An error occurred: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
All the wile Visual Studio will be able to connect just fine.
This is almost certainly caused by the fact that your TFS server (or in our case our SSL appliance) isn't serving all SSL certificates in the certificate chain. The Visual Studio version of Team Explorer relies on Windows to verify the certificate chain and will find the missing link. Team Explorer Everywhere relies on Java to verify the certificate chain and it will not go out to download the intermediate certificate(s) on it's own.
You can see that the certificate chain isn't being offered by the webserver through this nifty website that checks your SSL configuration called SSL Labs:
As a temporary workaround you can instruct your local Java Runtime Environment to import the certificate of your TFS server and trust it as if it were a Certificate Authority. Though this works, it's a security risk and you need to apply this to every Java Runtime and SDK on every machine that wants to connect.
C:\Program Files\Java\jre7\bin>keytool -keystore ..\lib\security\cacerts -importcert -file your_servers_cert_file.cer -alias temp-tfs-cert Enter keystore password: changeit
Be sure to remove it when your server has been updated:
C:\Program Files\Java\jre7\bin>keytool -keystore ..\lib\security\cacerts -delete -alias temp-tfs-cert Enter keystore password: changeit
It is a better solution to actually have the underlying issue fixed. The fact that the certificate chain, as served by the server, is broken. After following all the steps on the TFS server and the SSL Appliance to make sure both serve the correct certificate chain, we can now connect Team Explorer Everywhere to TFS without any issues. After this change you should now see the following data on SSL Labs:
And Team Explorer Everywhere will be satisfied and connect to TFS without any further issues.
This fix applies to most Java based applications, so if you're getting a similar error message from Sonar or TeamCity, chances are high that you have one or more missing certificates in your Intermediate Certificate Store.
In order to debug these kinds of issues, one can start Eclipse from the commandline with extended debugging turned on like this:
C:\Program Files\eclipse>java -cp . "-Djavax.net.debug=ssl:record" -jar plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar > %temp%\eclipse_ssl.log