Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

I am invoking an AWS API, I keep running into following error

Exception in thread "main" com.amazonaws.AmazonClientException: Unable to execute HTTP request: java.security.cert.CertificateException: No X509TrustManager implementation available
       at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:709)
       at com.amazonaws.http.AmazonHttpClient.doExecute(AmazonHttpClient.java:449)
       at com.amazonaws.http.AmazonHttpClient.executeWithTimer(AmazonHttpClient.java:411)
       at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:360)
       at com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:2723)
       at com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:2693)
       at com.amazonaws.services.kms.AWSKMSClient.generateDataKey(AWSKMSClient.java:1488)
       at com.infor.aws.KMSTest.createDEK(KMSTest.java:217)
       at com.infor.aws.KMSTest.main(KMSTest.java:144)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
       at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
       at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
       at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
       at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
       at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
       at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
       at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:132)
       at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
       at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:498)
       at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
       at com.amazonaws.http.conn.$Proxy2.connect(Unknown Source)
       at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
       at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
       at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
       at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
       at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
       at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
       at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
       at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:854)
       at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:697)
       ... 8 more
Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
       at sun.security.ssl.DummyX509TrustManager.checkServerTrusted(SSLContextImpl.java:1119)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
       ... 35 more
I have gone through multiple threads here on Stackoverflow and added all the required truststore, truststoretype system properties. This thread I have tried. But nothing is working. Has anyone come across this ? I am invoking it like below 
TrustManagerFactory tmf = TrustManagerFactory
                                   .getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore ks  = KeyStore.getInstance("BCFKS");
ks.load(new FileInputStream("<jre-home>\\\\lib\\\\security\\\\cacerts"), "changeit".toCharArray());
tmf.init(ks);
 // Get hold of the trust manager
X509TrustManager x509Tm = null;
for (TrustManager tm : tmf.getTrustManagers()) {
     if (tm instanceof X509TrustManager) {
          x509Tm = (X509TrustManager) tm;
          break;
                BCFKS for bouncy castle? If you want to use default type of ks,KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
– riversun
                Sep 27, 2016 at 3:03
                Try to print all the trust managers and see if you have more than one. The first one seems to be DummyX509TrustManager.
– sadiq.ali
                Sep 30, 2016 at 18:45
                Did you try to set provider to Security if it is null? And if it is null, then  Security.addProvider(new YourProvider());?
– Hrabosch
                Oct 3, 2016 at 11:01
In my case, I was invoking a SOAP service that needed SSL authentication before my truststore was built. So the service call didn't have a certificate or at least a fully formed one and that caused the service invocation to fail with this error.
When I moved the spring initialization first, then trust store building, and finally service call, that fixed it. To create a certificate, you can do the following:
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(null, null);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
FileInputStream fis = null;
FileOutputStream fos = null;
fis = new FileInputStream(<your cert file>);
X509Certificate certificate = (X509Certificate)cf.generateCertificate(fis);
fis.close();
trustStore.setCertificateEntry(<cert name/alias>, certificate);
fos = new FileOutputStream(<path of the file to write to>);
// "changeit" is the default password that is used.
trustStore.store(fos, "changeit".toCharArray());
fos.close();
If it is PKCS12 that you want, replace it in the place of JKS.
        
Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.