[SalesForce] Apex callout issue to external web service

When trying to call one of our external web services from Apex code, I get an error stating that it is unable to find valid certification path to requested target.

System.CalloutException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

According to Google results, it seems that there is an issue validating the SSL certificate for our service. I spoke with the admin person for that server and he told me it is not expired, verified CA through Thawte, plus other outside software is accessing it without any issues.

We also tried going to "Certificate and Key Management" in Salesforce and selected "Import from Keystore" but not sure what JKS file to import. I do have the cert file but not sure how Salesforce can use it.

Is there something we need to put into the Keystore and then import it into the organization? Do we have to create a new certificate under "Certificate and Key Management" and then use that as the certificate for our external web service?

The external web service that I'm trying to access is:

  • apps.daikinapplied.com/McQuayToolsSrvc/Authentication.asmx

Some of the operations on this service that I am using are:

  • SalesPortalUrl()
  • ValidateSession(double sessionId)
  • GetUserInfoBySessionId (double sessionId)

It works with all other .NET Applications and I also verified that it works in wcftestclient (Microsoft tool). I added the following Remote Site in Salesforce:

  • apps.daikinapplied.com

On the Developer Console, I tested access with the following code which produces the exception error:

Http h = new Http();  
HttpRequest req = new HttpRequest();  
req.setMethod('POST');  
req.setHeader('Accept-Encoding','gzip,deflate');  
req.setHeader('Content-Type','text/xml;charset=UTF-8');
req.setEndpoint('https://apps.daikinapplied.com/McQuayToolsSrvc/Authentication.asmx');

// NOTE: For the requestString variable below the editor here wouldn't let me add the < symbol in front of the tags. Not sure why

String requestString = 'soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">' +
  'soap:Body>' +
    'SalesPortalUrl xmlns="http://tempuri.org/" />' +
  '/soap:Body>' +
'/soap:Envelope>';  

req.setHeader('Content-Length',String.valueOf(requestString.length()));   

req.setBody(requestString);  
HttpResponse res = h.send(req);  
string bodyRes=res.getBody();  
System.debug(bodyRes);  

Any help you can provide would be appreciated!

Best Answer

I believe the problem is different. In Salesforce, you can talk only to those servers which include digital certificates that are signed by Certificate Authorities which Salesforce trusts. Here, the certificate authority for your endpoint, https://apps.daikinapplied.com/McQuayToolsSrvc/Authentication.asmx, is "Kaspersky Antivirus Personal Root Certificate". This is not listed as a trusted certificate in the list provided by Salesforce: https://developer.salesforce.com/page/Outbound_Messaging_SSL_CA_Certificates#addtrustclass1ca

Also, if you check at https://www.digicert.com/help/, your endpoint's certificate is not a trusted one. Attached image for your reference. So the solution would be to ask your integration party to have a certificate installed which is signed by a CA which Salesforce trusts. Let me know if this helps.
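A simplified model of the path building that fails with the "unable to find valid certification path" exception, added here as an example (not code from the question or the answer). It chains certificates by subject and issuer name only; the certificate names and the trust list are constructed, and a real validator also verifies signatures, validity dates and constraints.

```python
# Simplified path building: chains by subject/issuer name only (assumption).
# Real validators also verify signatures, validity dates and constraints.
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str


def build_path(leaf, presented, trusted_roots):
    """Walk from leaf toward a trusted root. Returns (ok, path, reason).

    presented: other certificates the server sent in its handshake.
    trusted_roots: set of root subject names in the client's trust store.
    """
    by_subject = {c.subject: c for c in presented}
    path, current = [leaf.subject], leaf
    while True:
        if current.issuer in trusted_roots:
            return True, path + [current.issuer], "chains to trusted root"
        if current.subject == current.issuer:
            return False, path, "self-signed root not in trust store"
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return False, path, "issuer not presented: " + current.issuer
        if issuer.subject in path:
            return False, path, "issuer loop"
        path.append(issuer.subject)
        current = issuer


# Constructed sample data; none of these names come from the page.
TRUSTED = {"CN=Example Public Root CA"}
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Public Root CA")
LEAF = Cert("CN=service.example.test", "CN=Example Issuing CA")
PRIVATE_ROOT = Cert("CN=Private Root", "CN=Private Root")
PRIVATE_LEAF = Cert("CN=service.example.test", "CN=Private Root")


def demo():
    return {
        "full chain sent": build_path(LEAF, [INTERMEDIATE], TRUSTED),
        "intermediate omitted": build_path(LEAF, [], TRUSTED),
        "root not in trust store": build_path(PRIVATE_LEAF, [PRIVATE_ROOT], TRUSTED),
    }


if __name__ == "__main__":
    for case, (ok, path, reason) in demo().items():
        print(f"{case}: ok={ok} path={' -> '.join(path)} ({reason})")
```

Both failing cases surface to the caller as the same path-building error, so the reason string is what tells an administrator whether to fix the chain the server sends or to change the issuing CA.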
