MATLAB Answers

How can I configure MATLAB to allow access to self-signed HTTPS servers?

579 views (last 30 days)
I am trying to access an HTTPS server with a self-signed certificate from MATLAB. I have tried various methods in various MATLAB releases:
>> urlread('https://self-signed.badssl.com/')
In all MATLAB releases throws:
Error using urlreadwrite (line 98)
Error downloading URL. Your network connection may be down or your proxy settings improperly configured.
Error in urlread (line 36)
[s,status] = urlreadwrite(mfilename,catchErrors,url,varargin{:});
And when trying to use pure Java:
>> u = java.net.URL('https://self-signed.badssl.com/');
>> conn = u.openConnection;
>> conn.connect
I receive:
Java exception occurred:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
(snip)
Further, webread:
>> webread('https://self-signed.badssl.com/')
In MATLAB releases prior to R2016b actually returns the data without any error or warning for this server:
ans =
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" href="/icons/favicon-red.ico"/>
<link rel="apple-touch-icon" href="/icons/icon-red.png"/>
<title>self-signed.badssl.com</title>
<link rel="stylesheet" href="/style.css">
<style>body { background: red; }</style>
</head>
<body>
<div id="content">
<h1 style="font-size: 12vw;">
self-signed.<br>badssl.com
</h1>
</div>
</body>
</html>
But for another server:
>> webread('https://localhost/')
I receive:
Error using readContentFromWebService (line 45)
The server returned the message: "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target" for URL, 'https://localhost/' (with HTTP response code unknown).
Error in webread (line 122)
[varargout{1:nargout}] = readContentFromWebService(connection, options);
And in MATLAB release R2016b:
>> webread('https://self-signed.badssl.com/')
Throws:
Error using webread (line 119)
Could not establish a secure connection to "self-signed.badssl.com". The reason is "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
Check your certificate file (C:\MATLAB\R2016b\sys\certificates\ca\rootcerts.pem) for expired, missing or invalid certificates.
For both servers actually.

Accepted Answer

MathWorks Support Team
MathWorks Support Team on 19 Jun 2019
Edited: MathWorks Support Team on 19 Jun 2019
Before continuing please note that certificates are used for a reason and an untrusted certificate may indicate that communication with the website that you are trying to access may not be secure; you may even be accessing a different website than you might have expected (also see the further explanations in your webbrowser when trying to access the website).
MATLAB verifies HTTPS server certificates in a number of different ways.
WHEN YOU ARE WORKING WITH URLREAD/URLWRITE OR JAVA CLASSES DIRECTLY, the verification is basically performed by the JRE in MATLAB. The JRE uses a keystore with trusted certificate authorities to determine which certificates are trusted. I.e. it only accepts certificates which have been signed by a trusted authority and self-signed certificates are not accepted. If you would like to add a (self-signed) certificate or authority to this store, use the following steps:
1. Download the certificate using your web browser/operating system as CER-or CRT-file.
2. Use the attached MATLAB function to add this certificate as trusted to MATLAB's JRE's keystore. You will need to manually type "yes" when prompted to actually accept the certificate.
3. Restart MATLAB after importing the certificate into the keystore.
Note that the steps above require read/write permissions for the following file and the directory in which it is located:
fullfile(matlabroot,'sys','java','jre',computer('arch'),'jre','lib','security','cacerts')
This means that you may need to start MATLAB as Administrator/root depending on where MATLAB is installed and the permissions set on this location.
WHEN WORKING WITH WEBREAD/WEBWRITE/WEBSAVE, there are two major situations:
1. You are connecting to a server with basic or no further authentication whatsoever. In this case webread/webwrite/websave only performs its own verification. But again there two situations:
a. In releases prior to R2016b the verification is limited to only verifying that the URL you are accessing matches the CN in the certificate; there is no validation of the certificate's authenticity however. I.e. it accepts self-signed certificates as long as they are valid for the server in question.
b. In release R2016b it first verifies the authenticity of the certificates using a keystore similar to- but separate from- the keystore of the JRE mentioned above. I.e. it only accepts certificates which have been signed by a trusted authority. If this validation fails, you receive the error: ERROR: Error using webread (line 119) Could not establish a secure connection to "self-signed.badssl.com". The reason is "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed". Check your certificate file (C:\MATLAB\R2016b\sys\certificates\ca\rootcerts.pem) for expired, missing or invalid certificates.
If you want to access a server with a self-signed certificate anyway you can either:
i) Add the certificate to the trusted keystore of webread/webwrite/webstore, see the documentation of weboptions to learn more about this:
ii) Disable the authenticity verification (i.e. fall back to the behavior in older releases), as noted on the documentation page mentioned above this can be accomplished by setting 'CertificateFilename' to empty:
>> o = weboptions('CertificateFilename','');
>> webread('https://self-signed.badssl.com/',o)
2. You are connecting to a server with authentication other than basic (e.g. NTLM). In this case webread/webwrite/websave first performs the verification described under point 1 but then falls back to using a Java interface which actually also performs its own authentication. If this part fails, you receive the error: ERROR: Error using readContentFromWebService (line 45) The server returned the message: "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" for URL, 'https://localhost/' (with HTTP response code unknown). Error in webread (line 122) [varargout{1:nargout}] = readContentFromWebService(connection, options);
See the "WHEN YOU ARE WORKING WITH URLREAD/URLWRITE OR JAVA CLASSES DIRECTLY" section above on how to make this Java part trust your self-signed servers.
Note that this means that if you want to work with webread, a self-signed HTTPS server with NTLM authentication in MATLAB R2016b, you need to actually add the self-signed certificate in two places: the keystore specified by CertificateFilename (or set this to empty) and the JRE keystore.
Note: Above script did not work for older MATLAB installs, such as R2007b, as the directory structure is different for the JRE that comes with the older MATLAB. Pasting something similar to below into a command prompt, allowed the certificate to be added. However there were new java issues afterward, such as a missing server hello.
"C:\Program Files\MATLAB\R2007b\sys\java\jre\win64\jre1.6.0\bin\keytool.exe" -import -file C:\temp\My_Downloaded_Cert_from_Chrome.cer -keystore "C:\Program Files\MATLAB\R2007b\sys\java\jre\win64\jre1.6.0\lib\security\cacerts" -storepass changeit

