Send error: unable to find valid certification path to requested target #1067

Closed
mmhere opened this issue Oct 26, 2022 · 17 comments

Comments

@mmhere

mmhere commented Oct 26, 2022

Anyone else seeing this? Just started today.

Last successful send was about six hours ago. Repeatedly fails now.

Error while checking account +NNNNNNNNNNN: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The above appears on stderr.

Various version infos. What else would help?

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

cat /etc/debian_version reveals:  10.11

$ java --version
openjdk 11.0.16 2022-07-19
OpenJDK Runtime Environment (build 11.0.16+8-post-Debian-1deb10u1)
OpenJDK 64-Bit Server VM (build 11.0.16+8-post-Debian-1deb10u1, mixed mode, sharing)
@Cempakers87

I have the same error as well.

@mmhere
Author

mmhere commented Oct 26, 2022

So maybe it is an API change on the Signal servers?

@Cempakers87

I don't know exactly what causes the problem. Until now it is still not working.

@AsamK
Owner

AsamK commented Oct 27, 2022

The Signal servers now seem to use a new certificate; the latest signal-cli versions have already had this certificate for some time.
You either need to update or manually replace the certificate store in the lib (or signal-cli) .jar file with the one from the latest version.

@Janson247

We had that problem as well. It was due to SSL inspection in our firewall. After excluding signal.org from the SSL inspection it worked fine again.

@mmhere
Author

mmhere commented Oct 27, 2022

The Signal servers now seem to use a new certificate; the latest signal-cli versions have already had this certificate for some time. You either need to update or manually replace the certificate store in the lib (or signal-cli) .jar file with the one from the latest version.

Can anyone point to the .jar file in question, and the certificate that is involved?

@mmhere
Author

mmhere commented Oct 27, 2022

Two... hours .. later... (quoting Sponge Bob)

I had to update to Java 17 on Debian 10 (a bit of a faff), then was able to install the precompiled binaries from https://github.com/AsamK/signal-cli/issues/1067 (via the link https://github.com/AsamK/signal-cli/releases/download/v0.11.4/signal-cli-0.11.4-Linux.tar.gz deposited in /opt and symlinked in /usr/local/bin).

All working again.

This was useful: https://computingforgeeks.com/install-oracle-java-openjdk-on-debian-linux/ (to get Java 17 to install, I also had to apt-get install libc6-i386 libc6-x32). Typical Java pain.

@yjeanrenaud

yjeanrenaud commented Oct 27, 2022

Compiling again is not a very feasible option on a Raspberry Pi 3...
How may we replace the certificate?

@mmhere
Author

mmhere commented Oct 27, 2022

As an aside, when one of my raspi machines wants to send a message, it ssh's to a single Debian host to invoke signal-cli. Not sure if that idea might help.

In my case I have one central machine that runs signal-cli; other machines on the network ssh to it in order to send. Side effect (a plus or minus depending on your perspective) is that one "phone number" is registered for sending.

@mmhere
Author

mmhere commented Oct 28, 2022

Unless anyone else wants to keep this open, the issue is resolved for me by updating both Java (17) and signal-cli (0.11.4).

@yjeanrenaud

well yes. I have to find a way to supply binaries for aarch64 though somehow.

@AsamK
Owner

AsamK commented Oct 28, 2022

To manually replace the certificate store:

@yjeanrenaud

yjeanrenaud commented Oct 28, 2022

To manually replace the certificate store:

awesome, thank you!
I tried with version 0.6.11 (where I found the whisper.store in signal-cli-0.6.11.jar under org/asamk/signal/manager/whisper.store) and 0.9.0
but both versions fail:
version 0.6.11 complains:
Error loading state file: Incorrect file format: expected parameter axolotlStore not found
and 0.9.0 says:
Error loading state file: java.io.IOException: Wrong version of key store. (AssertionError)

@AsamK
Owner

AsamK commented Oct 28, 2022

oh, then it seems it's not as simple as I thought ... The 0.6.11 error is unrelated and happens because the account file was upgraded by a newer signal-cli version.

I converted the store to BKS-V1, you could try 0.9.0 with that one: whisper.store.zip
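
A diagnostic for the store mismatch discussed in this thread, as an added example that is not part of the thread or of signal-cli's own code: it locates the bundled `whisper.store` inside a jar and reports its key store format and SHA-256, so the store in an old release can be compared with the one in a new release before swapping them. It assumes the Bouncy Castle layout in which the file begins with a 4-byte big-endian version (1 for BKS-V1, 2 for BKS); `inspect_trust_stores` and `make_sample_jar` are names introduced here, and the sample jars are constructed.

```python
import hashlib
import io
import struct
import zipfile

# Assumption: a Bouncy Castle key store starts with a big-endian 32-bit
# format version (1 for type "BKS-V1", 2 for type "BKS").
BKS_TYPES = {1: "BKS-V1", 2: "BKS"}


def inspect_trust_stores(jar, suffix="whisper.store"):
    """Return (entry name, store type, SHA-256) for each bundled store in a jar."""
    found = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(suffix):
                continue
            data = zf.read(name)
            if len(data) < 4:
                kind = "truncated"
            else:
                (version,) = struct.unpack(">I", data[:4])
                kind = BKS_TYPES.get(version, f"unknown (header {version:#x})")
            found.append((name, kind, hashlib.sha256(data).hexdigest()))
    return found


def make_sample_jar(version, body=b"constructed-not-a-real-store"):
    """Build an in-memory jar holding a constructed (fake) store with this header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/asamk/signal/manager/whisper.store",
                    struct.pack(">I", version) + body)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed stand-ins for an old and a new release jar.
    for label, header in (("old", 1), ("new", 2)):
        for name, kind, digest in inspect_trust_stores(make_sample_jar(header)):
            print(f"{label}: {name} type={kind} sha256={digest[:16]}...")
```

On real files, pass the path of each release's jar to `inspect_trust_stores`; a differing digest shows the bundled trust anchors changed, and a differing type shows the store was written in a format the older runtime may reject.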

@yjeanrenaud

yjeanrenaud commented Oct 28, 2022

thank you! Same error. I also removed the ~/.local/share/signal-cli/ folders to get new account files. No luck either.
I used 0.9.0 because it's the latest I found with libsignal compiled for aarch64 or armv7.
my efforts compiling it via github workflow or on the machine did not succeed so far.

@AsamK
Owner

AsamK commented Oct 29, 2022

Then I guess just replacing the certificate doesn't work...
For Arch Linux there's a build file that also works on ARM. Maybe it has some hints for required dependencies or steps you need to build libsignal-client: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=libsignal-client

@yjeanrenaud

yjeanrenaud commented Nov 3, 2022

I found out. Had a bad symlink. Got 0.8.4.1 now working, but slow as hell. But I can't register as 0.8.4.1 does not support captchas...


5 participants