SSL handshake exception

I am using Java with Maven packages:
jwks-rsa 0.9.0
java-jwt 3.8.3

Java Eclipse
Execution environment: JavaSE-1.8 (jdk1.8.0_111)

My organization has Auth0 services implemented on different environments from Liberty server to IBM WebSphere. Each is on its own server. Recently, when attempting to verify our tokens via a method (listed below), we are getting the below error on all environments. We have added our certificates (months ago), and when attempting to add them now it says they already exist, so I’m sure that the certificates have been added. Has Auth0 recently changed its policies on certificates? We are not using SSL and the below error is even happening on localhost. Below the error is the method that is throwing the exception, called “IsValidToken()”.
The error occurs on the line:

Jwk jwk = provider.get(kid);


Error: Cannot obtain jwks from url https://dev-q7dj12vg.auth0.com/.well-known/jwks.json.

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

public static String IsValidToken(String token) throws Exception
{
	boolean isValid = false;
	
	try
	{
		//deconstruct the token to get the individual parts.
		DecodedJWT jwt = JWT.decode(StripBearerFromToken(token));
		
		//set the KeyID
		String kid = jwt.getKeyId();
		
		//get the provider from the issuer field
		JwkProvider provider = new UrlJwkProvider(jwt.getIssuer());
		Jwk jwk = provider.get(kid);
		
		//create a public key from the JWK
		RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();
		
		//create an algorithm from the public key.
		Algorithm algorithm = Algorithm.RSA256(publicKey, null);
		
		//Create a verifier to check the integrity of the token
		JWTVerifier verifier = JWT.require(algorithm)
				.withIssuer(jwt.getIssuer())
				.build();
		
		//if the token is good it will return an object of type DecodedJWT.
		DecodedJWT jwkD = verifier.verify(StripBearerFromToken(token));
		if(jwkD != null)
		{
			return "";
		}else
		{
			throw new Exception("Error: Token is invalid. Returned Null from verifier.");
		}
	}
	catch(JWTVerificationException exception)
	{
		//if an error occurs return the error.
		return "Error: " + exception.getMessage();
	}
}

Hello CCGUser,

Were you able to resolve this issue? Authentication used to work fine but suddenly it stopped working 2 days ago and I am unable to figure out what happened.

Hi CCGUser and kashif.khan

Did either of you have any luck fixing this issue?

I have the same issue. Everything was working fine, but now I’m suddenly unable to obtain jwks from the .well-known/jwks.json URL. Strangely enough the request works fine over http instead of https. Perhaps some sort of certificate issue?

So after a bit of testing I’ve narrowed the issue down to a problem with the SSL cert. This fails (Python):

jsonurl = urlopen(f"https://{os.environ['AUTH0_DOMAIN']}/.well-known/jwks.json")

But when I try the same call without verifying the SSL certificate it succeeds:

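import os
import ssl
from urllib.request import urlopen

# Diagnostic only: this context skips certificate and hostname verification.
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
jsonurl = urlopen(f"https://{os.environ['AUTH0_DOMAIN']}/.well-known/jwks.json", context=ctx)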
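
An alternative to the CERT_NONE test above, as an added example that is not part of the original thread: it keeps certificate and hostname verification on, reports why verification failed and which CA bundle Python is using, and lets one specific CA be trusted explicitly. The function names, the `extra_ca_file` parameter and the hint texts are assumptions of this example.

```python
import json
import ssl
from urllib.error import URLError
from urllib.request import urlopen

# OpenSSL X509 verify codes mapped to likely causes (hint wording is this example's own).
HINTS = {
    10: "certificate has expired, or the local clock is wrong",
    18: "server presented a self-signed certificate",
    19: "a private or TLS-inspecting-proxy root is in the chain; trust it explicitly",
    20: "issuing CA is missing from the local trust store, or the store is outdated",
    21: "server did not send its intermediate certificate",
    62: "certificate does not match the host name; check the configured domain",
}


def verifying_context(extra_ca_file=None):
    """Context that keeps CERT_REQUIRED and hostname checks, optionally trusting one more CA."""
    ctx = ssl.create_default_context()
    if extra_ca_file:
        # Adds to the default trust anchors instead of switching verification off.
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


def explain_failure(exc):
    """Turn an ssl.SSLCertVerificationError into an actionable message."""
    code = getattr(exc, "verify_code", None)
    detail = getattr(exc, "verify_message", str(exc))
    paths = ssl.get_default_verify_paths()
    return (f"TLS verification failed (code {code}: {detail}). "
            f"Likely cause: {HINTS.get(code, 'see the OpenSSL verify code')}. "
            f"Default CA file: {paths.cafile}, CA dir: {paths.capath}")


def fetch_jwks(domain, extra_ca_file=None, timeout=10):
    """Fetch the JWKS document with verification on; explain certificate failures."""
    url = f"https://{domain}/.well-known/jwks.json"
    ctx = verifying_context(extra_ca_file)
    try:
        with urlopen(url, context=ctx, timeout=timeout) as resp:
            return json.load(resp)
    except URLError as err:
        # urllib wraps the TLS error; the original is in err.reason.
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            raise RuntimeError(explain_failure(err.reason)) from err
        raise
```

Call it as `fetch_jwks(os.environ['AUTH0_DOMAIN'])`; if the message points to a private or proxy root, pass that root's PEM file as `extra_ca_file` rather than disabling verification.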

Did this get solved?