Category Archives: Mac

SSLHandshakeException: unable to find valid certification path to requested target

You are trying to connect to a server over SSL and you get the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
...

This means that your computer does not trust the remote computer. The remote computer serves a certificate for which your computer cannot find a trusted issuer. The remote certificate may be self-signed, or issued by a CA that your computer does not know.

One solution: add the remote computer's certificate to your truststore:
1. Get the remote computer certificate using OpenSSL:

openssl s_client -connect <remote computer address>:<remote computer port>

This will print the remote computer's certificate (from BEGIN CERTIFICATE to END CERTIFICATE). Copy it to a file, preserving the BEGIN and END rows.
2. Add the remote certificate to your Java truststore

sudo keytool -import -alias remote_computer_cert -file <remote computer cert> -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts

3. Done – connect again – the error should be gone

Tested on OSX v10.15.6, OpenSSL 2.8.3 (LibreSSL) and Java 1.8.0_252 (OpenJDK)
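
The procedure above trusts whatever certificate the server presents at the moment you connect, so the copy you import should first be compared with a fingerprint obtained from the server's administrator over a separate channel. The following is an added example, not part of the original post; the function names, their arguments and the choice of a SHA-256 fingerprint are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check a server certificate's
# SHA-256 fingerprint before importing it into the Java truststore.
# Function names and arguments are assumptions made for this example.

# Read `openssl s_client` output on stdin and print only the first PEM block,
# which is the server's own (leaf) certificate.
extract_leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Reduce a fingerprint to bare upper-case hex: drop a "... Fingerprint="
# prefix, colons and whitespace.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if both fingerprints are equal after normalisation. An empty
# actual value (openssl failed, nothing was fetched) never matches.
fp_matches() {
    a=$(normalize_fp "$1")
    [ -n "$a" ] && [ "$a" = "$(normalize_fp "$2")" ]
}

# usage: fetch_and_check <host> <port> <expected fingerprint> <output file>
fetch_and_check() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        extract_leaf_pem > "$4"
    actual=$(openssl x509 -in "$4" -noout -fingerprint -sha256 2>/dev/null)
    if fp_matches "$actual" "$3"; then
        echo "Fingerprint matches; $4 can be imported with keytool."
    else
        echo "Fingerprint mismatch, not importing: ${actual:-no certificate}" >&2
        rm -f "$4"
        return 1
    fi
}
```

Run the keytool import from step 2 on the output file only when fetch_and_check reports a match.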

Yubikey: Manually pair a PIV Yubikey with OSX

Every now and then things do not work as intended. For example: when you insert a new Yubikey that has certificates, a PIN and a PUK installed into a slot on your Mac, a pairing dialog should appear. This does not always happen, and in that case we need to do a “manual pairing”.
Here is how:

1. Insert the Yubikey into the Mac
2. Open a terminal
3. Run the sc_auth command below

sc_auth identities

This will output something like this:

SmartCard: com.apple.pivtoken:2B20E9654D142033695ADEC481CFD11EBA45EC00
Unpaired identities:
C28BE4EC86FAAC4B5EFE825947240B2CE03BA4F2       Certificate For PIV Authentication (<username>)

4. Now run the following command to start the pairing process

sudo sc_auth pair -f -u<username> -hC28BE4EC86FAAC4B5EFE825947240B2CE03BA4F2

NOTE:
<username> – is the username of the identity that you want to pair with your Yubikey
“C28BE4EC86FAAC4B5EFE825947240B2CE03BA4F2” – is the Yubikey hash for the identity above (the CN of the authentication certificate)

The process begins by asking for the Yubikey PIN.

5. If all goes well you should now see a message “Pairing Successful”

You are now ready to use your Yubikey on your Mac

Tested on OSX Catalina 10.15.4 and Yubikey firmware 4.4.5

How to open multiple port forwards with one line using OpenSSH

The solution to this is so simple that I’m probably going to forget it in a couple of days 😉 Going to put it here for me to find next time I forget.

Here it is:

ssh -N -L 12345:localhost:12345 -L 23456:localhost:23456 -L 34567:localhost:34567 user@server

This will set up 3 port forwards: each listed port on your local machine is forwarded to the same port on localhost as seen from the server. Need more ports? Just add another -L option and you are set.

Tested on OpenSSH 7.8p1 and LibreSSL 2.6.2