PKIX path building failed: unable to find valid certification path to requested target

L0 Member

Hello guys,

I have a Tomcat app on a Linux server that connects to a central bank endpoint, using the GlobalProtect client to establish the connection. The endpoint is using a self-signed cert and I get this error.

1 REPLY 1

Community Team Member

Hi @altamimi,

Let me know if I'm understanding your setup correctly:

You have a Linux host running a Tomcat app and that host is connected using the GlobalProtect client. In the GP app, you then establish a VPN connection to a Portal/Gateway hosted on the Central Bank network.

Once connected, the Tomcat app you're running locally on the Linux host needs to connect over to an endpoint on the Central Bank side, and that endpoint is using a self-signed cert. However, your connection fails.

If you are getting the "PKIX path building failed: unable to find valid certification path to requested target" error on your Linux host, then I'm suspecting this error is more related to the certificate trust rather than GP and the Security Policies itself. With that being said, what you can do is gather evidence on the Layer 3 and Layer 4 side.

What I would do:

Head to your traffic logs and grab the endpoint URL that the Tomcat app is calling. Resolve that hostname to an IP, then monitor traffic between the Linux host IP and that endpoint IP.

Initiate the call again while watching the traffic logs. Do you see any blocks or drops? Do you see traffic being allowed with bytes sent but none returned? That should help confirm whether the traffic is successfully traversing the firewall or if something in the policy path is interfering.

Now my personal .02: I'm assuming that because you are receiving an error response, the traffic is likely being allowed/routing correctly/successfully traveling through the bank network. However, it is still worth validating ALL traffic flows. It could also be that the application has a dependency other than 443. For example, some applications attempt to reach OCSP or CRL endpoints over port 80 to validate certificates. Be really attentive when monitoring the traffic during troubleshooting to make sure you understand ALL flows.

In the event you find that your firewall is not blocking or dropping the connectivity, that would indicate the traffic is successfully traversing the firewall and the issue likely exists further up the stack.

 



LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!
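To separate the "further up the stack" trust problem from the Layer 3/4 path, here is an added diagnostic probe written for this thread (it is not from the original post or Jay's reply). Run it on the Linux host with the same JVM that runs Tomcat; `<endpoint-host>` and the port are placeholders for the bank endpoint. It captures the certificate chain the endpoint presents, reports whether the leaf is self-signed, and re-runs the JVM's own PKIX validation so the failure can be reproduced outside Tomcat.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.*;

// Usage: java PkixProbe <endpoint-host> [port]  (host and port are placeholders for the bank endpoint)
public class PkixProbe {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        // The trust anchors Tomcat's JVM uses: cacerts, or the store set via -Djavax.net.ssl.trustStore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager jvmTrust = (X509TrustManager) tmf.getTrustManagers()[0];
        // Recording trust manager: captures the presented chain for inspection during this one
        // diagnostic handshake. No application data is sent; trust is decided explicitly below.
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] chain, String a) { seen[0] = chain; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setServerNames(List.of(new SNIHostName(host))); // SNI so a shared host serves the right cert
            sock.setSSLParameters(params);
            sock.startHandshake();
        }
        X509Certificate[] chain = seen[0];
        for (int i = 0; i < chain.length; i++)
            System.out.printf("[%d] subject=%s%n    issuer=%s%n", i,
                    chain[i].getSubjectX500Principal(), chain[i].getIssuerX500Principal());
        X509Certificate leaf = chain[0];
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        System.out.println("leaf is self-signed (subject == issuer): " + selfSigned);
        // Re-run the path validation the JVM performs; this reproduces the PKIX error when the chain
        // does not end at a trusted anchor. Hostname matching is a separate check not done here.
        try {
            jvmTrust.checkServerTrusted(chain, leaf.getPublicKey().getAlgorithm());
            System.out.println("PKIX path validation: OK against the JVM trust store");
        } catch (CertificateException e) {
            System.out.println("PKIX path validation FAILED: " + e.getMessage());
        }
    }
}
```

A connect timeout or reset before any chain is printed points at the network path Jay describes, while a captured chain that fails validation confirms a trust-store problem. For a self-signed endpoint the usual remedy is to import that exact certificate with `keytool -importcert` into the trust store the Tomcat JVM uses (or a dedicated store selected with `-Djavax.net.ssl.trustStore`), rather than disabling validation in the application.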