  2 Comments

chuanyan WU
chuanyan WU on 14 Jun 2017
How to import the certificate as mentioned in the following part? 2. Use the attached MATLAB function to add this certificate as trusted to MATLAB's JRE's keystore. You will need to manually type "yes" when prompted to actually accept the certificate.

Sign in to comment.

More Answers (7)

Chirag Patel
Chirag Patel on 9 Mar 2017
Edited: Chirag Patel on 9 Mar 2017
Had same issue in MATLAB R2014b. I was getting error while executing >>webread(url,options)
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solution: Step1: Go to Google Chrome: Access same URL: Download Certificate (call it myCert.cer)
Step2: Download importcert.m and execute >> importcert('myCert.cer')
Step3: Restart MATLAB

  2 Comments

Chirag Patel
Chirag Patel on 24 Mar 2017
Open Google Chrome. Click on Three Dots on Right-Top Most Corner, Select More Tools/Developer Tools --> Go to Security Tab --> Select View Certificate --> Go to Details Tab --> Click on Copy to File.

Sign in to comment.


Marc Jakobi
Marc Jakobi on 28 May 2015
Edited: Marc Jakobi on 28 May 2015
Just in case someone - like I did - had the error message "access denied" while executing the importcert function:
You can also manually copy the cacert file and rename the copy to cacert.org. That way you don't have to go through the hassle of the permission changes.

  1 Comment

Sign in to comment.


Luv Gadhvi
Luv Gadhvi on 17 Mar 2017
Where can I find the certificate for windows 7?

  0 Comments

Sign in to comment.


Rainer Schneider
Rainer Schneider on 24 Oct 2017
I have another issue with private signed certificates. In my case there is a mismatch of the domain name:
Error using webread (line 119)
The server certificate failed verification. The certificates's domain name "139.25.163.96" does not match the domain name of the host "127.0.0.1".
The suggested solution with importcert did not help in my case. An other hint how I can resolve this issue? In other HTTP libraries there is often the option to ignore the certificate verification completely.

  1 Comment

BA
BA on 28 Apr 2019
Have you found a solution for your problem? Do have the same issue.

Sign in to comment.


Matthias Schaller
Matthias Schaller on 15 Nov 2017
I had the same error while trying to install Matlab.
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I had to add the certificate (we use Cloud Websecurity with SSL Interception which needs a certificate) to the local certstore of the intergrated java applet of the installation routine.
The file is called cacerts and is located in the installation files R2015b_win64\sys\java\jre\win64\jre\lib\security
(Keytool.exe is located in …\R2015b_win64\sys\java\jre\win64\jre\bin)
Adding certificate:
  • Keytool -import -alias CERTNAME -file c:\certificate.crt(you are asked to define password)
and
  • Keytool -keystore ..\lib\security\cacerts -import -alias CERTNAME -file c:\certificate.crt(if password required, try 'changeit')

  0 Comments

Sign in to comment.


Jerome Blaha
Jerome Blaha on 29 Apr 2018
The above script did not work for older Matlab installs, such as R2007b, as the directory structure is different for the JRE that comes with the older Matlab. Pasting something similar to below into a command prompt, allowed the certificate to be added. However there were new java issues afterward, such as a missing server hello. Hope this helps.
"C:\Program Files\MATLAB\R2007b\sys\java\jre\win64\jre1.6.0\bin\keytool.exe" -import -file C:\temp\My_Downloaded_Cert_from_Chrome.cer -keystore "C:\Program Files\MATLAB\R2007b\sys\java\jre\win64\jre1.6.0\lib\security\cacerts" -storepass changeit

  0 Comments

Sign in to comment.


Sanjeev Sharma
Sanjeev Sharma on 4 Jun 2019
Edited: Sanjeev Sharma on 4 Jun 2019
I tried the methods in the above posts. Basically I copied the appropriate certificates to "C:\MATLAB\R2019a\sys\java\jre\win64\jre\lib\security\cacerts" and ''C:\MATLAB\R2019a\sys\certificates\ca\rootcerts.pem"
It made my 'urlread' and 'webread' functions to work. They were not working before.
However this was not my primary goal. My goal was to get the MATLAB Add-Ons manager working and install some package. The 'Get Add-Ons' tools is still complaining "Unable to open the requested feature. Check your internet connection and proxy settings in MATLAB Web preferences and then try starting the feature again." I already have proxy server set correctly. Is something else needed to use the Add-Ons tool?

  0 Comments

Sign in to comment.

Sign in to answer this question.

Tags

Products


Release

R2016b