Troubleshoot CertPathValidatorException error in Callouts

Publish Date: May 3, 2023

Description

When attempting to connect to a web server/URL endpoint, you may encounter the following error: 'PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed'. Find out why, and how to fix it.

Resolution

The main reason for this error is that the endpoint is presenting a certificate chain that contains incorrect intermediaries during the SSL Handshake. The server is sending it's own certificate and signing chain, but one or more intermediate certificates are incorrect.

To fix the problem, the endpoint must present a chain where the next certificate's subject equals the current certificate's issuer.

A tool like OpenSSL can be used to validate whether the distinguished name (DN) of a certificate's issuer is equal the DN of the next certificate's subject, which must match for the chain to be valid.

If you want to see the certificate information by yourselves, use the below openssl command,

openssl s_client –showcerts –connect hostname:port

where "hostname:port" is your endpoint that you want to connect.

The command will show the certificates as they are being sent.You can then check the list of certificates to verify if the certificate chain is properly installed.

Please note that OpenSSL is a third party tool and does not come in scope of Salesforce support.

Knowledge Article Number

000385068

Did this article solve your issue?

Let us know so we can improve!

Troubleshoot CertPathValidatorException error in Callouts

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List