
PKIX Path Building Failed When Accessing Jahia Public App Store

Question

I’m getting the following error when trying to access the Jahia Public App Store from my on-premise Jahia platform:
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How can I identify and resolve this issue?

Answer

This error means that the JVM running Jahia does not trust the SSL certificate presented by the store (https://store.jahia.com). This is typically caused by a missing certificate authority (CA) in the JVM’s truststore.

Use Case

You’re using an on-premise Jahia environment (e.g., version 8.1.x with Java 8 or Java 11), and the connection to the Jahia Public App Store fails with a PKIX path building failed error.

This usually happens when the JVM does not recognize the certificate chain of the store, especially if the certificate has been issued by SSL.com or another CA not included in your current JVM truststore.

How to Diagnose

1. Check the Java version
Run:

java -version
  • For Java 8, make sure you’re using at least 1.8.0_362.
  • Java 11+ usually includes recent CAs by default.

2. Test the connection with SSLPoke

Use SSLPoke to verify whether your JVM trusts store.jahia.com:

java SSLPoke store.jahia.com 443

Expected outcome:

  • If the output is "Successfully connected", the certificate is trusted.
  • If the output is "PKIX path building failed", the certificate is not trusted by the JVM.

Be sure to run this using the same JVM that Jahia is using.

How to Fix It

Option 1: Import the store certificate into the JVM truststore

1. Extract the certificate:

echo | openssl s_client -connect store.jahia.com:443 | openssl x509 -outform DER > store.der

2. Import it into the truststore:

keytool -import -alias jahia-store -keystore $JAVA_HOME/lib/security/cacerts -file store.der

The default password for cacerts is changeit.

Option 2: Upgrade Java

If you’re using an outdated version of Java 8, upgrade to a more recent release; newer releases often include the necessary CAs (e.g., for SSL.com or Let’s Encrypt).

Notes

  • If your environment uses a custom truststore, make sure you import the certificate there, not in the default cacerts.
  • Antivirus or transparent proxy software may intercept SSL traffic and present an unknown certificate, which also requires manual truststore updates.
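
A pre-import check for Option 1, added here as an example and not taken from Jahia's own documentation: it prints the subject, issuer, expiry and SHA-256 fingerprint of the certificate this host actually receives, and imports only when the issuer contains the CA name you pass in, so a certificate substituted by a proxy or antivirus is not trusted by accident. The TRUSTSTORE variable, the function names and the script file name are assumptions; the jre/lib/security lookup covers the case where JAVA_HOME points at a Java 8 JDK.

```shell
#!/bin/sh
# Added example (not Jahia's code): inspect the presented certificate before trusting it.
HOST=store.jahia.com
PORT=443

# Default truststore for a JAVA_HOME: a Java 8 JDK keeps it under jre/lib/security,
# a Java 8 JRE and Java 9+ under lib/security.
find_cacerts() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# True only when the "issuer=..." line printed by openssl contains the expected CA name.
issuer_matches() {   # $1 = issuer line, $2 = expected substring (must be non-empty)
    [ -n "$2" ] || return 1
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

check_and_import() {   # $1 = CA name the operator expects to have issued the certificate
    # TRUSTSTORE (assumed variable name) points at a custom truststore, if Jahia uses one.
    store=${TRUSTSTORE:-$(find_cacerts "$JAVA_HOME")} || { echo "no cacerts found" >&2; return 2; }
    pem=$(mktemp)
    openssl s_client -connect "$HOST:$PORT" -servername "$HOST" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$pem" || { echo "no certificate received" >&2; rm -f "$pem"; return 2; }
    # Show what is about to be trusted; compare the fingerprint with one taken on an unfiltered network.
    openssl x509 -in "$pem" -noout -subject -issuer -enddate -fingerprint -sha256
    if ! issuer_matches "$(openssl x509 -in "$pem" -noout -issuer)" "$1"; then
        echo "issuer is not '$1' (TLS-inspecting proxy or antivirus?); nothing imported" >&2
        rm -f "$pem"; return 1
    fi
    cp -p "$store" "$store.bak"    # rollback copy of the truststore
    keytool -importcert -alias jahia-store -keystore "$store" -file "$pem"   # prompts for the password
    rm -f "$pem"
}

# Runs only when an expected issuer is passed, e.g. (hypothetical file name):
#   sh check-store-cert.sh "<expected CA name>"
if [ "$#" -gt 0 ]; then check_and_import "$1"; fi
```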