SSL Handshake Exception – PKIX path building failed
I am writing this blog post for a scenario where you send data from your SAP ECC/CRM/backend system via SAP PI/PO to an external system through the HTTP_AAE receiver adapter (using an HTTPS call), with the "Use SSL" checkbox ticked and the client certificate option left unticked in the receiver adapter configuration.
Earlier we had uploaded the client certificate (X.509 format) to the ABAP PSE, and the synchronous calls were working fine.
But all of a sudden, all messages started failing with the error: ERROR_SENDING_HTTP_REQUEST – Message Processing Failed . Reason : javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: Unable to find valid certification path to requested target.
So where do you check what has suddenly gone wrong when everything was working fine?
We ran an XPI trace, and the trace gave us the information below:
Verify Local SSL Client Key Pair : Private Key View/Entry : TrustedCAs/xyzxyzxyz(your client certificate name) : ERROR : NOT A KEY-PAIR. Exception Occurred: Unable to recover the key.
With the above information you would think that the certificate already exists in the path, so why is the system not able to transmit the data to the destination?
After a few hours of digging into the issue, it was found that the certificate at the website/web server location had been changed prior to its expiry date.
So how did I find out? You can take the URL provided to you for the HTTPS location, paste it into the Chrome browser and press Enter.
Now click on the lock icon before the URL. You will get a pop-up.
Click on Certificate, then check the certificate serial number and validity dates (from and to) and match them against your uploaded certificate on the PI/PO server.
And there you have it. If you see a difference in the serial number and validity dates, reach back to the provider who gave you the HTTPS URL and ask them to provide an updated certificate (X.509) to upload to the PI server. Once you upload the updated certificate, connectivity is restored and all messages are transmitted successfully from SAP PI/PO to the endpoint.
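The same serial number and validity comparison can be done from a shell with openssl instead of the browser; this is an added example, not part of the original post. The function names and file names are hypothetical, and make_sample_cert only creates constructed throwaway certificates so the comparison can be tried offline.

```shell
#!/bin/sh
# Added example: compare the certificate a server presents with the copy
# that was uploaded to PI/PO. Function and file names are hypothetical.

# Print serial number, validity dates and SHA-256 fingerprint of a PEM file.
cert_summary() {
    openssl x509 -in "$1" -noout -serial -dates -fingerprint -sha256
}

# Save the leaf certificate presented by host:port as PEM (needs network).
# usage: fetch_server_cert host port out.pem
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$3"
}

# Return 0 if both files hold the same certificate, 1 if they differ,
# 2 if either file cannot be parsed as a certificate.
# usage: compare_certs uploaded.pem presented.pem
compare_certs() {
    uploaded=$(cert_summary "$1") || return 2
    presented=$(cert_summary "$2") || return 2
    if [ "$uploaded" = "$presented" ]; then
        echo "MATCH: the uploaded certificate is the one the server presents"
        return 0
    fi
    echo "MISMATCH: ask the provider for the updated X.509 certificate"
    echo "--- uploaded ($1)"
    echo "$uploaded"
    echo "--- presented ($2)"
    echo "$presented"
    return 1
}

# Constructed sample input: a throwaway self-signed certificate.
# usage: make_sample_cert common-name days out.pem
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days "$2" \
        -keyout "$3.key" -out "$3" 2>/dev/null
    rm -f "$3.key"
}
```

Export the certificate currently uploaded on the PI/PO server to a PEM file, save the server's certificate with fetch_server_cert, and pass both files to compare_certs; a MISMATCH with a different serial number or different dates is the situation described above.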
Reference to SAP Note:
2023989 – Unable to find valid certification path to requested target