
Error: “Valid cert chain, but no trust certificate found!” and “Unable to find valid certification path to requested target” in Anypoint Code Builder (ACB)

Publish Date: May 12, 2025
Description

SYMPTOM

The following two SSLHandshakeException errors are recorded in Anypoint Code Builder when connecting to Anypoint Exchange, Design Center, Studio, Connector, Munit, or Runtime update, or when deploying an application to Cloudhub.

javax.net.ssl.SSLHandshakeException: org.eclipse.ecf.internal.ssl.ECFCertificateException: Valid cert chain, but no trust certificate found!

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Note that the UI might show a generic unable to access, download or access denied error. The certificate error might be captured in the Anypoint Code Builder logs. For more information on how to view Anypoint Code Builder logs refer to the ACB troubleshooting docs.

 

CAUSE

The cause of these errors is usually a proxy that performs SSL inspection and replaces the server's SSL certificates with certificates that are not known to your JVM.

 

Resolution

SOLUTION

Note: If the error occurs only while you are using VPN, ensure that you are connected to the VPN before completing all of these steps.

 

Part 1: Download the certificates

  1. Create a folder on your computer to download/export the certificates to.

  2. Open a browser and go to https://anypoint.mulesoft.com/login (and/or any other URLs that produce the error when accessing them).

  3. If using Chrome (similar steps should apply to other browsers):

    1. Click the lock icon in the browser address bar > Connection is secure > Certificate is valid > Details tab.

    2. You should see the certificates "tree". You will need to download all of them (each level) by clicking on it and then clicking on "Export"

  4. When downloading each certificate, save the certificate in the folder you created and rename the certificate matching the original name of the certificate as much as possible. Please delete any spaces. For example, if the certificate is called "Amazon Root CA 1," rename it to “amazon_root_ca_1.cer”.


Part 2: Create the keytool command to install the certificates in every Java Truststore.

1. Using a plain text editor (Notepad, Notepad++, Sublime, VS Code, etc.), copy the base commands so you can edit them to match your paths for the Java Truststore and the certificates you downloaded. Note that you will need to run the command once per certificate, per Java version.
Find below the base commands for Mac and Windows. In both, you need to replace “<certificate name.cer>” with the file name of the downloaded certificate, and “{JDK_VERSION}” with the Java version packed with Anypoint Code Builder or the project-level JDK (there might be more than one).

  1. The base command for Mac:

    Base JDK for Anypoint Code Builder:

      keytool -importcert -file <certificate name.cer> -keystore {user_home}/.vscode/extensions/salesforce.mule-dx-dependencies-{VERSION}/build/deps/{JDK_VERSION}/Contents/Home/lib/security/cacerts -alias "<certificate name.cer>"

    Project level JDK for Anypoint Code Builder:

      keytool -importcert -file <certificate name.cer> -keystore {user_home}/AnypointCodeBuilder/java/{JDK_VERSION}/Contents/Home/lib/security/cacerts -alias "<certificate name.cer>"


  2. The base command for Windows:

    Base JDK for Anypoint Code Builder:

      keytool -importcert -file <certificate name.cer> -keystore {user_home}/.vscode/extensions/salesforce.mule-dx-dependencies-{VERSION}/build/deps/{JDK_VERSION}/Contents/Home/lib/security/cacerts -alias "<certificate name.cer>"

    Project level JDK for Anypoint Code Builder:

      keytool -importcert -file <certificate name.cer> -keystore {user_home}/AnypointCodeBuilder/java/{JDK_VERSION}/Contents/Home/lib/security/cacerts -alias "<certificate name.cer>"

    Note: If you don’t find the path mentioned above, it might be the following instead: “{user_home}/.../{JDK_VERSION}/lib/security/cacerts”

    If you still don’t find that exact path, please check where the “security” directory is located inside “{user_home}/.../{JDK_VERSION}”, and/or contact support to help identify it.

2. To make it easier, list all the commands (the same command with different file names) for all the downloaded certificates.


Part 3: Install the certificate to Java trust store

  1. Open the Terminal on Mac or a command prompt on Windows as an administrator.
  2. Navigate to the directory where the files were downloaded.
  3. Paste the first keytool command from your list and execute it.
  4. Enter any 6 digit password, like “changeit” or "123456". Take note of this password since you will use the same on every execution of this command.
  5. Type “y” if it asks you if you trust the certificate.
  6. Follow all the previous steps again for each certificate command.
  7. Once all of the certificates have been installed, restart Anypoint Code Builder.

The issue should now be solved.
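
The following shell sketch covers Part 2, step 2 and adds a check before Part 3: it prints one keytool import command per exported certificate per truststore, and shows each certificate's SHA-256 fingerprint so you can confirm the chain really belongs to your organization's inspection proxy before trusting it. It is an added example, not MuleSoft's or Salesforce's own tooling; the function names are hypothetical, and it assumes keytool is on your PATH for the fingerprint step.

```shell
#!/bin/sh
# Added example (not from the vendor). Nothing is imported by this script:
# it only prints the command list and fingerprints for review.

# show_fingerprints CERT_DIR
# Prints the SHA-256 fingerprint of every exported .cer file, to compare
# with the fingerprint published by whoever operates the inspection proxy.
show_fingerprints() {
    for cert in "$1"/*.cer; do
        [ -e "$cert" ] || continue        # directory holds no .cer files
        printf '%s\n' "$cert"
        keytool -printcert -file "$cert" | grep 'SHA256:'
    done
}

# build_import_cmds CERT_DIR CACERTS_PATH [CACERTS_PATH ...]
# Prints one "keytool -importcert" line per certificate per truststore,
# using the file name as the alias, as in the base commands above.
build_import_cmds() {
    cert_dir=$1
    shift
    for cert in "$cert_dir"/*.cer; do
        [ -e "$cert" ] || continue
        name=$(basename "$cert")
        case $name in
            *' '*)                        # Part 1, step 4: no spaces in names
                printf 'skipping "%s": rename it without spaces\n' "$name" >&2
                continue ;;
        esac
        for store in "$@"; do
            printf 'keytool -importcert -file "%s" -keystore "%s" -alias "%s"\n' \
                "$cert" "$store" "$name"
        done
    done
}

# Typical use, with the placeholders from the base commands filled in by you:
#   show_fingerprints "$HOME/acb-certs"
#   build_import_cmds "$HOME/acb-certs" \
#       "$HOME/AnypointCodeBuilder/java/{JDK_VERSION}/Contents/Home/lib/security/cacerts"
```

Run the printed commands only after the fingerprints match what your network or security team expects.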


Note
If you enter a password for the first command and get the error "keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect," then this means you have already created a password. If you don't remember the password, delete the file "cacerts" from the "/.../security/" directory and try again.

Knowledge Article Number

004518469

 