Apex Callout Fails Due to SunCertPathBuilderException?


Posted on March 23, 2025, in Apex, Salesforce Technical Questions

Question

I am trying to make an Apex callout from Salesforce to an external system hosted inside a corporate firewall. The firewall forwards the request to a load balancer, which then routes it to the appropriate web server.

While the callout works correctly when tested from SOAP UI, it fails in Salesforce with the following exception:

System.HttpRequest[Endpoint=https://someURL/servlet/request, Method=POST]
CALLOUT_REQUEST|System.HttpRequest retrying request in response to handshake failure: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
EXCEPTION_THROWN|System.CalloutException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

The client has stated that they do not provide any certificates, so I am unsure how to resolve this issue. From the logs, it appears that a certificate installation may be required. How can I fix this?

Answer

This error occurs when Salesforce cannot establish a secure connection with the target server due to an issue with its SSL/TLS certificate. There are several possible reasons and solutions:


1. Check the Server’s SSL Configuration

Salesforce requires a valid SSL/TLS certificate to establish a secure connection with external systems. If the server’s SSL configuration is incorrect or outdated, the callout may fail due to certificate validation errors. Testing the server’s SSL setup can help identify issues such as expired certificates, missing intermediate certificates, or unsupported encryption protocols.

2. Untrusted or Self-Signed Certificate

Salesforce only trusts certificates issued by recognized Certificate Authorities (CAs). If the external system uses a self-signed certificate or one from an untrusted CA, Salesforce will reject the connection, resulting in the SunCertPathBuilderException error. To fix this, the external system should obtain and install a certificate from a trusted CA, or you may need to manually upload the certificate into Salesforce under Certificate and Key Management.

3. Missing Certificate in Salesforce

If the external system’s certificate is valid but not recognized by Salesforce, you may need to import it into Salesforce as a CA-signed certificate:

Obtain the certificate file (.crt or .cer) from the external system and ensure it includes the full certificate chain. Then, navigate to Setup > Certificate and Key Management in Salesforce and upload it under CA-Signed Certificates. This allows Salesforce to recognize and trust the external system’s certificate, resolving the SunCertPathBuilderException error.

4. Intermediate Certificate Issues

If the external system’s SSL certificate chain is incomplete, Salesforce may be unable to validate the connection. This typically happens when intermediate certificates are missing, even if the root certificate is trusted. To fix this, ensure the server provides the full certificate chain, including any required intermediate certificates.
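
As an added example (not part of the original post), this Python script reads the "Certificate chain" summary printed by `openssl s_client -showcerts` and reports the chain problems described in sections 2 and 4. The host name, CA names and `TRUSTED_ROOTS` set are constructed stand-ins, and the check compares printed names only.

```python
import re

# Constructed sample (names are made up): "Certificate chain" part of
# `openssl s_client -showcerts` output for a server that sends only its leaf.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = api.example.internal
   i:C = US, O = Example Trust, CN = Example Issuing CA 1
---
"""

# Same server after the intermediate was added to its configuration.
FULL_CHAIN = """\
Certificate chain
 0 s:CN = api.example.internal
   i:C = US, O = Example Trust, CN = Example Issuing CA 1
 1 s:C = US, O = Example Trust, CN = Example Issuing CA 1
   i:C = US, O = Example Trust, CN = Example Root CA
---
"""

# Assumption: stand-in for the caller's trust store (root subject names).
TRUSTED_ROOTS = {"C = US, O = Example Trust, CN = Example Root CA"}


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects = re.findall(r"^\s*\d+ s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s+i:(.*)$", text, re.M)
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]


def diagnose(text, trusted_roots=TRUSTED_ROOTS):
    """List reasons path building could fail. Compares printed names only;
    real validation also checks signatures, validity dates and hostname."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificates found in input"]
    findings = []
    for n, ((_, issuer), (nxt, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != nxt:
            findings.append(f"cert {n} issuer does not match cert {n + 1} subject")
    last_subject, last_issuer = chain[-1]
    if last_issuer not in trusted_roots:
        if last_subject == last_issuer:
            findings.append(f"self-signed and not in trust store: {last_subject}")
        else:
            findings.append(f"issuer not sent and not in trust store: {last_issuer}")
    return findings
```

An empty result for the full chain and an "issuer not sent" finding for the leaf-only chain correspond to the fix in section 4: the server must send its intermediate certificates along with the leaf.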

5. Use a Named Credential

A Named Credential in Salesforce simplifies authentication and certificate management for callouts by securely storing endpoint details, authentication settings, and certificates. Instead of manually handling certificates in Apex, you can configure a Named Credential with mutual authentication, OAuth, or basic authentication. This ensures secure communication while automatically managing certificate validation, reducing the chances of SSL-related errors like SunCertPathBuilderException.

If none of these solutions work, ask the owners of the external system to provide the correct certificate, or verify whether additional firewall settings are blocking Salesforce from accessing the service.
