Can't access Azure blob via Shared Access Signatures using HTTPS in Java SDK

    Question

  • I'm trying to access an Azure blob via Shared Access Signatures using HTTPS in the Java SDK and I got an SSLHandshakeException. I can successfully download the blob from a browser via SAS, I can access the blob using HTTPS in the .NET SDK, and I can access the blob using HTTP in the Java SDK, so I guess it must be some certificate issue in Java. The following are the code and the error details:

    =====Code=====

    String blobSASUri = "https://mystorage.blob.core.chinacloudapi.cn/mycontainer/myfile.txt?sv=2015-12-11&sr=b&sig=8iAChUIIQl2n%2BwYZJeDDfiOvuojdDm2AdHb8K3BGDGA%3D&st=2016-09-01T01%3A30%3A11Z&se=2016-09-01T02%3A35%3A11Z&sp=r";
    CloudBlockBlob blob = new CloudBlockBlob(new URI(blobSASUri));

    boolean exists = blob.exists(); //error happens

    =====Error=====

    StorageException

    Message: The server encountered an unknown failure:

    ErrorCode: SERVICE_INTERNAL_ERROR

    Cause: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    • Edited by gnaysiuol Thursday, September 1, 2016 2:21 AM
    Thursday, September 1, 2016 2:05 AM

All replies

  • Greetings!

    Thank you for posting here! 

    We are currently researching this concern; we will revert to you as soon as we have an answer.

    Regards,
    Sumanth BM

    Thursday, September 1, 2016 5:12 PM
    Moderator
  • Hello,

    An engineer has provided the following response for your consideration:

    I believe the issue is that Java uses its own certificate store (not tied to Windows), and the new intermediate certs for blob storage endpoints are not in Java’s cert store. There is a guide at https://blogs.oracle.com/jtc/entry/installing_trusted_certificates_into_a which walks through how to add a cert to the Java keystore.

    If it doesn’t help, kindly let us know, we are happy to assist you more.

    Regards,

    Vikranth S.

    Disclaimer:

    This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Friday, September 2, 2016 3:16 PM
    Moderator
  • Thanks a lot Vikranth. I'll try the instruction and get back to you.

    But I have a further question regarding the intermediate certs for blob storage endpoints. Are the intermediate certs differing for different storage endpoint domains (as below)

    Global Default: core.windows.net

    China: core.chinacloudapi.cn

    or are they differing for different storage accounts? It confused me by the fact that I find a wildcard certificate of *.blob.core.windows.net which I guess is for the entire storage domain, and a certificate of myaccount.blob.core.chinacloudapi.cn specifically for my storage account in China Azure on my machine. If the certificate is for each different storage account, what's the best practise to manage the certificates on customers' machines when the storage account changes (the application running on customer machines has no idea of the storage and accesses the blob only by SAS)?

    Thanks, -Louis

    Saturday, September 3, 2016 5:20 AM
  • Well, I imported the certificate for myaccount.blob.core.chinacloudapi.cn to the Java keystore but it still didn't work. Would you please tell me which certificate to add and preferably detailed steps to do it?

    Thanks,

    -Louis

    Saturday, September 3, 2016 7:23 AM
  • Hi Louis,

    You need to import the intermediate certificates; don't import leaf certificates.

    Let us know the status!

    Regards,
    Sumanth BM

    Wednesday, September 7, 2016 6:17 PM
    Moderator
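
The advice above (import the intermediate CA certificates, not the leaf) can be followed with the sketch below, which is an added example and not part of the original thread. It separates the chain a server presents into per-certificate files and prints keytool imports for the CA certificates only; the function names, the alias prefix and the sample input are constructed, and the keystore path is whatever cacerts file your JRE uses.

```shell
#!/bin/sh
# Added example: not from the thread. Function names and the alias prefix
# "azure-blob-ca-" are hypothetical.

# split_chain DIR: read `openssl s_client -showcerts` output on stdin and
# write DIR/cert-N.pem per certificate. N=0 is the server (leaf) certificate;
# N>=1 are the CA certificates the server sent. Prints the certificate count.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0; n++ }
        END { print n }
    '
}

# import_cmds DIR COUNT KEYSTORE: print (do not run) one keytool import per CA
# certificate, skipping cert-0.pem, the leaf. keytool shows each certificate's
# fingerprint and asks for confirmation; check it against the CA's published
# value before answering yes.
import_cmds() {
    i=1
    while [ "$i" -lt "$2" ]; do
        printf 'keytool -importcert -alias azure-blob-ca-%s -file %s -keystore %s\n' \
            "$i" "$1/cert-$i.pem" "$3"
        i=$((i + 1))
    done
}

# Constructed stand-in for s_client output (placeholder bodies, not real certs).
sample_showcerts() {
    cat <<'EOF'
Certificate chain
 0 s:CN=leaf.example (constructed)
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF
-----END CERTIFICATE-----
 1 s:CN=Intermediate CA (constructed)
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE
-----END CERTIFICATE-----
EOF
}

# Live use against the host from the question (needs network):
#   openssl s_client -connect mystorage.blob.core.chinacloudapi.cn:443 \
#     -servername mystorage.blob.core.chinacloudapi.cn -showcerts </dev/null |
#     split_chain ./chain
```

If the count printed is 1, the server sent only its leaf certificate, and the missing CA certificate has to be obtained from the issuing CA rather than from the handshake.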