After installing APM 10.7 HF 24, the logs repeatedly show: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Continuation of case 01265846.
The issue is that the customer's trust store does not contain the appropriate certificate. Their Jetty configuration specifies their own key store, but they kept the trust store unchanged. Inspecting the trust stores shows that they are unmodified from how they were delivered by the installer.
Import the "CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE" certificate (the root CA certificate for their server certificate) into config/internal/server/keystore so that it can be used to trust certificates sent by other parts of the cluster. This root CA is part of the JRE that is shipped with EM, so they can export it from jre/lib/security/cacerts with "keytool -exportcert -v -alias addtrustexternalca -file addtrustexternalca.crt -keystore cacerts -storepass changeit" and then import it into config/internal/server/keystore with "keytool -importcert -v -trustcacerts -alias addtrustexternalca -storepass password -keystore keystore -file addtrustexternalca.crt".
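To confirm the import closed the gap, the following added example (not part of the original article or the product) parses "keytool -list -v" output and reports any key entry whose chain ends at an issuer that has no trustedCertEntry in the same store. The alias "emserver", the host name and the intermediate CA in the sample listing are constructed; only the AddTrust root DN and the "addtrustexternalca" alias come from the text above.

```python
import re

ROOT = "CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE"

# Constructed `keytool -list -v` output (host name and intermediate CA are made up).
KEY_ENTRY = f"""Keystore type: JKS

Alias name: emserver
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=em.example.test, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: {ROOT}
"""
ROOT_ENTRY = f"""
Alias name: addtrustexternalca
Entry type: trustedCertEntry

Owner: {ROOT}
Issuer: {ROOT}
"""

def norm(dn):
    # Compare DNs case-insensitively and ignore spacing around commas.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_entries(listing):
    """Return one dict per alias: entry type plus (owner, issuer) per certificate."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        field = lambda name: re.findall(rf"(?m)^{name}: (.+)$", block)
        entries.append({"alias": block.splitlines()[0].strip(),
                        "type": (field("Entry type") or [""])[0].strip(),
                        "certs": list(zip(field("Owner"), field("Issuer")))})
    return entries

def missing_roots(listing):
    """Map each key-entry alias to its chain's top issuer when that issuer is not
    present as a trustedCertEntry (simplification: only those count as anchors)."""
    entries = parse_entries(listing)
    trusted = {norm(o) for e in entries if e["type"] == "trustedCertEntry"
               for o, _ in e["certs"]}
    return {e["alias"]: e["certs"][-1][1] for e in entries
            if e["type"] == "PrivateKeyEntry" and e["certs"]
            and norm(e["certs"][-1][1]) not in trusted}

if __name__ == "__main__":
    print("before import:", missing_roots(KEY_ENTRY))
    print("after import: ", missing_roots(KEY_ENTRY + ROOT_ENTRY))
```

Against a real store, pass the text produced by "keytool -list -v -keystore keystore -storepass password" to missing_roots(); an empty result means every key entry's chain ends at a root that is present as a trusted certificate entry.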