Java "PKIX path building failed: unable to find valid certification path" in CI
The JVM could not build a trusted path from the server certificate to a root in its truststore (cacerts), and threw SunCertPathBuilderException. Java uses its own truststore, separate from the OS store, so a CA the system trusts is not automatically trusted by Java. On a CI runner this hits Maven, Gradle, and any HTTPS call through a proxy with an internal CA. Import that CA into the JVM truststore to fix it.
What this error means
A Maven or Gradle build, or a Java HTTPS call, fails with "PKIX path building failed: ... unable to find valid certification path to requested target".
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested targetCommon causes
The CA is not in the JVM truststore
Java validates against its own cacerts, not the OS store. A proxy or internal root added to the system is still unknown to the JVM.
The server sends an incomplete chain
The endpoint omits an intermediate, so the JVM cannot bridge the leaf to a trusted root.
How to fix it
Import the CA into the JVM truststore
- Obtain the issuing CA (proxy root or intermediate) as a PEM or DER file.
- Import it into the JDK
cacertswithkeytool. - Re-run the build so the JVM trusts the chain.
keytool -importcert -noprompt \
-alias corp-proxy \
-file corp-root.crt \
-keystore "$JAVA_HOME/lib/security/cacerts" \
-storepass changeitPoint the JVM at a custom truststore
Alternatively, build a dedicated truststore and pass it via system properties so you do not modify the shipped cacerts.
export JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=/opt/certs/corp.jks \
-Djavax.net.ssl.trustStorePassword=changeit"How to prevent it
- Bake the internal or proxy CA into the JVM truststore on runner images.
- Serve full chains so intermediates are never missing.
- Track truststore updates when the CA rotates.