libHttpClient.request on a site with invalid SSL certificate

Enonic version: 6.15.2
OS: macOS

So when using libHttp to request from a site with an invalid SSL certificate you get this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (java.lang.RuntimeException)

Using Firefox I’m able to download the invalid certificate in many file formats.

How do I add this invalid certificate to the Java environment that Enonic XP is using?

And will it help?

Relevant? httpClientLib - Send request with certificate authentication

What I personally do for testing:

  • I have a copy of the cacerts file
    • (Located originally in $JAVA_HOME/jre/lib/security)
  • I export the certificate in DER format from Firefox
  • I import the certificate into my custom cacerts
    • keytool -import -alias [alias] -keystore [customcacerts] -file [certificate.crt]
  • I check that it is correctly imported:
    • keytool -list -v -keystore [customcacerts]
  • Then when starting Enonic XP, I make sure this custom cacerts is used
    • -Djavax.net.ssl.trustStore=[customcacerts_path]

The default password for the cacerts file is “changeit”.
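
The steps from the reply above as one script, with a fingerprint check before the import so that only the certificate you verified out of band becomes trusted. This is an added example, not part of the original reply; the function names, the argument order and the STOREPASS variable are assumptions, and it expects keytool on PATH with English output.

```shell
#!/bin/sh
# Added example. Assumes keytool on PATH (English output) and JAVA_HOME set.

# Strip colons/whitespace and upper-case, so fingerprints compare by value.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# True only when both arguments are the same 64-hex-digit SHA-256 value.
fp_matches() {
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# SHA-256 fingerprint of a certificate file, as printed by keytool -printcert.
cert_fp() {
    keytool -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA-*256:[[:space:]]*//p' | head -n 1
}

# JVM option to add when starting Enonic XP.
jvm_opt() {
    printf '%s%s' '-Djavax.net.ssl.trustStore=' "$1"
}

# build_trust_store CERT EXPECTED_SHA256 ALIAS CUSTOM_STORE
build_trust_store() {
    cert=$1; expected=$2; name=$3; store=$4; pass=${STOREPASS:-changeit}
    actual=$(cert_fp "$cert")
    if ! fp_matches "$expected" "$actual"; then
        echo "fingerprint mismatch, not importing: $actual" >&2
        return 1
    fi
    # Start from a copy of the JRE trust store: the JVM option replaces the
    # default store, so the public CAs must still be present in the copy.
    [ -f "$store" ] || cp "$JAVA_HOME/jre/lib/security/cacerts" "$store" || return 1
    keytool -importcert -noprompt -alias "$name" -keystore "$store" \
        -storepass "$pass" -file "$cert" || return 1
    # Confirm the entry is present under the alias.
    keytool -list -alias "$name" -keystore "$store" -storepass "$pass"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    build_trust_store "$@" && echo "Start XP with: $(jvm_opt "$4")"
fi
```

The expected fingerprint should come from whoever operates the server, not from the same browser session the certificate was exported from.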