SSL Handshake Error when Installing Portal from Axon Ivy Market

ikdb

Hi everyone,

I’m currently facing persistent SSL issues when trying to install the Axon Ivy Portal (12.0.7) or other market artifacts from within the Axon Ivy Designer.

Here’s what I’ve done so far — maybe someone can spot what’s still missing:

🔍 Environment

Axon Ivy Designer 12.0.7

Windows 10

Company network with proxy and SSL interception

Proxy host: proxy01.company.local:8080

❗ The Problem

Whenever I try to install the Portal, I get this error:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

🧰 Steps I Already Tried

Exported all related SSL certificates from my browser:

proxy-root.crt (company root CA)

DE51977X_PA_SUB.crt (intermediate)

DE51977XS10000.crt (root)

maven.axonivy.com

developer.axonivy.com

*.axonivy.com (wildcard)

Imported them all into the Designer’s JRE keystore using keytool:

I confirmed they are visible with:

keytool -list -v -keystore ... | find "axonivy"

→ All certificates are listed.

Restarted the Designer each time after import.

Also configured the proxy in the AxonIvyDesigner.ini:

-Dhttp.proxyHost=proxy01.company.local
-Dhttp.proxyPort=8080
-Dhttps.proxyHost=proxy01.company.local
-Dhttps.proxyPort=8080
-Dhttp.nonProxyHosts=localhost|127.0.0.1

✅ Current Situation

Maven builds from the command line now work successfully
(mvn clean install runs without PKIX errors).
However, the Axon Ivy Designer still throws SSL handshake errors when I try to install the Portal via
Help → Install Axon Ivy Add-ons.

💭 Question

Is there an additional trust store or specific configuration that the Designer uses (separate from its JRE/cacerts) for Market communication?
Or is there another known step required for environments with SSL interception (corporate proxies)?

Any hint would be appreciated — I’ve followed the Resolving SSL Certificate Issues
guide by Elio Di Puma step by step, but the Designer still doesn’t trust the Axon Ivy Market.

Thanks in advance 🙏

NqHoan(Octopus)

Thank @ikdb for reporting the issue!
I'm from the Axonivy market team. Could you help me verify the output of https://market.axonivy.com/marketplace-service/api/product-details/portal/12.0.9/json?designerVersion=12.0.10
Can your web browser display data from that link? The content must be like below:

One more thing: could you also access https://market.axonivy.com/portal, and then try to download any version?

ikdb

First of all, thank you very much for your time. Yes, I can download it through the browser; however, downloading it directly from the Axon Ivy Market does not work. The output from the link can be seen in the picture below.

mhoffmann

Given that you can define several JVMs in Eclipse to execute something, this might be related to a wrong setup of the designer itself.

The SSL cert used by Axon Ivy's maven server seem to be signed by Amazon RSA 2048 M03 / Amazon Root CA 1 - these are contained in the cacerts in every halfway recent common JDK.

Designer: jre\lib\security\cacerts

When you say "command line now works", what do you mean by it? That you cmd into your project folder and run the command from outside Axon Ivy? Then you're using your system's default java installation unless you modified the PATH variables before.

You can find your used command line Java installation by either looking at the variables in the GUI (Windows) or by using one of the following commands (Source @ stackoverflow.com):

Unix / Apple:

which java

Windows:

for %i in (java.exe) do @echo. %~$PATH:i

However, this will most likely tell you that it's using a different Java installation than Axon Ivy.

My steps to proceed would be:

Remove the manually added SSL certs for Axon Ivy's maven
Verify your designer's JRE:

Window > Preferences > Java > Installed JREs:

Try to reproduce the error from the command line by modifying your JAVA_HOME and PATH variable to point to Axon Ivy's JRE.

My guess is that the error masks that your proxy is not working properly within the designer. You're most likely getting this error because the proxy returns not the site you wanted to access, but rather something else (maybe some default error page / welcome page from the proxy itself). If this was ruled out and it's really related to the cacerts, either your installation got corrupted or something with the effectively used JRE is wrong.

In the end: I wouldn't bother with it if it's about the Market only, since there's no return on your time invested. Just download your dependencies via the Browser and import them manually or from existing workspaces. However, as soon as you try to access external resources, you might run into this issue again and therefore it might be worth solving as a general issue.

ikdb

mhoffmann Thank you! This helped a lot