PKIX path building failed remedy
Last updated: July 14, 2025
You may encounter the error code "PKIX path building failed" if you are using Liquibase MongoDB Pro with Amazon DocumentDB TLS/SSL Configuration alongside the AWS extension or the individual AWS Secrets Manager Extension. This is caused by a lack of required certificates in your custom Java Truststore. Follow the guide below to resolve the error.
Error
Unexpected error running Liquibase: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Remedy
Enter this command into the CLI to create a new combined truststore from your default Java CAcerts:
Linux syntax:
keytool -importkeystore -srckeystore "$JAVA_HOME/lib/security/cacerts" -srcstorepass changeit -destkeystore s3-docdb-combined-truststore.jks -deststorepass MyCombinedPassword -nopromptWindows syntax:
keytool -importkeystore -srckeystore "%JAVA_HOME%\lib\security\cacerts" -srcstorepass changeit -destkeystore s3-docdb-combined-truststore.jks -deststorepass MyCombinedPassword -nopromptCopy the new truststore to the same directory as your existing truststore used for Amazon DocumentDB TLS/SSL. In this example, we will copy the new
s3-docdb-combined-truststore.jksto the location ofrds-truststore.jks.Run this command to merge the contents of both truststores into one.
keytool -importkeystore -srckeystore rds-truststore.jks -srcstorepass SOME_PASSWORD -destkeystore s3-docdb-combined-truststore.jks -deststorepass MyCombinedPassword
Run this command to set the JAVA_OPTS Environment Variable for Liquibase to recognize the new truststore:
Linux syntax:
export JAVA_OPTS="-Djavax.net.ssl.trustStore=ABSOLUTE_PATH_TO_TRUSTSTORE/s3-docdb-combined-truststore.jks -Djavax.net.ssl.trustStorePassword=MyCombinedPassword"Windows syntax:
set JAVA_OPTS=-Djavax.net.ssl.trustStore=C:\path\to\s3-docdb-combined-truststore.jks -Djavax.net.ssl.trustStorePassword=MyCombinedPassword