MATLAB Answers

1

How can I configure MATLAB to allow access to self-signed HTTPS servers?

I am trying to access an HTTPS server with a self-signed certificate from MATLAB. I have tried various methods in various MATLAB releases:
>> urlread('https://self-signed.badssl.com/')
In all MATLAB releases throws:
Error using urlreadwrite (line 98)
Error downloading URL. Your network connection may be down or your proxy settings improperly configured.
Error in urlread (line 36)
[s,status] = urlreadwrite(mfilename,catchErrors,url,varargin{:});
And when trying to use pure Java:
>> u = java.net.URL('https://self-signed.badssl.com/');
>> conn = u.openConnection;
>> conn.connect
I receive:
Java exception occurred:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
(snip)
Further, webread:
>> webread('https://self-signed.badssl.com/')
In MATLAB releases prior to R2016b actually returns the data without any error or warning for this server:
ans =
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" href="/icons/favicon-red.ico"/>
<link rel="apple-touch-icon" href="/icons/icon-red.png"/>
<title>self-signed.badssl.com</title>
<link rel="stylesheet" href="/style.css">
<style>body { background: red; }</style>
</head>
<body>
<div id="content">
<h1 style="font-size: 12vw;">
self-signed.<br>badssl.com
</h1>
</div>
</body>
</html>
But for another server:
>> webread('https://localhost/')
I receive:
Error using readContentFromWebService (line 45)
The server returned the message: "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target" for URL, 'https://localhost/' (with HTTP response code unknown).
Error in webread (line 122)
[varargout{1:nargout}] = readContentFromWebService(connection, options);
And in MATLAB release R2016b:
>> webread('https://self-signed.badssl.com/')
Throws:
Error using webread (line 119)
Could not establish a secure connection to "self-signed.badssl.com". The reason is "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
Check your certificate file (C:\MATLAB\R2016b\sys\certificates\ca\rootcerts.pem) for expired, missing or invalid certificates.
For both servers actually.

Tags

Products


Release

R2016b

7 Answers

Answer by MathWorks Support Team on 27 Sep 2016
Edited by MathWorks Support Team on 27 Sep 2016
 Accepted Answer

Before continuing please note that certificates are used for a reason and an untrusted certificate may indicate that communication with the website that you are trying to access may not be secure; you may even be accessing a different website than you might have expected (also see the further explanations in your webbrowser when trying to access the website).
 
MATLAB verifies HTTPS server certificates in a number of different ways.
 
WHEN YOU ARE WORKING WITH URLREAD/URLWRITE OR JAVA CLASSES DIRECTLY, the verification is basically performed by the JRE in MATLAB. The JRE uses a keystore with trusted certificate authorities to determine which certificates are trusted. I.e. it only accepts certificates which have been signed by a trusted authority and self-signed certificates are not accepted. If you would like to add a (self-signed) certificate or authority to this store, use the following steps:
 
1. Download the certificate using your web browser/operating system as CER-or CRT-file.
 
2. Use the attached MATLAB function to add this certificate as trusted to MATLAB's JRE's keystore. You will need to manually type "yes" when prompted to actually accept the certificate.
 
3. Restart MATLAB after importing the certificate into the keystore.
 
Note that the steps above require read/write permissions for the following file and the directory in which it is located:
fullfile(matlabroot,'sys','java','jre',computer('arch'),'jre','lib','security','cacerts')
This means that you may need to start MATLAB as Administrator/root depending on where MATLAB is installed and the permissions set on this location.
 
WHEN WORKING WITH WEBREAD/WEBWRITE/WEBSAVE, there are two major situations:
 
1. You are connecting to a server with basic or no further authentication whatsoever. In this case webread/webwrite/websave only performs its own verification. But again there two situations:
 
a. In releases prior to R2016b the verification is limited to only verifying that the URL you are accessing matches the CN in the certificate; there is no validation of the certificate's authenticity however. I.e. it accepts self-signed certificates as long as they are valid for the server in question.
 
b. In release R2016b it first verifies the authenticity of the certificates using a keystore similar to- but separate from- the keystore of the JRE mentioned above. I.e. it only accepts certificates which have been signed by a trusted authority. If this validation fails, you receive the error: ERROR: Error using webread (line 119) Could not establish a secure connection to "self-signed.badssl.com". The reason is "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed". Check your certificate file (C:\MATLAB\R2016b\sys\certificates\ca\rootcerts.pem) for expired, missing or invalid certificates.
If you want to access a server with a self-signed certificate anyway you can either:
 
i) Add the certificate to the trusted keystore of webread/webwrite/webstore, see the documentation of weboptions to learn more about this:
 
 
ii) Disable the authenticity verification (i.e. fall back to the behavior in older releases), as noted on the documentation page mentioned above this can be accomplished by setting 'CertificateFilename' to empty: 
>> o = weboptions('CertificateFilename','');
>> webread('https://self-signed.badssl.com/',o)
 
