Knowledge Base

cancel
Showing results for 
Search instead for 
Did you mean: 

The EUM Server fails to start due to a SSL Handshake error when EUM synchronizes to Analytics. What should I do?

Symptoms

EUM Server fails to start due to SSL Handshake error when the EUM account synchronizes to the analytics account.

 

Example:

20 May 2017 16:24:50.174 +1000  main                  AD.ALL                     INFO    ------start synchronize eum acct to analytics acct!---------
20 May 2017 16:24:50.177 +1000  main                  AD.AnalyticsAccountManage  INFO    start updating MobileSessionRecord
20 May 2017 16:24:50.388 +1000  main                  AD.AnalyticsAccountManage  ERROR   
 |    failed bulk updating MobileSessionRecord
 |    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 |  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 |  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
 |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
 |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
 |  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
 |  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
 |  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
 |  at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
 |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
 |  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
 |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
 |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
 |  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
 |  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
 |  at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
 |  at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
 |  at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
 |  at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
 |  at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
 |  at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
 |  at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
 |  at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
 |  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
 |  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
 |  at com.appdynamics.eumcloud.analytics.AnalyticsAccountManager.bulkUpdateAnEventType(AnalyticsAccountManager.java:266)
 |  at com.appdynamics.eumcloud.analytics.AnalyticsAccountManager.bulkUpdateEventTypes(AnalyticsAccountManager.java:229)
 |  at com.appdynamics.eum.processor.EUMProcessorServerApplication.syncEumAccountsToAnalyticsAccounts(EUMProcessorServerApplication.java:233)
 |  at com.appdynamics.eum.processor.EUMProcessorServerApplication.run(EUMProcessorServerApplication.java:173)
 |  at com.appdynamics.eum.processor.EUMProcessorServerApplication.run(EUMProcessorServerApplication.java:114)
 |  at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:42)
 |  at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:76)
 |  at io.dropwizard.cli.Cli.run(Cli.java:70)
 |  at io.dropwizard.Application.run(Application.java:72)
 |  at com.appdynamics.eumcloud.EUMProcessorServer.main(EUMProcessorServer.java:40)
 |    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 |  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
 |  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
 |  at sun.security.validator.Validator.validate(Validator.java:260)
 |  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
 |  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
 |  at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
 |  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
 |  ... 29 more
 |    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 |  at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
 |  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
 |  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
 |  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
 |  ... 35 more
 |    
 +---------------------------------------------------------------------------------------

 

Diagnosis

When the EUM Server tries to connect to the Analytics or Events Service, either directly or via a proxy server over SSL, the EUM Server does not trust the incoming certificate. This is due to a missing intermediate or root certificate in the trust keystore of the EUM Server. 

 

Solution

Import the intermediate/root certificates into the trust keystore of the EUM Server. 

 

Example:

<EUM_HOME>/jre/lib/security/cacerts

 

How to import the root & intermediate certificate to the "cacerts" trust keystore

../jre/bin/keytool -import -trustcacerts -alias myorg-rootca -keystore cacerts -file /path/to/CA-cert.txt -storepass changeit


../jre/bin/keytool -import -trustcacerts -alias myorg-interca -keystore cacerts -file /path/to/CA-inter.txt -storepass changeit

 

Relevant Links:

 

Version history
Revision #:
5 of 5
Last update:
‎09-05-2018 04:27 PM
Updated by:
 
Labels (1)
0 Kudos