Question
I am trying to make an Apex callout from Salesforce to an external system that is hosted inside a corporate firewall. The firewall forwards the request to a load balancer, which then routes it to the appropriate web server. However, when I attempt the callout from Salesforce, I encounter the following error:
System.HttpRequest retrying request in response to handshake failure:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The same request works fine when made from SOAP UI, but it fails from Salesforce. My client has stated that they do not provide any certificates. Based on the logs, it seems like I need to install a certificate, but I am unsure how to proceed. What could be causing this issue, and how can I resolve it?
Answer
This error occurs because the SSL/TLS certificate used by the external system is either not properly configured or not trusted by Salesforce. The SunCertPathBuilderException means that Salesforce is unable to establish a trusted connection with the external server due to certificate validation issues.
Possible Causes and Solutions:
1. The Certificate is Not Issued by a Trusted Certificate Authority (CA)
Salesforce maintains a list of trusted CA certificates. If the certificate used by the external system is not issued by one of these trusted CAs, Salesforce will reject the connection.
Solution:
Check if the certificate used by the external system is issued by a recognized CA. If it is a self-signed certificate, it will not be trusted by Salesforce. The external system should obtain a certificate from a trusted CA like DigiCert, GlobalSign, or Let’s Encrypt.
You can check the list of Salesforce’s trusted CA certificates here:
Setup → Certificate and Key Management → Outbound Messaging SSL CA Certificates
2. Incomplete or Incorrect Certificate Chain
If the external system has not configured its SSL certificate chain correctly, Salesforce might not be able to validate it. This can happen if intermediate certificates are missing.
Solution:
To verify the certificate chain, test the external server’s SSL configuration using these tools:
- SSL Server Test (Qualys)
- DigiCert® SSL Installation Diagnostics Tool
If these tools indicate missing intermediate certificates, the external system must install the complete certificate chain, ensuring that the root certificate, intermediate certificates, and server certificate are all correctly configured.
3. Certificate Not Imported into Salesforce
If the external system is using a private CA, Salesforce will not trust it unless you manually import the necessary certificates.
Solution:
You can import the certificate in Salesforce by following these steps:
- Go to Setup → Certificate and Key Management.
- Click on Import from Keystore if you have a Java KeyStore (JKS) file.
- If you have a .crt or .pem file, go to Create CA-Signed Certificate and upload the certificate manually.
If you are using Named Credentials, make sure that the “Skip Server Certificate Validation” option is disabled, as enabling it will bypass SSL certificate checks and could cause security risks.
4. Firewall or Load Balancer Issues
Since the external system is behind a corporate firewall and uses a load balancer, it is possible that SSL termination is happening at the load balancer, but the correct certificates are not being passed to the web server.
Solution:
Check if SSL termination is happening at the load balancer. Ensure that the load balancer has the correct certificate installed and that it forwards the necessary certificates to the backend web servers.
5. Expired or Revoked Certificate
If the certificate used by the external system is expired or revoked, Salesforce will reject it.
Solution:
Verify the certificate’s expiration date using a browser or an SSL testing tool. If the certificate is expired, the external system must renew and replace it.
Final Steps to Fix the Issue:
- Test the SSL certificate using an online tool to check for issues.
- Ensure the external system uses a certificate from a trusted CA (not self-signed).
- Make sure the complete certificate chain is installed on the external server.
- Import the certificate into Salesforce if using a private CA.
- Verify that the firewall and load balancer are properly handling SSL certificates.
After implementing these fixes, try making the Apex callout again. If the issue persists, provide the results from the SSL diagnostic tools for further troubleshooting.
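The following Go program is an added example, not part of the original question or answer and not Salesforce code: it builds a throw-away root → intermediate → server certificate hierarchy in memory and runs Go's X.509 path validation (standing in for the JVM's PKIX path builder that produced the error above) under each of the misconfigurations listed in causes 1, 2, 3 and 5. The hostname `api.example.internal`, the CA names and all certificates are constructed for the example; nothing is fetched from a network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname for the example; not taken from the original question.
const host = "api.example.internal"

// issue creates a certificate for cn that is signed by parent (self-signed when parent is nil).
// All certificates are valid from 24h ago; notAfter decides whether the result is expired.
func issue(cn string, isCA bool, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-24 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // hostname check needs a SAN, not just the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyChain does what a TLS client does after the handshake: build a path from the leaf,
// through the intermediates the server presented, to a root in the client's trust store.
func verifyChain(leaf *x509.Certificate, presented, trusted []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// Classify maps a verification error onto the causes discussed in the answer.
func Classify(err error) string {
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown-authority" // self-signed, private root not trusted, or intermediate missing
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	}
	return "other"
}

// RunScenarios generates the hierarchy once and reports the verdict for each misconfiguration.
func RunScenarios() map[string]string {
	now := time.Now()
	root, rootKey := issue("Example Root CA", true, now.Add(10*365*24*time.Hour), nil, nil)
	inter, interKey := issue("Example Issuing CA", true, now.Add(5*365*24*time.Hour), root, rootKey)
	leaf, _ := issue(host, false, now.Add(90*24*time.Hour), inter, interKey)
	expiredLeaf, _ := issue(host, false, now.Add(-time.Hour), inter, interKey)
	selfSigned, _ := issue(host, false, now.Add(90*24*time.Hour), nil, nil)
	otherRoot, _ := issue("Unrelated Public Root", true, now.Add(10*365*24*time.Hour), nil, nil)

	trustStore := []*x509.Certificate{root} // what "importing the CA" into Salesforce amounts to
	chain := []*x509.Certificate{inter}     // what a correctly configured server sends alongside the leaf

	return map[string]string{
		"root trusted, full chain sent":      Classify(verifyChain(leaf, chain, trustStore)),
		"cause 1: self-signed server cert":   Classify(verifyChain(selfSigned, nil, trustStore)),
		"cause 2: intermediate not sent":     Classify(verifyChain(leaf, nil, trustStore)),
		"cause 3: private root not imported": Classify(verifyChain(leaf, chain, []*x509.Certificate{otherRoot})),
		"cause 5: leaf certificate expired":  Classify(verifyChain(expiredLeaf, chain, trustStore)),
	}
}

func main() {
	for name, verdict := range RunScenarios() {
		fmt.Printf("%-36s %s\n", name, verdict)
	}
}
```

Three of the four failures collapse into the same "unknown authority" verdict, which is exactly why the Salesforce error alone cannot tell you whether the root is untrusted, the intermediate is missing, or the certificate is self-signed; the chain the server actually presents (from an SSL test tool) is what separates them, while an expired certificate is reported distinctly.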