2. You are connecting to a server with authentication other than basic (e.g. NTLM). In this case webread/webwrite/websave first performs the verification described under point 1 but then falls back to using a Java interface which actually also performs its own authentication. If this part fails, you receive the error:  ERROR: Error using readContentFromWebService (line 45) The server returned the message: "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" for URL, 'https://localhost/' (with HTTP response code unknown). Error in webread (line 122) [varargout{1:nargout}] = readContentFromWebService(connection, options);
See the "WHEN YOU ARE WORKING WITH URLREAD/URLWRITE OR JAVA CLASSES DIRECTLY" section above on how to make this Java part trust your self-signed servers.
 
Note that this means that if you want to work with webread, a self-signed HTTPS server with NTLM authentication in MATLAB R2016b, you need to actually add the self-signed certificate in two places: the keystore specified by CertificateFilename (or set this to empty) and the JRE keystore.

  2 Comments

How to import the certificate as mentioned in the following part? 2. Use the attached MATLAB function to add this certificate as trusted to MATLAB's JRE's keystore. You will need to manually type "yes" when prompted to actually accept the certificate.

Sign in to comment.


Answer by Chirag Patel on 9 Mar 2017
Edited by Chirag Patel on 9 Mar 2017

Had same issue in MATLAB R2014b. I was getting error while executing >>webread(url,options)
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solution: Step1: Go to Google Chrome: Access same URL: Download Certificate (call it myCert.cer)
Step2: Download importcert.m and execute >> importcert('myCert.cer')
Step3: Restart MATLAB

  2 Comments

Where can i find the certificate for windows 7?
Open Google Chrome. Click on Three Dots on Right-Top Most Corner, Select More Tools/Developer Tools --> Go to Security Tab --> Select View Certificate --> Go to Details Tab --> Click on Copy to File.

Sign in to comment.


Answer by Marc Jakobi on 28 May 2015
Edited by Marc Jakobi on 28 May 2015

Just in case someone - like I did - had the error message "access denied" while executing the importcert function:
You can also manually copy the cacert file and rename the copy to cacert.org. That way you don't have to go through the hassle of the permission changes.

  0 Comments

Sign in to comment.


Answer by Luv Gadhvi on 17 Mar 2017

Where can I find the certificate for windows 7?

  0 Comments

Sign in to comment.


Answer by Rainer Schneider on 24 Oct 2017

I have another issue with private signed certificates. In my case there is a mismatch of the domain name:
Error using webread (line 119)
The server certificate failed verification. The certificates's domain name "139.25.163.96" does not match the domain name of the host "127.0.0.1".
The suggested solution with importcert did not help in my case. An other hint how I can resolve this issue? In other HTTP libraries there is often the option to ignore the certificate verification completely.

  0 Comments

Sign in to comment.


Answer by Matthias Schaller on 15 Nov 2017

I had the same error while trying to install Matlab.
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I had to add the certificate (we use Cloud Websecurity with SSL Interception which needs a certificate) to the local certstore of the intergrated java applet of the installation routine.
The file is called cacerts and is located in the installation files R2015b_win64\sys\java\jre\win64\jre\lib\security
(Keytool.exe is located in …\R2015b_win64\sys\java\jre\win64\jre\bin)
Adding certificate:
  • Keytool -import -alias CERTNAME -file c:\certificate.crt(you are asked to define password)
and
  • Keytool -keystore ..\lib\security\cacerts -import -alias CERTNAME -file c:\certificate.crt(if password required, try 'changeit')

  0 Comments

Sign in to comment.


Answer by Jerome Blaha on 29 Apr 2018

The above script did not work for older Matlab installs, such as R2007b, as the directory structure is different for the JRE that comes with the older Matlab. Pasting something similar to below into a command prompt, allowed the certificate to be added. However there were new java issues afterward, such as a missing server hello. Hope this helps.
"C:\Program Files\MATLAB\R2007b\sys\java\jre\win64\jre1.6.0\bin\keytool.exe" -import -file C:\temp\My_Downloaded_Cert_from_Chrome.cer -keystore "C:\Program Files\MATLAB\R2007b\sys\java\jre\win64\jre1.6.0\lib\security\cacerts" -storepass changeit

  0 Comments

Sign in to comment.