ServerHello Handshake message doesn't contain key exchange

I'm working on a microservice in Java, that has to send an HTTPS GET request to some Frontend server in our environment. The certificate that we are using is self-signed and is in the trust store of the microservice.

I'm using CloseableHttpClient of Apache that is configured with that trust store and all the necessary configurations.
However, when trying to send the GET request I get an exception of: "PKIX path building failed” and “unable to find valid certification path to requested target”. (I've search that error and already saw related solutions but they are not relevant to my problem, please continue reading)

I tried to run it with the debug flag of -Djavax.net.debug=all and I've noticed that in the description of "Consuming ServerHello handshake message" there's no key exchange attribute and details.

The problem is probably not related to the client, because when sending HTTP GET requests to a different endpoint it works, and I do see the key exchange as expected...

I appreciate your help.

> "PKIX path building failed” and “unable to find valid certification path to requested target”.

These messages mean that the client is unable to validate the servers certificate since no trusted CA is found locally. At least until TLS 1.2 the client does not start the key exchange until the server certificate is received. This means that if certificate validation fails at this stage no key exchange will be attempted.

> The problem is probably not related to the client, because when sending HTTP GET requests to a different endpoint it works, and I do see the key exchange as expected...

The problem can be related to the client or to the server. It might be that the server only provides a self-signed certificate, a certificate issued by an untrusted CA or does not send the necessary intermediate certificates to build the trust chain. It can also be though that the client simply does not trust the specific CA used by the server will the client trusts the different CA used by a different server.

To solve the issue one thus needs to figure out first what the cause of the problem is by looking at the certificates send by the server and comparing these to the expected root CA in the client setup. Then either fix the client or server setup.