cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Mohammed.Rayan
AppDynamics Team

Symptoms

EUM Server fails to start due to SSL Handshake error when the EUM account synchronizes to the analytics account.

 

Example:

20 May 2017 16:24:50.174 +1000  main                  AD.ALL                     INFO    ------start synchronize eum acct to analytics acct!---------
20 May 2017 16:24:50.177 +1000  main                  AD.AnalyticsAccountManage  INFO    start updating MobileSessionRecord
20 May 2017 16:24:50.388 +1000  main                  AD.AnalyticsAccountManage  ERROR   
 |    failed bulk updating MobileSessionRecord
 |    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 |  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 |  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
 |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
 |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
 |  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
 |  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
 |  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
 |  at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
 |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
 |  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
 |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
 |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
 |  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
 |  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
 |  at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
 |  at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
 |  at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
 |  at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
 |  at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
 |  at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
 |  at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
 |  at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
 |  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
 |  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
 |  at com.appdynamics.eumcloud.analytics.AnalyticsAccountManager.bulkUpdateAnEventType(AnalyticsAccountManager.java:266)
 |  at com.appdynamics.eumcloud.analytics.AnalyticsAccountManager.bulkUpdateEventTypes(AnalyticsAccountManager.java:229)
 |  at com.appdynamics.eum.processor.EUMProcessorServerApplication.syncEumAccountsToAnalyticsAccounts(EUMProcessorServerApplication.java:233)
 |  at com.appdynamics.eum.processor.EUMProcessorServerApplication.run(EUMProcessorServerApplication.java:173)
 |  at com.appdynamics.eum.processor.EUMProcessorServerApplication.run(EUMProcessorServerApplication.java:114)
 |  at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:42)
 |  at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:76)
 |  at io.dropwizard.cli.Cli.run(Cli.java:70)
 |  at io.dropwizard.Application.run(Application.java:72)
 |  at com.appdynamics.eumcloud.EUMProcessorServer.main(EUMProcessorServer.java:40)
 |    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 |  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
 |  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
 |  at sun.security.validator.Validator.validate(Validator.java:260)
 |  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
 |  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
 |  at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
 |  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
 |  ... 29 more
 |    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 |  at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
 |  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
 |  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
 |  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
 |  ... 35 more
 |    
 +---------------------------------------------------------------------------------------

 

Diagnosis

When the EUM Server tries to connect to the Analytics or Events Service, either directly or via a proxy server over SSL, the EUM Server does not trust the incoming certificate. This is due to a missing intermediate or root certificate in the trust keystore of the EUM Server. 

 

Solution

Import the intermediate/root certificates into the trust keystore of the EUM Server. 

 

Example:

<EUM_HOME>/jre/lib/security/cacerts

 

How to import the root & intermediate certificate to the "cacerts" trust keystore

../jre/bin/keytool -import -trustcacerts -alias myorg-rootca -keystore cacerts -file /path/to/CA-cert.txt -storepass changeit


../jre/bin/keytool -import -trustcacerts -alias myorg-interca -keystore cacerts -file /path/to/CA-inter.txt -storepass changeit

 

Relevant Links:

 

Version history
Last update:
‎09-05-2018 04:27 PM
Updated by:
On-Demand Webinar
Discover new Splunk integrations and AI innovations for Cisco AppDynamics.


Register Now!

Observe and Explore
Dive into our Community Blog for the Latest Insights and Updates!


Read the blog here