#22085 closed defect (othersoftware)
Error getting layers: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Reported by: | anonymous | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Core imagery | Version: | latest |
Keywords: | Cc: |
Description
Hi team,
When trying to pull imagery from:
JOSM cannot read. From past tickets with this error, it seems that you always claimed the error was not from JOSM.
The site is behind Cloudflare CDN and I do not think there is any issue with their SSL/TLS because access has no problem in every other browser.
IBM Semeru JRE
Revision:18427
Build-Date:2022-04-05 19:23:14
Identification: JOSM/1.5 (18427 en) Windows 10 64-Bit
OS Build number: Windows 10 Pro 2009 (19044)
Memory Usage: 456 MB / 4078 MB (322 MB allocated, but free)
Java version: 17.0.2+8-LTS, Azul Systems, Inc., OpenJDK 64-Bit Server VM
Look and Feel: com.sun.java.swing.plaf.windows.WindowsLookAndFeel
Screen: \Display0 2560×1440 (scaling 1.00×1.00)
Maximum Screen Size: 2560×1440
Best cursor sizes: 16×16→32×32, 32×32→32×32
System property file.encoding: Cp1252
System property sun.jnu.encoding: Cp1252
Locale info: en_US
Numbers with default locale: 1234567890 -> 1234567890
VM arguments: [-Djpackage.app-version=1.5.18427, --add-modules=java.scripting,java.sql,javafx.controls,javafx.media,javafx.swing,javafx.web, --add-exports=java.base/sun.security.action=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED, --add-opens=java.base/java.lang=ALL-UNNAMED, --add-opens=java.base/java.nio=ALL-UNNAMED, --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED, --add-opens=java.base/jdk.internal.ref=ALL-UNNAMED, --add-opens=java.desktop/javax.imageio.spi=ALL-UNNAMED, --add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED, --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED, -Djpackage.app-path=%UserProfile%\AppData\Local\JOSM\JOSM.exe]
Plugins:
+ ImportImagePlugin (35893)
+ PicLayer (1.0.2)
+ apache-commons (35924)
+ ejml (35924)
+ geotools (35959)
+ imagery_offset_db (35893)
+ jackson (35958)
+ jaxb (35952)
+ jts (35924)
+ log4j (35924)
+ opendata (35910)
+ reverter (35893)
+ turnrestrictions (35893)
+ utilsplugin2 (35951)
Last errors/warnings:
- 00000.336 W: extended font config - overriding 'filename.Myanmar_Text=mmrtext.ttf' with 'MMRTEXT.TTF'
- 00000.339 W: extended font config - overriding 'filename.Mongolian_Baiti=monbaiti.ttf' with 'MONBAITI.TTF'
- 00002.745 E: java.security.KeyStoreException: Windows-ROOT not found. Cause: java.security.NoSuchAlgorithmException: Windows-ROOT KeyStore not available
Attachments (0)
Change History (6)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
I'm not interested in any comments above.
You cannot tell me everyone on Cloudflare has a vulnerability by default.
comment:3 by , 3 years ago
TBH, this is a very annoying issue from JOSM, not any other parties.
An intermediate certificate is not a must-have. Qualys is a joke company that has been breached several times.
comment:4 by , 3 years ago
https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AIA
"It is disabled by default for compatibility". It is just horrible.
comment:5 by , 3 years ago
Resolution: | → othersoftware |
---|---|
Status: | new → closed |
A broken chain is not a vulnerability but simply a misconfiguration. That browsers started to include each and every intermediate certificate to overcome the broken hosts was a bad decision. Now misconfigured hosts are seen as valid because of this.
Anyway, JOSM will not start to handle certificate lists on its own.
If you find JOSM so annoying simply don't use it. Ciao.
Looking at https://www.ssllabs.com/ssltest/analyze.html?d=imagery.gis.in.gov, this appears to be another broken certificate chain issue.
See comment:14:ticket:21592 for a potentially insecure workaround.
See comment:20:ticket:21592 for why we will not be working around missing intermediate certificates.
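The broken-chain condition discussed in this ticket can be reproduced offline with the `openssl` CLI. This is an added example, not part of the ticket or of JOSM: it builds a constructed root, intermediate and leaf, then verifies the leaf as a client that trusts only the root, once without and once with the intermediate supplied. All subject names are made up, and it assumes `openssl` is installed.

```bash
#!/usr/bin/env bash
# Constructed demo (all names and certificates are made up):
# root CA -> intermediate CA -> leaf, then verify the leaf the way a client does.

# Create an RSA key and CSR for subject CN=$2, written as $1.key / $1.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# Build the three-certificate chain inside directory $1 (runs in a subshell)
build_demo_chain() (
  cd "$1" || exit 2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  new_csr root  "Demo Root CA"         || exit 2
  new_csr inter "Demo Intermediate CA" || exit 2
  new_csr leaf  "imagery.example.test" || exit 2
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null || exit 2
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null || exit 2
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null || exit 2
)

# Verify leaf.pem in directory $1 while trusting only the root.
#   leaf-only  : server sent just its own certificate (the misconfiguration)
#   full-chain : server also sent the intermediate (correct configuration)
verify_leaf() {
  case "$2" in
    leaf-only)  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" ;;
    full-chain) openssl verify -CAfile "$1/root.pem" \
                  -untrusted "$1/inter.pem" "$1/leaf.pem" ;;
    *) return 2 ;;
  esac >/dev/null 2>&1
}

demo=$(mktemp -d)
build_demo_chain "$demo"
verify_leaf "$demo" leaf-only  && echo "leaf-only:  OK" \
  || echo "leaf-only:  FAILED (unable to get local issuer certificate)"
verify_leaf "$demo" full-chain && echo "full-chain: OK" || echo "full-chain: FAILED"
rm -rf "$demo"
```

The leaf-only failure is OpenSSL's counterpart to the `PKIX path building failed` error in the ticket title; the fix on the server side is to serve the intermediate along with the leaf.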