Verifying what certificate v24 agents are using over Cloud
Article ID: 370972


Products

Automic SaaS CA Automic Workload Automation - Automation Engine

Issue/Introduction

When connecting a new v24 agent to a new system, especially over the cloud, the agent generates the following error.

20240611/152025.529 - U00045014 Exception 'java.util.concurrent.ExecutionException: "javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"' at 'java.util.concurrent.CompletableFuture.reportGet():396'.
20240611/152025.547 - U00045015 The previous error was caused by 'javax.net.ssl.SSLHandshakeException: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"' at 'sun.security.ssl.Alert.createSSLException():131'.
20240611/152025.547 - U00045015 The previous error was caused by 'sun.security.validator.ValidatorException: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"' at 'sun.security.validator.PKIXValidator.doBuild():439'.
20240611/152025.548 - U00045015 The previous error was caused by 'sun.security.provider.certpath.SunCertPathBuilderException: "unable to find valid certification path to requested target"' at 'sun.security.provider.certpath.SunCertPathBuilder.build():148'.
20240611/152025.549 - U02000380 Could not connect to server 'aeserver.automic.com/<unresolved>:443'.
20240611/152025.549 - U02000074 Connecting to system 'AUTOMIC' is not possible. 

Cause

The error shows that the certificate presented to the agent cannot be validated against a trusted certification path for the server that the agent is trying to connect to.

Resolution

1: Start the agent with the following command:

java -Djavax.net.debug=all -jar ucxjoss.jar > out.txt 2>&1

This will most likely fail, but capture out.txt, the agent log and the trace (tcp=9).


2: Add the following in the agent ini file

trustedCertFolder=./trustedcert

Now create this trustedcert folder in the agent bin directory so that it matches the value from the .ini file, and place the required certificates in it (if connecting over the cloud, all public certificates in the chain: 3 certificates).


3: Important: start the agent via the binary:

./ucxjlx6


After starting, check in the agent log file that the agent is using the certificate that you need; message U02000377 will point to it. This is on the agent side.

20240620/085517.830 - 1      U02000377 Certificate loaded from file 'Base64-encoded ASCII, certificate chain.crt'.
20240620/085517.830 - 1      U02000377 Certificate loaded from file 'DigiCert Global.crt'.
20240620/085517.831 - 1      U02000377 Certificate loaded from file 'aeserver.automic.com.crt'.



The generated out.txt will show more information about what is actually being used. The debug output in out.txt will show the certificate details; searching for "issuer" will show you which certificate is being presented.

If it does not match the certificates listed under U02000377, a device in the network might be doing TLS termination and re-encrypting the traffic towards the internal network with an internally signed certificate rather than the required certificate.



javax.net.ssl|DEBUG|41|HttpClient-1-Worker-0|2024-06-20 14:47:46.806 MDT|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "0000000000000000000000000000000",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "[email protected],",
    "not before"         : "2024-03-04 17:00:00.000 MST",
    "not  after"         : "2025-04-05 17:59:59.000 MDT",
    "subject"            : "CN=*.PublicCAsigner",
Note the value for the issuer:

"issuer"             : [email protected],

On a normal TLS session setup, it should look like:

javax.net.ssl|DEBUG|13|HttpClient-1-Worker-0|2024-06-20 10:19:07.889 CDT|CertificateMessage.java:1172|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=CorrectCertificate, O=Org",
      "not before"         : "2024-01-29 18:00:00.000 CST",
      "not  after"         : "2025-03-01 17:59:59.000 CST",
      "subject"            : "CN=*.PublicCAsigner",

Once the network team has whitelisted the certificate, the agent will be able to start and authenticate with AWI.
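The comparison described above (issuer seen in the javax.net.debug output versus the certificates the agent loaded per U02000377) can be scripted. The following is an added example, not part of the original article or the Automic product: it parses constructed samples of out.txt and of the agent log, and flags any issuer that is not in an operator-supplied set of expected public CA issuers (the EXPECTED set below is hypothetical).

```python
import re

# Constructed sample of javax.net.debug output (out.txt) for a session that
# passed through a TLS-terminating device: the issuer is an internal CA.
INTERCEPTED_DEBUG = '''
javax.net.ssl|DEBUG|41|HttpClient-1-Worker-0|2024-06-20 14:47:46.806 MDT|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "issuer"             : "CN=Internal Proxy CA, O=Example Corp",
    "subject"            : "CN=*.PublicCAsigner",
'''

# Constructed sample of a normal session: the issuer is the expected public CA.
NORMAL_DEBUG = '''
javax.net.ssl|DEBUG|13|HttpClient-1-Worker-0|2024-06-20 10:19:07.889 CDT|CertificateMessage.java:1172|Consuming server Certificate handshake message (
  "certificate_list": [
  {
    "certificate" : {
      "version"            : "v3",
      "issuer"             : "CN=CorrectCertificate, O=Org",
      "subject"            : "CN=*.PublicCAsigner",
'''

# Constructed agent log lines; U02000377 names each certificate file loaded.
AGENT_LOG = '''
20240620/085517.830 - 1      U02000377 Certificate loaded from file 'DigiCert Global.crt'.
20240620/085517.831 - 1      U02000377 Certificate loaded from file 'aeserver.automic.com.crt'.
'''

# Both JSSE layouts shown in the article use the same '"issuer" : "..."' form.
ISSUER_RE = re.compile(r'"issuer"\s*:\s*"([^"]*)"')
LOADED_RE = re.compile(r"U02000377 Certificate loaded from file '([^']+)'")

def server_chain_issuers(debug_text):
    """Issuers presented by the server, in the order JSSE logged them."""
    return ISSUER_RE.findall(debug_text)

def loaded_cert_files(agent_log):
    """Certificate files the agent reported loading from trustedCertFolder."""
    return LOADED_RE.findall(agent_log)

def unexpected_issuers(debug_text, expected_issuers):
    """Issuers in the handshake that are not in the operator's expected set.
    A non-empty result means the agent is not seeing the public chain it
    trusts; a TLS-terminating device in the path is the usual explanation."""
    return [i for i in server_chain_issuers(debug_text) if i not in expected_issuers]

# Hypothetical: issuers of the certificates placed in ./trustedcert.
EXPECTED = {"CN=CorrectCertificate, O=Org"}
```

In practice, fill EXPECTED from the issuer fields of the .crt files in the trusted cert folder (for example with openssl x509 -noout -issuer) rather than typing them by hand.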