io.ipinfo.api.errors.ErrorResponseException: javax.net.ssl.SSLHandshakeException

[nikhilvs]

io.ipinfo.api.errors.ErrorResponseException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at io.ipinfo.api.request.BaseRequest.handleRequest(BaseRequest.java:35) ~[ipinfo-api-1.1.jar!/:?]
at io.ipinfo.api.request.IPRequest.handle(IPRequest.java:24) ~[ipinfo-api-1.1.jar!/:?]
at io.ipinfo.api.IPInfo.lookupIP(IPInfo.java:51) ~[ipinfo-api-1.1.jar!/:?]

Version : 1.1
Java version: 1.8
OS: Amazon linux

[przmv]

Hello, @nikhilvs ! Could you please provide a Minimal, Complete, and Verifiable example? Thanks!

[nikhilvs]

Using payed version of ipinfo/java to lookup ip.

java version "1.8.0_72"
Java(TM) SE Runtime Environment (build 1.8.0_72-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.72-b15, mixed mode)

BTW it is environment specific, cannot reproduce in local

IPInfo ipInfo = IPInfo.builder()
                .setCache(new SimpleCache(Duration.ofDays(7)))
                .setToken("XXXXXXXXX").build();
String testIp="103.245.157.2";
IPResponse response = ipInfo.lookupIP(testIp);

Generates following Error Stacktrace(i know it can be missing CA cert in keystore, but not seen issue for other HTTPS calls) :

    "Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "    sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)",
    "    sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)",
    "    java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)",
    "    sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)",
    "    sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)",
    "    sun.security.validator.Validator.validate(Validator.java:260)",
    "    sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)",
    "    sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)",
    "    sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)",
    "    sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)",
    "    sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)",
    "    sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)",
    "    sun.security.ssl.Handshaker.process_record(Handshaker.java:914)",
    "    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)",
    "    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)",
    "    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)",
    "    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)",
    "    okhttp3.internal.io.RealConnection.connectTls(RealConnection.java:239)",
    "    okhttp3.internal.io.RealConnection.establishProtocol(RealConnection.java:196)",
    "    okhttp3.internal.io.RealConnection.buildConnection(RealConnection.java:171)",
    "    okhttp3.internal.io.RealConnection.connect(RealConnection.java:111)",
    "    okhttp3.internal.http.StreamAllocation.findConnection(StreamAllocation.java:187)",
    "    okhttp3.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:123)",
    "    okhttp3.internal.http.StreamAllocation.newStream(StreamAllocation.java:93)",
    "    okhttp3.internal.http.HttpEngine.connect(HttpEngine.java:296)",
    "    okhttp3.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)",
    "    okhttp3.RealCall.getResponse(RealCall.java:243)",
    "    okhttp3.RealCall$ApplicationInterceptorChain.proceed(RealCall.java:201)",
    "    okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:163)",
    "    okhttp3.RealCall.execute(RealCall.java:57)",
    "    io.ipinfo.api.request.BaseRequest.handleRequest(BaseRequest.java:33)",
    "    io.ipinfo.api.request.IPRequest.handle(IPRequest.java:24)",
    "    io.ipinfo.api.IPInfo.lookupIP(IPInfo.java:51)",

[aaomidi]

IPInfo uses Lets Encrypt, which might have issues with older systems. Try making a request to https://letsencrypt.org/ on the same local instance and see if you get the same error.

[nikhilvs]

Yes, the issue is because older version JDK 1.8 doesn't have CA certificate of lets encrypt.
I did add certificate of ipinfo.io to Keystore and it starts working.

But as a library provider, this is still a bug from your side.

[aaomidi]

(I don't work for ipinfo anymore, just wrote this library so I wanted to help :) )

[UmanShahzad]

According to https://letsencrypt.org/docs/certificate-compatibility/ this won't be an issue for Java 7 >= 7u111 and Java 8 >= 8u101, and presumably for all later major versions.

I think the best thing we can do is either require a JDK version that is >= those supported ranges, or document the incompatibility and guide the user on how to fix it locally. Personally I'm leaning on requiring it, but then only noting the incompatibility and letting the user figure out what they want to do.

[UmanShahzad]

ipinfo.io seems to no longer be using letsencrypt, so this issue should be solved.

[UmanShahzad]

@jd8171 for this issue, you don't need to do anything further.