Salesforce CalloutException - CertPathValidatorException
Knowledge Article Number: 000005287
If you're getting the error message "PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed", find out why and how to fix it.
The main reason for this error is that the endpoint is presenting a certificate chain that contains incorrect intermediate certificates during the SSL handshake. The server is sending its own certificate and signing chain, but one or more intermediate certificates are incorrect.
A tool like OpenSSL can be used to validate whether the distinguished name (DN) of a certificate's issuer is equal to the DN of the next certificate's subject; these must match for the chain to be valid.
openssl s_client -showcerts -connect hostname:port
where "hostname:port" is the endpoint that you want to connect to.
The command will show the certificates as they are being sent. You can then check the list of certificates to verify whether the certificate chain is properly installed.
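The check described above can be automated. The following is an added example, not part of the original article or any Salesforce tooling: a shell function (the name check_chain is hypothetical) that reads the "Certificate chain" section printed by s_client and compares each issuer DN with the subject DN of the next certificate. The sample chains and their DNs are constructed, and the function compares the names as printed; it does not verify signatures.

```shell
# Real use: openssl s_client -showcerts -connect hostname:port </dev/null 2>/dev/null | check_chain
check_chain() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && $0 == "---" { in_chain = 0 }   # a bare "---" ends the section; PEM markers do not
    in_chain && /^ *[0-9]+ s:/ { l = $0; sub(/^ *[0-9]+ s:/, "", l); subj[n++] = l; next }
    in_chain && /^ +i:/        { l = $0; sub(/^ +i:/, "", l); iss[n - 1] = l; next }
    END {
      if (n == 0) { print "no certificate chain found"; exit 2 }
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) {
          printf "MISMATCH: issuer of cert %d [%s] != subject of cert %d [%s]\n", k, iss[k], k + 1, subj[k + 1]
          bad = 1
        }
      if (!bad) print "OK: " n " certificate(s), every issuer matches the next subject"
      exit bad + 0
    }'
}

# Constructed sample output: a correctly ordered chain (PEM body replaced by a placeholder).
GOOD_CHAIN='Certificate chain
 0 s:CN = api.example.com
   i:O = Example Org, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:O = Example Org, CN = Example Intermediate CA
   i:O = Example Org, CN = Example Root CA
---
Server certificate'

# Constructed sample output: the server sends the wrong intermediate certificate.
BAD_CHAIN='Certificate chain
 0 s:CN = api.example.com
   i:O = Example Org, CN = Example Intermediate CA
 1 s:O = Example Org, CN = Other Intermediate CA
   i:O = Example Org, CN = Example Root CA
---
Server certificate'

printf '%s\n' "$GOOD_CHAIN" | check_chain
printf '%s\n' "$BAD_CHAIN" | check_chain || true   # exit status 1 signals a broken chain
```

An exit status of 1 points at the certificate pair to fix on the server; status 2 means no chain section was found in the input.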