SSL-and-TLS-Certificates

HTTPS encrypts communications with a protocol called Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). The protocol secures communications using asymmetric (public-key) cryptography backed by a public key infrastructure.

The two are tightly linked and TLS is really just the more modern, secure version of SSL. While SSL is still the dominant term on the Internet, most people really mean TLS when they say SSL, because both public versions of SSL are not secure and have long since been deprecated.

How to debug “General OpenSslEngine problem - unable to find valid certification path to requested target”

This error indicates that the client is unable to establish a trusted SSL/TLS connection.

This issue might arise if you are using a self-signed certificate or a certificate that’s been issued by an internal certificate authority, or if your clients (e.g., browser, Java) are outdated.

Possible reasons:

  • Something in your Java installation directory has changed and corrupted its list of trusted providers. Even a simple version upgrade gone wrong can cause this.

  • The certificate at the third-party service may not be signed by a popular root CA or it could be signed by an intermediate CA that is not present in JRE’s trusted list.


❯ openssl s_client -showcerts -connect <domain-name>:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar  2 13:20:42 2022 GMT
notAfter=Mar  2 13:20:42 2023 GMT

❯ openssl s_client -showcerts -connect <domain-name>:443
CONNECTED(00000005)
depth=0 C = SE, ST = AB, L = Stockholm, O = ..., CN = ...
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = SE, ST = AB, L = Stockholm, O = ..., CN = ...
verify error:num=21:unable to verify the first certificate
verify return:1
...

Conclusion: the certificate has recently changed and is broken. The verify errors show that its issuer certificate cannot be found.
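
Verify error 20 can be reproduced offline. The script below is an added example, not part of the original page: it builds a throwaway root CA, intermediate CA and leaf certificate (all subject names and file names are made up) and shows that the leaf fails against the root alone and verifies once the intermediate is supplied.

```shell
#!/bin/sh
# Constructed lab, built offline: throwaway root CA -> intermediate CA -> leaf.
# Every name here (Lab Root CA, lab.example.test, the file names) is made up.

build_chain() {   # $1 = empty working directory
  (
    set -e
    cd "$1"
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
      '[dn]' 'CN = unused' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
      'keyUsage = critical,keyCertSign,cRLSign' > lab.cnf
    # Self-signed root: the only certificate the client will trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config lab.cnf \
      -extensions v3_ca -subj '/CN=Lab Root CA' -keyout root.key -out root.pem
    # Intermediate CA, signed by the root.
    openssl req -newkey rsa:2048 -nodes -config lab.cnf \
      -subj '/CN=Lab Intermediate CA' -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 1 -extfile lab.cnf -extensions v3_ca -out int.pem
    # Leaf (server) certificate, signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -config lab.cnf \
      -subj '/CN=lab.example.test' -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 1 -out leaf.pem
  ) >/dev/null 2>&1
}

verify_leaf() {   # $1 = lab directory, $2 = "with" to present the intermediate
  if [ "${2:-}" = with ]; then
    # Complete chain: the intermediate is offered as an untrusted helper cert,
    # as a correctly configured server would send it in the handshake.
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
  else
    # Broken chain: the client trusts the root but never sees the intermediate.
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
  fi
}

lab=$(mktemp -d)
build_chain "$lab"
echo "root only:";           verify_leaf "$lab" || true   # fails with error 20
echo "root + intermediate:"; verify_leaf "$lab" with      # verifies
rm -rf "$lab"
```

When a real server produces error 20 in `s_client`, the same two remedies apply: the server sends its intermediate certificate, or the client's trust store contains it.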

More

Use SSL Labs to find more info.

https://www.ssllabs.com/ssltest/
https://www.ssllabs.com/ssltest/analyze.html?d=<YOUR DOMAIN>

Or use SSLShopper.

https://www.sslshopper.com/ssl-checker.html#hostname=<YOUR DOMAIN>