on 06-24-2021 10:31 PM - edited on 05-22-2024 09:11 AM by Ryan.Paredez
When establishing a secure SSL-based connection between your agent and Controller, agent connectivity may fail with a PKIX error even if you followed the instructions in the Enable SSL for the Java Agent documentation. Depending on your environment or agent configuration, the agent's connection to your Controller over SSL may fail with the following PKIX error:
[system-thread-0] 02 Jun 2021 07:07:47,848 WARN SystemAgent - Certificate chain validation failed sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target attempting validation.
[system-thread-0] 02 Jun 2021 07:07:47,850 ERROR ControllerTimeSkewHandler - Fatal transport error while connecting to URL [/controller/instance/1265056/current-time]: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[system-thread-0] 02 Jun 2021 07:07:47,850 ERROR ControllerTimeSkewHandler - Error response from controller: Fatal transport error while connecting to URL [/controller/instance/1265056/current-time]
PKIX stands for Public Key Infrastructure (X.509). Whenever Java attempts to connect to another application over SSL, the connection will only succeed if Java can trust the certificate that the remote application presents.
In Java, trust is handled with a keystore used as a truststore (typically <agent_home>/<version_number>/conf/cacerts.jks or <agent_home>/conf/cacerts.jks in the AppDynamics Agent context). It contains the certificates of all known certificate authorities (CAs), and Java will only trust certificates that are signed by one of those CAs or whose public certificate itself exists within that keystore.
See Explaining the Chain of Trust - Learn What is it & How it Works and PKIX path building failed error message – CloudBees Support to learn more.
The PKIX ‘path building failed’ error arises when the agent's truststore (cacerts.jks) does not contain the CA certificate (root or intermediate) that signed the Controller's certificate: the agent is then unable to validate the certificate produced by the Controller, and eventually the PKIX ‘path building failed’ error results.
The most convenient solution is to replace the Agent’s current truststore (cacerts.jks) with a working agent’s truststore (i.e., the truststore of an agent sitting in the same environment as the non-working agent node in question, but that is communicating fine with the Controller).
To accomplish this, replace cacerts.jks in the non-working agent node: copy cacerts.jks from an agent that is working fine and move it over the cacerts.jks in the non-working agent node’s directory, which is one of:
<agent_home>/<version_number>/conf/cacerts.jks
or
<agent_home>/conf/cacerts.jks
If importing the truststore from an agent that is working is not an option, then follow the steps below, under Troubleshooting by manually importing the certificates.
The following steps are a comprehensive approach to the problem.
Review the output of the command below:
If it is a direct connection to the controller:
<jre-home>/bin/keytool -printcert -sslserver <controller-host>:<controller-port> > cert.out
If it is a connection to the controller through a forward proxy:
<jre-home>/bin/keytool -J-Dhttps.proxyHost=<proxy_host> -J-Dhttps.proxyPort=<proxy_port> -printcert -sslserver <controller-host>:<controller-port> > cert.out
If it is a connection to the controller through a reverse proxy:
<jre-home>/bin/keytool -printcert -sslserver <LB_or_reverse_proxy_host>:<LB_or_reverse_proxy_port> > cert.out
These commands will print the content of the certificate being presented by the endpoint that your agent speaks to (given your environment).
The output captured in cert.out may show two or more certificates in the certificate chain, together with metadata for each of them.
Run the same command again with -rfc to capture the chain in PEM format, which is what the import steps that follow need:
<jre-home>/bin/keytool -printcert -sslserver <controller-host>:<controller-port> -rfc > cert_rfc.out
<jre-home>/bin/keytool -J-Dhttps.proxyHost=<proxy_host> -J-Dhttps.proxyPort=<proxy_port> -printcert -sslserver <controller-host>:<controller-port> -rfc > cert_rfc.out
<jre-home>/bin/keytool -printcert -sslserver <LB_or_reverse_proxy_host>:<LB_or_reverse_proxy_port> -rfc > cert_rfc.out
Open the cert_rfc.out file in the third-party tool KeyStore Explorer and export the root and intermediate certificates one by one, following the steps under the heading Export a trusted certificate: choose Export Certificate from entry <your-certificate-name-selected-in-step1>, select X.509 as the Export Format with the PEM option, and click Export. Then import each exported file into the agent truststore:
keytool -import -file root_ca.pem -alias root_ca -keystore cacerts.jks -storepass changeit
keytool -import -file intermediate1.pem -alias intermediate1 -keystore cacerts.jks -storepass changeit
keytool -import -file intermediate2.pem -alias intermediate2 -keystore cacerts.jks -storepass changeit
Of the commands above, importing just the root certificate is enough most of the time. In rare cases you may need to import the intermediate certificates as well.
If you already have the CA's root certificate file, import it directly into the agent truststore:
keytool -import -alias rootCA -file <root_certificate_file_name> -keystore <agent_home>/<version_number>/conf/cacerts.jks -storepass changeit
For example:
keytool -import -alias digicertglobalrootCA -file DigiCertGlobalRootCA.crt.pem -keystore <agent_home>/<version_number>/conf/cacerts.jks -storepass changeit
keytool -import -alias digicertglobalrootG2 -file DigiCertGlobalRootG2.crt.pem -keystore <agent_home>/<version_number>/conf/cacerts.jks -storepass changeit
keytool -import -alias digicertglobalrootG3 -file DigiCertGlobalRootG3.crt.pem -keystore <agent_home>/<version_number>/conf/cacerts.jks -storepass changeit
keytool -import -alias identrust -file <file_name_for_IdenTrust_Commercial_Root_CA_1> -keystore <agent_home>/<version_number>/conf/cacerts.jks -storepass changeit
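As an added diagnostic that is not part of the original article or of the AppDynamics agent, the following Java program reproduces the agent's PKIX check offline: it loads the agent truststore and the cert_rfc.out chain captured above, prints each certificate's subject and issuer so root and intermediates can be told apart, and, when validation fails, names the CA whose certificate still needs to be imported. The class name AgentTrustCheck is this example's own, and it assumes the default truststore password changeit used in the keytool commands above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not AppDynamics code. Usage:
//   java AgentTrustCheck <agent_home>/conf/cacerts.jks cert_rfc.out [storepass]
public class AgentTrustCheck {
    public static void main(String[] args) throws Exception {
        // "changeit" is the default password of the agent truststore, as in the keytool commands above.
        char[] storepass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            truststore.load(in, storepass);
        }
        // cert_rfc.out (keytool -printcert -rfc) holds the presented chain in PEM form, leaf first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[1])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.printf("[%d] subject=%s%n    issuer=%s%s%n", i, c.getSubjectX500Principal(),
                    c.getIssuerX500Principal(), selfSigned ? "  (self-signed: root CA)" : "");
        }
        // A self-signed root sent by the server is an anchor candidate, not part of the path: PKIX looks
        // it up in the truststore, so drop it before validating (a lone self-signed leaf is kept).
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        // Same PKIX path building the agent performs in the TLS handshake; revocation is skipped
        // because only trust-anchor coverage is being tested here.
        PKIXParameters params = new PKIXParameters(truststore);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("OK: chain validates against " + args[0]);
        } catch (CertPathValidatorException e) {
            X509Certificate top = chain.get(chain.size() - 1);
            System.out.println("FAIL: " + e.getMessage());
            System.out.println("Top of chain is issued by: " + top.getIssuerX500Principal());
            System.out.println("If that CA is not in the truststore, import its certificate with keytool -import.");
        }
    }
}
```

Run it with the agent's own JRE so the result reflects the same security providers the agent uses; an OK here but PKIX errors in the agent log usually means the agent is pointed at a different truststore file than the one checked.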
If you continue to see the PKIX errors in the agent log even after importing the correct certificates, please contact AppDynamics Support.
Can you edit your original comment and add the config path for the machine agent as well for certs (<MachineAgentHomeDir>/conf)?
Thanks,
Vijay
Hello, @Vijay.Venkatarajulu and @Madhup.Srivastawa - The article has been updated.
Claudia Landivar
Community Manager & Editor
Thanks @Madhup.Srivastawa and @Claudia.Landivar
Sure thing, @Vijay.Venkatarajulu — thanks for pointing out the improvement.