Moneydance+ PKIX Path Building Failed
I transferred my Moneydance file from a home laptop to my work laptop as I am on the road. Both are Windows 10 PCs. The transfer was done using normal file copy from {User}\.moneydance\documents, not backup/restore. On both computers I had run the Moneydance 2024.2 installer which appeared to be successful.
I tried for the first time to sync with Moneydance+ today and it fails repeatedly with "javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
I have ruled out the VPN on the work computer (ZScaler) from causing the issue. My home laptop has NordVPN but worked correctly before I went on the road.
I attempted to re-sync Moneydance+, but it won't even launch the browser to start the process, giving the same PKIX error.
What are some possible causes? The error log is attached. Because it is December 31st, it's possible there is some sort of certificate expiration issue, maybe the issue will go away tomorrow. I ran the installer on the work laptop, so if there was some need for a certificate to be installed that was on the home computer, it should have been accomplished by the installer, no?
Thanks in advance for any help you can provide!
- errlog.txt 67.3 KB
1 Posted by kmenningen on 01 Jan, 2025 03:11 PM
Today 1/1/2025 I am receiving the same error for Moneydance+ (Plaid) accounts, but the old-style OFX accounts are able to download transactions.
2 Posted by kmenningen on 03 Jan, 2025 10:52 PM
Still having this issue 1/3/2025. Due to this certificate error, I'm also experiencing the same issue as this one, I can't install or see any extensions:
https://infinitekind.tenderapp.com/discussions/problems/101008-im-unable-to-download-any-extensions
Perhaps my work laptop is missing a certificate that isn't provided in the Moneydance installer? Are there any other log files I can provide?
3 Posted by kmenningen on 04 Jan, 2025 04:43 PM
Still having this issue 1/4/2025. However, I was able to install and run Moneydance normally on a remote desktop computer, including Moneydance+ downloads and extensions. Everything works on the desktop.
Therefore, it's something to do with the laptop, which is configured by my company's IT department. Is there a knowledge base article on the certificate configuration needed to obtain extensions and use Moneydance+?
Support Staff 4 Posted by Maddy on 05 Jan, 2025 05:07 PM
Hi,
We are sorry to hear about the problem you have encountered.
Would you be available for a screen-sharing session?
This will allow us to log in to your system, to see what is happening. We can communicate in real-time and hopefully this will help us get to the bottom of what might be causing the problem.
If you are happy to do this, please choose a suitable time slot using this link.
Thank you
--
Maddy, Infinite Kind Support
5 Posted by kmenningen on 06 Jan, 2025 02:58 PM
Thanks, Maddy, but no I'm not available for a screen-sharing session. Only my IT department is allowed to do that on my work computers.
The PKIX path issue basically has to do with a certificate chain that begins with one or more of the certificates in Moneydance in the "cacerts" file in folder jre/lib/security. The chain then progresses towards the root certificate, but there's a missing link in the chain on my work laptop that exists on my work desktop (which works fine). All we need to do (I think) is identify which certificate is missing from the laptop, and I should be able to transfer that certificate from the desktop to the laptop. To identify that missing link, we just need to know what certificates are contained in the "cacerts" file, and/or which certificate is used for both Moneydance+ and the exports.
Support Staff 6 Posted by Maddy on 06 Jan, 2025 03:23 PM
Usually the error you have reported can be caused by a number of reasons, including a very intrusive corporate VPN+proxy or malware, hence my suggestion to involve the lead developer who could guide you through in real time and provide further insight.
--
Maddy, Infinite Kind Support
Support Staff 7 Posted by Sean Reilly on 07 Jan, 2025 09:47 AM
Hi Kevin,
It's great to hear from you and I hope you're doing well!
The certificates are all fine, and working normally, as are the root and intermediate certificates that are bundled with the Moneydance JVM. Usually in these cases there is something in the system that is blocking or redirecting http/s connections, and I expect that with your IT-managed laptop that is probably the case.
The first thing to check is whether you can load https://mdplus.infinitekind.com/tik/me using your web browser. If that works, then the server certificates are all fine (they are). Secondly, if you can, try using 'curl' or 'wget' commands to retrieve that same URL. My understanding is that those commands don't use the system proxy settings and so should have a similar error as moneydance when trying to retrieve that URL. If that's the case, then the problem is definitely that moneydance is not connecting through your proxy (or at least not correctly).
Can you let me know the results?
Also, I see your recent subscription was renewed or started in late November, which I've extended for another year (until late November 2026). Sorry about the trouble with Moneydance+!
Thanks,
Sean
--
Sean Reilly
Developer, The Infinite Kind
https://infinitekind.com
8 Posted by kmenningen on 07 Jan, 2025 02:06 PM
Hi Sean & Maddy,
Yes, I'm doing well. My goal in 2025 is to switch my home computer to Linux to avoid Windows 11 (definitely not going there!), thus I'm back in the Moneydance camp!
> The first thing to check is whether you can load https://mdplus.infinitekind.com/tik/me using your web browser.
I can, see the attached file Mdplus_page.png.
> Secondly, if you can, try using 'curl' or 'wget' commands to retrieve that same URL.
> Can you let me know the results?
I can, see attached curl_command_line.txt and curl_output.txt. No errors.
I retested MD+ account downloads and listing the extensions on the laptop, and it still fails. So, the certificates are fine, and curl seems to work. The VPN software used on the laptop is ZScaler, and I know that it uses NAT as part of its strategy. That said, I turned it off and rebooted, verified it was still off, then tried again in MD and it fails. So, there's something about ZScaler or Group Policy that's preventing MD from working.
At this point I'm ready to give up and resign myself to using remote desktop to use MD and sync the backup files to the laptop. It's clumsy and there's an extra point of failure if I can't reach the desktop, but I only have 8 days left on the road. If you would like to pursue additional testing in order to improve the support knowledge base about ZScaler, I'm happy to assist.
> which I've extended for another year (until late November 2026)
Thanks very much, Sean! I appreciate that. :)
Best regards,
--Kevin
Support Staff 9 Posted by Maddy on 07 Jan, 2025 02:49 PM
Can you verify that the system clock on your computer is updated and time zone is correct?
--
Maddy, Infinite Kind Support
10 Posted by kmenningen on 07 Jan, 2025 04:10 PM
Yes, verified. I'm on the road but stayed in the same time zone. Time sync source is my company's domain controller.
11 Posted by kmenningen on 07 Jan, 2025 05:12 PM
I've discovered that I can't really turn ZScaler VPN off. I can turn off the VPN part of it and no longer access company servers, but the ZScaler services are still running in the background and can't be stopped. I tried several approaches that all failed. One or more of these ZScaler services are interfering with the web queries in MD and causing the PKIX path error.
I think we can conclude that Moneydance+ and extensions are incompatible with ZScaler and if you can't stop ZScaler services, you'll need to find a different computer to run Moneydance on.
Support Staff 12 Posted by Sean Reilly on 07 Jan, 2025 05:20 PM
Hi Kevin,
One more question, that might help us get closer to a solution. Can you enable syncing using the "Dropbox Connection" method? That uses Moneydance's custom built-in HTTP stack which observes the proxy settings from the moneydance preferences. Moneydance+ uses the Square okhttp library and so possibly doesn't use the system proxy automatically, but I could adapt it so that it does.
Thanks,
Sean
--
Sean Reilly
Developer, The Infinite Kind
https://infinitekind.com
13 Posted by kmenningen on 09 Jan, 2025 01:34 PM
Hi Sean & Maddy,
The Dropbox sync connection also fails with the PKIX error, please see attached file "2025-01-09_DropboxConnectionSetup.txt" as soon as I click OK in the dialog that requests the key on the Dropbox authorization website.
I'm happy to continue troubleshooting if you have additional things to try.
Best regards,
--Kevin
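Added example, not part of the thread and not Moneydance or Infinite Kind code: a local lab showing how the same server certificate can validate against one trust store and fail path building against another, which is one explanation consistent with the symptoms reported above (browser and curl succeed, the JVM-based client fails) but is not confirmed anywhere in the thread. Every CA, key and host name is constructed, and `build_lab`, `check_path` and `issuer_of` are hypothetical helper names; it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed lab: all keys, CAs and names are generated locally and are placeholders.
set -eu

# Build the lab in directory $1: two roots, one leaf, two trust stores.
build_lab() {
  local d=$1
  # "Public" root: stands in for a CA present in an application's bundled trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Public Root" \
    -keyout "$d/public.key" -out "$d/public.pem" 2>/dev/null
  # "Inspection" root: stands in for a CA that a TLS-inspecting proxy re-signs traffic with.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Inspection Root" \
    -keyout "$d/inspect.key" -out "$d/inspect.pem" 2>/dev/null
  # Leaf as a client behind such a proxy would receive it: issued by the inspection root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inspect.pem" -CAkey "$d/inspect.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  # Store A models an OS trust store that IT has provisioned with the inspection root.
  cat "$d/public.pem" "$d/inspect.pem" > "$d/os_store.pem"
  # Store B models a trust store bundled with an application: public roots only.
  cp "$d/public.pem" "$d/bundled_store.pem"
}

# Echo "trusted" or "no-path-to-trust-anchor" for leaf $2 checked against trust store $1.
check_path() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo no-path-to-trust-anchor   # OpenSSL's counterpart of "PKIX path building failed"
  fi
}

# Print the issuer of certificate $1; comparing this across machines names the missing root.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Stand-alone run in a throwaway directory.
lab=$(mktemp -d)
build_lab "$lab"
issuer_of "$lab/leaf.pem"
echo "OS-style store:      $(check_path "$lab/os_store.pem" "$lab/leaf.pem")"
echo "Bundled-style store: $(check_path "$lab/bundled_store.pem" "$lab/leaf.pem")"
```

On a real machine the equivalent comparison is the issuer of the certificate the failing client actually receives against the contents of the trust store that client uses.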