For executing an HTTPS request with a Java software like Kettle / PDI you need to provide a certificate for the domain the request is going to address. A possible error message for a request to https://www.example.org using the “HTTP client” step from the “Lookup” section might look like this:

[...]

2013/07/15 11:45:22 - HTTP client.0 - ERROR (version 4.4.0-stable, build 17588 
  from 2012-11-21 16.02.21 by buildguy) : 
    Because of an error, this step can't continue: 

2013/07/15 11:45:22 - HTTP client.0 - ERROR (version 4.4.0-stable, build 17588 
  from 2012-11-21 16.02.21 by buildguy) : 
    Unable to get result from specified URL : https://www.example.org/?a=0

2013/07/15 11:45:22 - HTTP client.0 - ERROR (version 4.4.0-stable, build 17588 
  from 2012-11-21 16.02.21 by buildguy) : 
    sun.security.validator.ValidatorException: 
      PKIX path building failed: 
    sun.security.provider.certpath.SunCertPathBuilderException: 
      unable to find valid certification path to requested target

[...]

[...]

2013/07/15 11:45:22 - HTTP client.0 - ERROR (version 4.4.0-stable, build 17588

from 2012-11-21 16.02.21 by buildguy) :

Because of an error, this step can't continue:

2013/07/15 11:45:22 - HTTP client.0 - ERROR (version 4.4.0-stable, build 17588

from 2012-11-21 16.02.21 by buildguy) :

Unable to get result from specified URL : https://www.example.org/?a=0

2013/07/15 11:45:22 - HTTP client.0 - ERROR (version 4.4.0-stable, build 17588

from 2012-11-21 16.02.21 by buildguy) :

sun.security.validator.ValidatorException:

PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException:

unable to find valid certification path to requested target

[...]

I’ll show you in this article how to deal with this issue on Windows.

Obtain the certificate

The easiest option is to visit the domain (https://www.example.org) and click yourself through the dialogues starting from the little lock symbol next to the domain to the details page of the certificate in use. There you can export the certificate choosing X.509 (PEM) for the format. Store it f.x. on C: as ‘www.example.org.cert’.

Now let’s tell Java about it!

The certificate is added to the main keystore using the keytool program provided by your JRE – simply adjust the paths used in the following command so they fit your folder structure and execute it (with admin rights and without the newlines):

"C:\Program Files\Java\jre7\bin\keytool" 
  -import 
  -alias carpooling 
  -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" 
  -file c:\www.example.org.cert

"C:\Program Files\Java\jre7\bin\keytool"

-import

-alias carpooling

-keystore "C:\Program Files\Java\jre7\lib\security\cacerts"

-file c:\www.example.org.cert

To keep unauthorized individuals from tampering with your main keystore you have to give the password which is “changeit” in the likely case you didn’t change it yet.

Restart Kettle and that’s it already.

joy of data

about turning data into insightful knowledge – for business and personal curiosity

SunCertPathBuilderException in PDI/Kettle

Obtain the certificate

Now let’s tell Java about it!