward Proxy page.

Solution

  1. Collect the Studio SSL log traces by following the instructions in the KB Community article How to collect debug traces for Studio connection to Talend Cloud SSL.

  2. Check for the relevant messages:

    certpath: X509CertSelector.match: subject DNs don't match
    ...
    main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
    main, WRITE: TLSv1.2 Alert, length = 2
    ...
    main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    These messages show that the certificate is rejected because its issuer is not in the cacerts file used by Studio.

  3. Add the missing CA certificate to the cacerts file used by Studio.
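
Added example (not from the original article or from Talend): a Python check that reads the Subject/Issuer lines of the SSL debug trace collected in step 1 and reports when the Talend Cloud certificate was issued by a CA other than the expected Go Daddy one, which is the SSL Forward Proxy case described under Root Cause. It assumes the trace dumps certificates in the layout shown above; the sample traces and the "Example Corp Forward Proxy CA" name are constructed.

```python
import re

# Issuer CN and host name taken from the certificate dump in the article.
EXPECTED_ISSUER_CN = "Go Daddy Secure Certificate Authority - G2"
TALEND_HOST = "tds.us.cloud.talend.com"
_FIELD = re.compile(r"^\s*(Subject|Issuer):\s*(.+?)\s*$")
_CN = re.compile(r'(?:^|,\s*)CN=("[^"]*"|[^,]*)')


def common_name(dn):
    """Return the CN of a DN string; other values may be quoted and contain commas."""
    m = _CN.search(dn)
    return m.group(1).strip().strip('"') if m else None


def certificates(trace):
    """Yield (subject_dn, issuer_dn) for each certificate dumped in the trace."""
    subject = None
    for line in trace.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "Subject":
            subject = m.group(2)
        elif subject is not None:  # Issuer line closing the current certificate
            yield subject, m.group(2)
            subject = None


def find_resigned(trace, host=TALEND_HOST, expected=EXPECTED_ISSUER_CN):
    """Issuer DNs that signed a certificate for `host` but are not the expected CA."""
    return [issuer for subject, issuer in certificates(trace)
            if common_name(subject) == host and common_name(issuer) != expected]


# Constructed sample traces (not captured output), laid out like the article's dump.
DIRECT = """
  Subject: CN=tds.us.cloud.talend.com, OU=Domain Control Validated
  Issuer: CN=Go Daddy Secure Certificate Authority - G2, O="GoDaddy.com, Inc.", C=US
"""
PROXIED = """
  Subject: CN=tds.us.cloud.talend.com, OU=Domain Control Validated
  Issuer: CN=Example Corp Forward Proxy CA, O="Example Corp, Inc.", C=US
main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
"""

if __name__ == "__main__":
    for name, trace in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, "->", find_resigned(trace) or "issuer as expected")
```

The issuer DN it reports identifies the CA certificate that step 3 needs; obtain that certificate from the proxy administrators rather than trusting whatever the handshake presented.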

Version history
Revision #: 7 of 7
Last update: 10-07-2019 09:46 AM