Issue in callout to an external REST service over HTTPS from Salesforce

I have to make callout to an external REST service from salesforce. Service provider has shared an ‘HTTPS’ endpoint with me.

I am able to access the service by simply pasting service endpoint in browser, and it returns a JSON response. But when I try to invoke same endpoint from Salesforce it does not work and gives below error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I contacted my service provider and they mentioned that the service is working in browser because the browser trusts my service provider’s certificate and similarly Salesforce should also trust the certificate.

I downloaded the certificate from the browser and tried to add it to callout as in Approach-1 and Approach-2 below. And also tried to add a salesforce self-signed certificate as in Approach-3 below. But every time I get the same error.

HttpRequest request = new HttpRequest();
String endpoint = 'https://serviceprovider.com/querystring';
request.setEndPoint(endpoint);

///Approach-1////
//String cert1 = 'certificate details';
//request.setClientCertificate(cert1,'password');

///Approach-2////
//String cert1 = 'certificate details';
//String cert2 = EncodingUtil.base64Encode(Blob.valueOf(cert1));
//request.setClientCertificate(cert2,'password');

///Approach-3////
request.setClientCertificateName('Testing');

request.setMethod('GET');
HttpResponse response = httpProtocol.send(request);
System.debug('######'+response.getBody());

Any help to resolve the issue will be appriciated.
Thanks in advance.

Answer

You may like to refer the previous discussion we had on this issue

Why do I get ‘PKIX path building failed’ exception with my callout?

This happened to me since site/service was not certified with an ssl certificate signed by some verified certificate authority (CA).

The following are the accepted SSL CA cerificates by salesforce

http://wiki.developerforce.com/page/Outbound_Messaging_SSL_CA_Certificates#thawteprimaryrootcag3

quick solution would be to ask the service provider to have valid SSL certifcate .

If the external system is Java client then refer the following discussion board to find resolution

http://boards.developerforce.com/t5/General-Development/PKIX-path-building-failed/td-p/128332

You may prefer advanced security using two way SSL and developer force documentation may assist you

http://wiki.developerforce.com/page/Making_Authenticated_Web_Service_Callouts_Using_Two-Way_SSL

Remember in two way SSL the client and server both need to have valid certificates.

Hence just making private certificate at your end may not solve the problem unless the server hosting the service has a valid SSL certificate.

Attribution
Source : Link , Question Author : V J , Answer Author : Community

Leave a Comment