Salesforce callouts and invalid SSL certs

If you’ve ever attempted to make an SSL callout to an external system from Salesforce, and the endpoint has an invalid, expired, or self-signed certificate, you’ve likely come across this very message:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This could commonly be an issue for a test environment, or a non enterprise setup, for instance.

There is no way to add a self-signed certificate to Salesforce’s keystore. The only option is to go with a widely recognized third party signed certificate. Fortunately, they’re rather inexpensive. You can get a RapidSSL cert from MyDomain for $29/year, or even a one month free trial works in this case. I was able to turn an expired self-signed cert into a valid one in less than one hour following their instructions.

Summary: if you’re getting this issue, get a new cert! It’s cheap and quick to configure.

More info can be found on this discussion board thread.

[Disclaimer: I am a former employee of mydomain.com. I don’t get paid for the referral, I just think it’s a great service.]

This entry was tagged , , . Bookmark the permalink.

5 Responses to Salesforce callouts and invalid SSL certs

  1. Pingback: Tweets that mention http://raydehler.com/cloud/clod/salesforce-callouts-and-invalid-ssl-certs.html -- Topsy.com

  2. David says:

    Thanks for the tip. There’s not a lot of info on callout problems for Salesforce.

    I’ve been struggling with this error over the last few days. And the one thing that’s not clear to me is how having a CA certificate for the calling Salesforce instance makes a difference. And the reason I say that is because I can make the same callout from my desktop using say, Python, and there’s no trouble. Is Salesforce in effect requiring itself to have a certificate in order to make a successful callout?

  3. Ray Dehler says:

    David – not sure, sorry.

  4. Kevin says:

    So please explain it to me. Once we buy the certificate from our CA provider, how do we implement it in Salesforce because I see that to import a certificate in salesforce we first have to download it, verify it then upload it. Secondly, once we buy the certificate and install it on the web service server, is that all that needs to happen? Is there anything pertaining to the certificate that I need to do from the salesforce end?

    Thanks!

Comments are closed.