SSLHandshake Exceptions When Connecting to ThingWorx Platform
Handshake Exception: Unable to find valid certification path to requested target
You are testing the connection using a self-signed certificate. The Connection Server fails to connect to the ThingWorx Platform, and the Connection Server log shows the following messages:
2020-08-15T15:30:20.740 [NettyClient-NIO-7] WARN c.t.s.i.t.netty.NettyChannelHandler - [ClientHandler: d86fd220] SSLHandshake Exception, websocket not created:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:327)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:270)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:265)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:646)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:465)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:451)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:987)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:974)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:921)
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1510)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1524)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1408)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:275)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:624)
SOLUTION
The certificate that you are using has not been added to the trust store. If you are using a self-signed certificate (for development purposes only, NEVER in production), you need to import the self-signed certificate into the $JAVA_HOME/jre/lib/security/cacerts trust store.
Handshake Exception: No name matching <host_address>
You are testing the Connection Server configuration with the ThingWorx Platform, using a self-signed certificate and you have added it to the trust store. The Connection Server fails to connect to the ThingWorx Platform, and the Connection Server log shows a message similar to the following:
javax.net.ssl.SSLHandshakeException: No name matching pp-2008060535yw.portal.ptc.io found
SOLUTION
This message means that the name you are connecting to the platform with, pp-2008060535yw.portal.ptc.io, does not match the certificate's Subject CN or Subject Alternative Name DNS entries. The best and most secure solution is to make the platform's host name match the certificate details.
If you cannot do that, you can disable host name verification. However, this solution is considered insecure and against security best practices. To disable host name verification, set cx-server.transport.websockets.connections.verifyHostName = false in the configuration file for your Connection Server.
Handshake Exception: Websocket Not Connected and General SSL Engine Problem
You are testing the configuration with self-signed certificates, or terminating TLS before the ThingWorx Platform. You need to ensure the Connection Server can accept those certificates. The Connection Server fails to connect to the ThingWorx Platform, and the Connection Server logs show messages similar to the following:

18:35:47.539 [NettyClient-NIO-4] WARN c.t.s.i.t.netty.NettyChannelHandler -
[ClientHandler: 374e82b8] SSLHandshake Exception, websocket not created:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
...
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
...
SOLUTION
Make sure you are using valid certificates. If you want to use self-signed certificates on the ThingWorx Platform for testing, make sure they are added to the Java trust store ($JAVA_HOME/jre/lib/security/cacerts) on the Connection Server.
If TLS is terminated before the Connection Server-to-ThingWorx network (not a recommended configuration), make sure to connect from the Connection Server to the ThingWorx Platform over a non-TLS connection. To set up the non-TLS connection between the Connection Server and the Platform:
If you are using the Connection Server in a ThingWorx High Availability (HA) configuration, you should have configured the Connection Server to use discovery to locate the ThingWorx Platform instances by setting transport.websockets.service-discovery.enabled to true. To use a non-TLS connection between the Connection Server and the platform, make sure that you have also set the following:

transport.websockets.service-discovery.tls-enabled = false
transport.websockets.service-discovery.service-name = "thingworx-http"
If you are using the ThingWorx Platform in single-server mode, make sure that you configure the Connection Server as follows for a non-TLS connection:
a. The URI of the ThingWorx Platform to which the Connection Server will connect must use ws instead of wss. The property is in the group, cx-server.transport.websockets, with the application key property. For example:

cx-server {
  transport.websockets {
    app-key = "<your_app_key>"
    platforms = "ws://twxplatform:8080/ThingWorx/WS"
  }
}
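
An audit of the downgrade settings described on this page, as an added example (not PTC code): it flattens a Connection Server configuration and reports host name verification turned off, service discovery with TLS off, and ws:// platform URIs. The sample configuration is constructed, the parser handles only the simple block and key = value forms shown here, and nesting the service-discovery keys under cx-server is an assumption, so keys are matched by suffix.

```python
# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = '''
cx-server {
  transport.websockets {
    app-key = "<your_app_key>"
    platforms = "ws://twxplatform:8080/ThingWorx/WS"
    connections.verifyHostName = false
    service-discovery {
      enabled = true
      tls-enabled = false
    }
  }
}
'''

def flatten(text):
    """Flatten nested 'a.b { c = v }' blocks into {'a.b.c': 'v'} (small HOCON subset)."""
    path, settings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue                      # blank line or whole-line comment
        if line.endswith("{"):
            path.append(line[:-1].strip())  # enter a block, e.g. transport.websockets
        elif line == "}":
            if path:
                path.pop()                # leave the current block
        else:
            key, _, value = line.partition("=")
            settings[".".join(path + [key.strip()])] = value.strip().strip('"')
    return settings

def audit(settings):
    """Return (key, reason) findings for the TLS workarounds this page describes."""
    findings = []
    for key, value in settings.items():
        v = value.lower()
        if key.endswith("connections.verifyHostName") and v == "false":
            findings.append((key, "host name verification is disabled"))
        elif key.endswith("service-discovery.tls-enabled") and v == "false":
            findings.append((key, "service discovery connects without TLS"))
        elif key.endswith(".platforms") and "ws://" in v:
            findings.append((key, "platform URI uses ws:// (cleartext) instead of wss://"))
    return findings

if __name__ == "__main__":
    for key, reason in audit(flatten(SAMPLE_CONF)):
        print(f"{key}: {reason}")
```

Run it against configuration files before promoting a test setup, so that workarounds adopted for self-signed certificates do not carry over unnoticed.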