Modify ↓
#24428 closed defect (worksforme)
Baden-Württemberg DOP20 aerial images do not load, unable to find valid certification path to requested target
| Reported by: | anonymous | Owned by: | team |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Core | Version: | latest |
| Keywords: | template_report | Cc: |
Description
The Baden-Württemberg DOP20 aerial images do not load in JOSM due to a certificate error, but they work fine in the browser.
WARNUNG: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Ursache: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Ursache: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:376)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:319)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1212)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1155)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:199)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:482)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:141)
at org.openstreetmap.josm.tools.Http1Client.performConnection(Http1Client.java:78)
at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:162)
at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:136)
at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:125)
at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.loadObjectHttp(JCSCachedTileLoaderJob.java:362)
at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.loadObject(JCSCachedTileLoaderJob.java:309)
at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.run(JCSCachedTileLoaderJob.java:233)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1095)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:619)
at java.base/java.lang.Thread.run(Thread.java:1447)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at java.base/sun.security.validator.Validator.validate(Validator.java:256)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1319)
... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:295)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 29 more
Revision:19433 Identification: JOSM/1.5 (19433 de) Linux Ubuntu 25.04 Java version: 24.0.2+12-Ubuntu-0ubuntu125.04.1, Ubuntu, OpenJDK 64-Bit Server VM
Attachments (0)
Change History (5)
comment:2 by , 5 days ago
| Resolution: | → worksforme |
|---|---|
| Status: | new → closed |
Loads fine here on another Linux. As you're using Linux and on Linux Java uses systemwide installed Certificates I suggest to review your installed certificates or install the missing Sectigo certs.
comment:3 by , 4 days ago
By default, Java on Linux uses its own separate truststore located here at /usr/lib/jvm/java-24-openjdk-amd64/lib/security/cacerts rather than the system-wide truststore. The system-wide truststore on Ubuntu 25.04 contains the necessary Sectigo R46 certificate at /etc/ssl/certs/Sectigo_Public_Server_Authentication_Root_R46.pem, which is also successfully verified by curl https://owsproxy.lgl-bw.de. However, running
keytool -list -v -keystore /usr/lib/jvm/java-24-openjdk-amd64/lib/security/cacerts -storepass changeit | grep -i sectigo
shows that this certificate is missing from the Java truststore. After manually importing the certificate into the Java truststore using
keytool -importcert -trustcacerts -alias sectigo-root-r46 -file /etc/ssl/certs/Sectigo_Public_Server_Authentication_Root_R46.pem -keystore /usr/lib/jvm/java-24-openjdk-amd64/lib/security/cacerts -storepass changeit
JOSM can once again display the Baden-Württemberg DOP20 aerial images. The certificate for owsproxy.lgl-bw.de was likely renewed in early August.
comment:4 by , 4 days ago
Ah, so that differs between distributions. On openSUSE it is using system and usually certificate issues only affected Windows in bug reports.
comment:5 by , 3 days ago
FYI: The missing certificates have been added in several OpenJDK versions:
https://bugs.openjdk.org/browse/JDK-8359170
Note:
See TracTickets
for help on using tickets.
