Error http get PKIX path building failed


I have the error below when my gateway executes an event script.
My script works when I use the script console on the designer.
I use my designer directly on my gateway server.

Do you know what it means?

com.inductiveautomation.ignition.common.script.JythonExecException: Traceback (most recent call last): File "", line 31, in IOError: PKIX path building failed: unable to find valid certification path to requested target
at org.python.core.Py.fromIOException(
at org.python.core.Py.IOError(
at com.inductiveautomation.ignition.common.script.builtin.AbstractNetUtilities.httpGet(
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.python.core.PyReflectedFunction.__call__(
at com.inductiveautomation.ignition.common.script.ScriptManager$ReflectedInstanceFunction.__call__(
at org.python.core.PyObject.__call__(
at org.python.core.PyObject.__call__(
at org.python.pycode._pyx1.f$0(:36)
at org.python.pycode._pyx1.call_function()
at org.python.core.Py.runCode(
at com.inductiveautomation.ignition.common.script.ScriptManager.runCode(
at com.inductiveautomation.ignition.common.script.ScriptManager.runCode(
at com.inductiveautomation.ignition.common.script.TagChangeScriptExecutor$TagChangeExecutionCallback.execute(
at com.inductiveautomation.ignition.common.script.TagChangeScriptExecutor$TagChangeExecutionCallback.execute(
at com.inductiveautomation.ignition.common.util.SerialExecutionQueue$
at java.util.concurrent.Executors$ Source)
at Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$ Source)
at Source)
Caused by: org.python.core.PyException: Traceback (most recent call last): File "", line 31, in IOError: PKIX path building failed: unable to find valid certification path to requested target
... 26 common frames omitted


It means that the certificate of the server isn't trusted by the client.

It's interesting that it works on the script console but not in the gateway. This could be because the version of the JDK running the Designer has the root in its trust store but the different version of the JDK running the Gateway does not. Whether this is because one is out of date or because you've explicitly added it to one of them is unknown.

You also marked this 7.9, which means the Designer could have been launched with a Java installed on the system, which could be paying attention to system proxy settings in some way that matters.



How can I change the JDK trust store on my server?

You have to import the certificate into the keystore at $JAVA_HOME/jre/lib/security/cacerts or something like that. You'll have to use either keytool or something like KeyStore Explorer. I believe the default password is changeit.

You need to import the root CA of the chain signing this server's certificate, not the server certificate itself, unless it's a self-signed certificate.
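The import described above, as an added shell example that is not from this thread or from Ignition. It assumes a POSIX shell, the JDK's keytool on PATH, the default cacerts password changeit, and that JAVA_HOME points at the JVM that runs the Gateway (not the Designer); the alias name and the /tmp path are placeholders.

```shell
#!/bin/sh
# Locate the cacerts trust store for the JVM at JAVA_HOME. JDK 8 keeps it
# under jre/lib/security, JDK 9+ under lib/security. Point JAVA_HOME at the
# Gateway's own JVM (see the Gateway status page), not the Designer's.
find_cacerts() {
  for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [ -f "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# Print the last certificate block of a PEM chain file, i.e. the CA closest
# to the root. That CA is what gets imported, never the leaf certificate.
last_cert_in_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ { block = "" }
       { block = block $0 "\n" }
       /-----END CERTIFICATE-----/ { last = block }
       END { printf "%s", last }' "$1"
}

# Exit 0 if ALIAS is already in the store, non-zero otherwise.
has_alias() {
  keytool -list -keystore "$1" -storepass "${STOREPASS:-changeit}" \
    -alias "$2" >/dev/null 2>&1
}

# Import ROOT_PEM under ALIAS only if absent, keeping a backup of the store.
import_root_ca() {
  store="$1"; root_pem="$2"; alias="$3"
  if has_alias "$store" "$alias"; then
    echo "alias '$alias' already present in $store"
    return 0
  fi
  cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)" || return 1
  keytool -importcert -noprompt -trustcacerts -keystore "$store" \
    -storepass "${STOREPASS:-changeit}" -alias "$alias" -file "$root_pem"
}

# Usage: JAVA_HOME=/path/to/gateway/jdk sh import_root.sh chain.pem
if [ "${1:-}" ]; then
  store=$(find_cacerts "$JAVA_HOME") || { echo "no cacerts under $JAVA_HOME" >&2; exit 1; }
  last_cert_in_chain "$1" > /tmp/root-ca.pem   # placeholder path
  import_root_ca "$store" /tmp/root-ca.pem root-ca   # placeholder alias
fi
```

Restart the Gateway after the import; the JVM reads cacerts at startup.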

It's a Certbot certificate which is renewed automatically every month.
It seems difficult to do.

If you're talking about a public domain signed by Let's Encrypt then it should be trusted already, unless you're signing using one of the older/expired LE roots.

Can you provide a copy of the certificate chain for this server? Did you check which version of Java is running the Ignition Gateway?

Yes it's Let's Encrypt.
Do you want chain.pem, fullchain.pem, cert.pem or privkey.pem?

Everything but the privkey would be useful.

Also stop ignoring my question about Java version.

Java version is 1.8.0_144.

My privkey below.

Everything but the private key. That's private to you.

You said "privkey would be useful".
So what file do you want?

I will attempt to clarify: Kevin said: "Everything BUT the privKey" In this case, the word but is a negation term meaning send a copy of the certificate chain for this server but do NOT include the privkey.

I will send you chain.pem.

Here is my chain.pem file.

Is this the version running your Gateway or your Designer? You should be able to see the version the Gateway uses on the status page:

Gateway: 1.8.0_144-b01

Okay, well that version should already have the ISRG Root X1 certificate in its trusted root list, but you might want to try importing it anyway just in case. Or upgrade to the latest JDK 8.

The other times we've seen issues like this is when on a corporate network with a nosy firewall or security appliance that is injecting a certificate signed by a corporate CA so it can MITM SSL/TLS traffic. This is trickier to diagnose, so you might chase the other option down first.


How can I import the ISRG Root X1 into Java?