Intermittent but regular certificate errors on calls to login.microsoftonline.com

Alex 10 Reputation points
2025-02-12T11:36:14.7933333+00:00

Our SaaS application allows users to authenticate via OIDC. In the last week, we have started to see calls to the well-known endpoint failing with the error:

com.microsoft.aad.msal4j.MsalClientException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is occurring intermittently, but repeatedly. The users are able to refresh the page, and the call to login.microsoftonline.com may then succeed despite coming from the same source only seconds later.

No changes have been made to our systems or architecture at all in the lead-up to these errors occurring. The servers are domain-joined and patched up to date.

Our machines are behind a load balancer, however the certificates are set to pass through. We have also replicated this on machines outside our network using newly-created trust stores with the latest Microsoft SSL certificates added manually. The calls fail intermittently, then succeed. There is no visible pattern.

Does anyone know if there are more widespread problems at the moment?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

Sort by: Most helpful
  1. Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator
    2025-02-18T06:40:59.23+00:00

    Hi Alex,

    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    Based on your query, I understand that you are facing the issue once the SSL certificate has been added manually.

    This error occurs when the certificate is not trusted or found. Recently we have seen such errors with SSL certificates which are having exception errors. These errors come up with connectivity or when the URLs are not reachable.

    I would like to suggest you add the certificate to the trusted root certificates of the client device. You need to make sure to add this certificate to Local Machine -> Trusted Root Certificates. If you would like to do it for all the devices using GPO, you can follow this document.

    As I mentioned, if the URLs are not able to pass your proxy or load balancers, you need to make sure to whitelist the URLs and add them to the trusted sites of your browser. Please follow the steps below:

    1. Open the control panel. Click or double-click the Internet Options icon.
    2. In the Internet Properties window, click the Security tab.
    3. Select Trusted sites and click the Sites button. Type the address of the trusted website in the Add this website to field text box.
    4. Click the Add button and click OK to save the addition to the site.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".


  2. Tynstar81 31 Reputation points
    2025-02-20T12:47:54.87+00:00

    I have seen this in my SaaS application, as well!

    Its backend server uses offline OAuth permissions to make requests to MS Graph. Many of these have failed with the same root cause exception. In the last 7 days, this has happened 78 times. This is only a fraction of the total requests made during that time frame.

    Recently (February 9) I did some digging and found out that the IP addresses that login.microsoftonline.com resolves to do not all use the same certificate. I could identify two sets of servers, each using a different certificate. While https://www.ssllabs.com/ssltest/ said both are valid and claims that the default Java trust stores would accept both, I suspect that one of them really is not.

    Unfortunately, I ran out of time before I could investigate further.

    More info: I am on Java 17.0.14+10 in a dockerized Alpine Linux. I don't use MSAL4J, but the underlying SunCertPathBuilderException is the same one.
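    The observation above (not every address behind login.microsoftonline.com serves the same chain) is exactly what a per-address probe makes visible. The following diagnostic is an added example, not code from the question, either answer, or MSAL4J. It resolves every address for a host, handshakes with each one separately using SNI and hostname verification against a trust store you name, records the chain the server actually sent (even when validation throws), and reports whether the top certificate of that chain is issued by, or is itself, a root held in the store. It assumes a JDK cacerts-style trust store; the default path and the password "changeit" are the JDK's conventional values and are assumptions here.

```java
import java.io.FileInputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ChainProbe {

    /** Captures the chain the server sent, then hands it to the real PKIX trust manager unchanged. */
    static final class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] lastChain;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain;                       // keep the served chain even if validation throws
            delegate.checkServerTrusted(chain, authType);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "login.microsoftonline.com";
        // Trust store under test (assumption: the JDK's cacerts with its conventional default password).
        String storePath = args.length > 1 ? args[1] : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath)) { ks.load(in, storePass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        RecordingTrustManager tm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);

        // Probe each address individually; a mixed trusted/failed result points at a per-server chain difference.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            System.out.println("== " + host + " -> " + addr.getHostAddress());
            tm.lastChain = null;
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
                s.connect(new InetSocketAddress(addr, 443), 5000);
                SSLParameters p = s.getSSLParameters();
                p.setServerNames(List.of(new SNIHostName(host)));   // SNI: request the cert a real client gets
                p.setEndpointIdentificationAlgorithm("HTTPS");      // hostname verification, as HttpClient does
                s.setSSLParameters(p);
                s.startHandshake();                                  // throws SSLHandshakeException on PKIX failure
                System.out.println("   RESULT: trusted");
            } catch (Exception e) {
                System.out.println("   RESULT: FAILED  " + e);
            }
            describe(tm, tm.lastChain);
        }
    }

    /** Prints the served chain and whether its top certificate chains to a root present in the trust store. */
    static void describe(RecordingTrustManager tm, X509Certificate[] chain) {
        if (chain == null) { System.out.println("   (no certificate chain received)"); return; }
        for (X509Certificate c : chain) {
            System.out.println("   subject=" + c.getSubjectX500Principal());
            System.out.println("   issuer =" + c.getIssuerX500Principal() + "  notAfter=" + c.getNotAfter());
        }
        X509Certificate top = chain[chain.length - 1];
        boolean anchored = Arrays.stream(tm.getAcceptedIssuers())
                .anyMatch(ca -> ca.equals(top)
                             || ca.getSubjectX500Principal().equals(top.getIssuerX500Principal()));
        System.out.println("   chain length=" + chain.length + ", top of chain anchored in trust store=" + anchored);
    }
}
```

    Run it with the trust store the application actually uses, for example `java ChainProbe.java login.microsoftonline.com /path/to/app-truststore.jks changeit` (single-file launch works on Java 11 and later). If some addresses report `trusted` and others `FAILED` with `anchored=false`, the missing item is the root (or an intermediate the server omits) for that second chain, which is the certificate to import with `keytool -importcert` rather than the leaf for login.microsoftonline.com. Run it a few times, since the set of addresses returned by DNS and the server chosen behind each address can both change between calls.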


  3. Rob Mackenzie 0 Reputation points
    2025-03-31T06:52:03.6533333+00:00

    Can you please list all the URLs/SSLs that need to be added?

    We are getting the same error but we have added login.microsoftonline.com and m365.cloud.microsoft to our Application Trust Store.

    Thanks,

    Rob

