PKIX path building failed: unable to find valid certification path to requested target

altamimi — Fri, 06 Mar 2026 19:24:26 GMT

hello guys ,

i have a tomcat app linux server that connect to central bank endpoint using global protect client to establish the connection , the endpoint is using self signed cert and i get this error

Re: PKIX path building failed: unable to find valid certification path to requested target

JayGolf — Sat, 07 Mar 2026 23:10:29 GMT

Hi @altamimi ,

Let me know if im understanding your setup correctly:

You have a Linux host running a Tomcat app and that host is connected using the GlobalProtect client. In the GP app, you then establish a VPN connection to a Portal/Gateway hosted on the Central Bank network.

Once connected, theTomcat app youre running locally on the linux host needs to connect over to an endpoint on the Central Bank side and that endpoint is using a self-signed cert. However, your connection fails.

If you are getting "PKIX path building failed: unable to find valid certification path to requested target" error on your linux host, then Im suspecting this error is more related to the certificate trust rather than GP and the Security Policies itself. With that being said, what you can do is gather evidence on the Layer 3 and Layer 4 side.

What I would do:

Head to your traffic logs and grab the endpoint URL that the Tomcat app is calling. Resolve that hostname to an IP, then monitor traffic between the Linux host IP and that endpoint IP.

Initiate the call again while watching the traffic logs. Do you see any blocks or drops? Do you see traffic being allowed with bytes sent but none returned? That should help confirm whether the traffic is successfully traversing the firewall or if something in the policy path is interfering.

Now my personal .2: I'm assuming that because you are receiving an error response, the traffic is likely being allowed/routing correctly/successfully traveling through bank network. **However, it is still worth validating ALL traffic flows. It could also be that the application has a dependency other than 443. For example, some applications attempt to reach OCSP or CRL endpoints over port 80 to validate certificates. Be really attentive when monitoring the traffic during troubleshooting to make sure you understand ALL flows.

In the event you find that your firewall is not blocking or dropping the connectivity, that would indicate the traffic is successfully traversing the firewall and the issue likely exists further up the stack.

topic PKIX path building failed: unable to find valid certification path to requested target in General Topics

PKIX path building failed: unable to find valid certification path to requested target

Re: PKIX path building failed: unable to find valid certification path to requested target