
Error in CloudProxy connecting to CloudGateway - SSLHandshakeException unable to find valid certification path to requested target


Article ID: 137363


Products

CA Application Performance Management (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

Error in CloudProxy connecting to CloudGateway:


2019-09-16 13:41:19.663 ERROR 30799 --- [nioEventLoopGroup-3-19] c.c.a.c.w.WebSocketClientHandler        : [id: 0x92273e6f, L:/22.0.1.65:48672 ! R:apmservices-cloudgw.apm.dxi.aacc.corp/22.0.1.57:443] Exception: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

               at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]

               at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]


Cause

The certificate presented by the CloudGateway side of the installation is not considered valid (not properly signed, most probably self-signed). CloudProxy therefore refuses the connection by default.
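
To confirm this cause before changing any configuration, the certificate the gateway presents can be classified with openssl. The script below is an added example, not part of the original article or of the product; the function names, file names and certificate subjects are constructed for illustration, and "self-signed" is inferred from the subject and issuer names being identical.

```shell
#!/bin/sh
# Added example: classify the certificate behind a PKIX path building failure.
# All names, files and subjects below are constructed for illustration.

# Print the leaf certificate a TLS server presents (needs network access).
# $1 = host:port of the gateway CloudProxy connects to.
fetch_server_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# $1 = PEM certificate, $2 = optional PEM bundle of trusted CA certificates.
# Prints self-signed, chain-ok or untrusted-issuer.
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    if [ "$subj" = "$iss" ]; then
        echo self-signed          # subject and issuer are the same name
    elif [ -n "${2:-}" ] && openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo chain-ok             # a path to a trusted CA exists
    else
        echo untrusted-issuer     # issued by a CA the bundle does not contain
    fi
}

# Build constructed sample certificates in directory $1 (offline).
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-root-ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-gateway" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d) && make_sample_certs "$dir"
    classify_cert "$dir/ca.pem"                  # self-signed
    classify_cert "$dir/leaf.pem"                # untrusted-issuer
    classify_cert "$dir/leaf.pem" "$dir/ca.pem"  # chain-ok
    rm -rf "$dir"
fi
```

Against a live gateway, save the output of `fetch_server_cert host:port` to a file and pass that file to `classify_cert`; a result of `self-signed` or `untrusted-issuer` matches the cause described above.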




Environment

Release: APM 11


Resolution


1. Open config/application.yml in the APM CloudProxy installation directory. 

2. Uncomment apm.server.proxyInsecure and change the value to true. 

This will skip server certificate validation. 


NOTE: apm.server.proxyInsecure - Set to true to ignore certificates on the apmservices.cloudgw side. Recommended for testing with self-signed certificates.


3. You must restart the proxy.

Additional Information

In Workstation and Agent, if no truststore is specified, the server is automatically trusted:

- Workstation - https://docops.ca.com/ca-apm/10-7/en/administrating/configure-the-workstation/http-tunneling-and-ssl

- Agent - https://docops.ca.com/ca-apm/10-7/en/implementing-agents/java-agent/java-agent-properties 


This is not the case for CloudProxy, which is secure by default. To connect to a server with an invalid certificate, the apm.server.proxyInsecure=true configuration must be used.