[cas, tomcat] SunCertPathBuilderException: unable to find valid certification path to requested target

Exception stack:

HTTP Status 500 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


type Exception report

message javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:407)
	org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:45)
	org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:200)
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:206)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:161)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:100)

root cause

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
	sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
	sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
	sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
	sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
	sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
	sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
	sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
	sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
	sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
	sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
	sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
	sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:393)
	org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:45)
	org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:200)
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:206)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:161)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:100)

root cause

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	sun.security.validator.Validator.validate(Validator.java:260)
	sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
	sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
	sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
	sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
	sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
	sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
	sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
	sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
	sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
	sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:393)
	org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:45)
	org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:200)
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:206)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:161)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:100)

root cause

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
	java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
	sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	sun.security.validator.Validator.validate(Validator.java:260)
	sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
	sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
	sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
	sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
	sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
	sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
	sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
	sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
	sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
	sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:393)
	org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:45)
	org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:200)
	org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:206)
	org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:161)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:100)

note The full stack trace of the root cause is available in the Apache Tomcat/7.0.65 logs.


Apache Tomcat/7.0.65

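Cause:

The local certificate and the server-side certificate do not match: the JDK running cas-client does not trust the certificate that cas-server presents.

References: http://stackoverflow.com/questions/7709540/how-to-solve-sun-security-provider-certpath-suncertpathbuilderexception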

https://confluence.atlassian.com/display/KB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed

http://stackoverflow.com/questions/1828775/how-to-handle-invalid-ssl-certificates-with-apache-httpclient


Solution:

Import the cas-server certificate into the JDK used by cas-client.
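
One way to carry out this import with `openssl` and the JDK's `keytool`, shown as an added example rather than commands from the original post. It checks the certificate's SHA-256 fingerprint against a value obtained out of band before importing, so certificate validation stays on. The host `cas.example.test`, port `8443`, alias `cas-server` and the file names are assumptions; `changeit` is the JDK's default `cacerts` password.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): import the cas-server certificate
# into the truststore of the JDK that runs cas-client, after checking that it
# is the certificate you expect. Host, alias and paths below are assumptions.

# Save the leaf certificate presented by host:port as PEM.
fetch_server_cert() {            # fetch_server_cert <host> <port> <out.pem>
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM >"$3"
}

# SHA-256 fingerprint of a PEM certificate, colon-separated upper-case hex.
cert_fingerprint() {             # cert_fingerprint <cert.pem>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the certificate matches a fingerprint obtained out of band
# (for example from the cas-server administrator), not from the same connection.
fingerprint_matches() {          # fingerprint_matches <cert.pem> <expected>
  local actual expected
  actual=$(cert_fingerprint "$1") || return 2
  expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Import into the truststore only after the fingerprint check passes.
import_cas_cert() {  # import_cas_cert <cert.pem> <expected> <truststore> <pass> <alias>
  fingerprint_matches "$1" "$2" || { echo "fingerprint mismatch, not importing" >&2; return 1; }
  keytool -importcert -noprompt -trustcacerts -alias "$5" \
    -file "$1" -keystore "$3" -storepass "$4"
}

# True if the alias is present in the truststore.
is_trusted() {                   # is_trusted <truststore> <pass> <alias>
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Typical use (assumed names; JDK 8 and earlier keep cacerts under jre/lib/security):
#   fetch_server_cert cas.example.test 8443 cas-server.pem
#   import_cas_cert cas-server.pem "<fingerprint from the server admin>" \
#     "$JAVA_HOME/jre/lib/security/cacerts" changeit cas-server
```

Run it against the JDK that Tomcat actually starts with, then restart Tomcat so the cas-client filters reload the truststore.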

