ssl

Common SSL Issues

  

1. SSLException : PKIX Path Exception

Trace :

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
..
..
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Workaround :
Follow the steps for Generating the self-signed certificate to connect to secured server                                                                                     

Validation :
If the issue is persistent even  after performing the steps, please open the jssecacert file (default password : changeit) in keystore explorer tool, and check for an entry for the hostname for which gencert procedure was done. If th entry is there alright, please check if the certificate fingerprint is same as that of the one seen while inspecting certificate of that host in browser.

 

 

2. SSLException : No Subject Alternative DNS matching Exception

Trace :

 

  javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching xxxx-xxx.com found.

   

Workaround : Customer should access the target application server as  xxxx-xxx.com or add "xxxx-xxx.com" to either Subject or Subject Alternative Name attribute of the SSL certificate and reimport the the certificate it into SDP from Admin > Import SSL Certificate. Refer to this KB article for generating keystore with SAN switch.


Note : If the SDP/AE application url is the target url and customer is using the default self-signed certificate for our application, follow
Generating Self-Signed certificate with desired alias name. For example, in custom function scripts we may encounter the above issue while invoking our application's API, here we have to either change the url used for invoking or update SDP/AE application's certificate.                                                

Validation :
Check by opening the certificate/accessing in browser for inspecting the Subject Alternative Name extension present in Certificate Details. Please check the url used in the browser and the url used in the hostname in order to ensure if the hostname used for accessing the url is compliant with the value present in Subject Alternative Name. It may contain wildcard values like *.example.com in which case, any hostname ending with example.com is compliant.

 

 

3. Generating SSL .keystore file example



4. Generating Self-Signed certificate with desired alias name 

 

This use case is commonly needed for customers using default HTTPS option which generates the certificate with machine name as subject. Alternatively, a certificate can be generated by following the below steps -

1. Ensure server is running in HTTPS mode (else change to HTTPS mode)
2. Open the console from <SDP_HOME>/jre/bin
3. Run the below command -
keytool.exe -genkey -alias asc -keyalg RSA -keypass sdpsecured -keystore sdp.keystore -storepass sdpsecured -dname  "CN=<alias_name>,OU=ServiceDesk Plus, O=Zoho Corporation, L=Pleasanton, S=CA, C=US" -validity 36500  -ext san=dns:"<alias_name>"
4. Cut the generated <SDP_HOME>/jre/bin/sdp.keystore file and replace in conf directory.  
 
5. Examining .keystore/.pfx/.key files
The need to examine could arise for many reasons, like checking the imported SSL certificate due to failures, converting/ extracting the certificate formats or examing truststore file like jsssecacert file. Please check this KB for brief on keystore explorer.

6. Connection timed out
Trace :

[09:57:40:317]|[02-28-2024]|[SYSERR]|[INFO]|[454]: java.net.ConnectException: Connection timed out: connect|
....
[09:57:40:317]|[02-28-2024]|[SYSERR]|[INFO]|[454]:
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)|
[09:57:40:317]|[02-28-2024]|[SYSERR]|[INFO]|[454]:
at java.net.Socket.connect(Socket.java:613)|
[09:57:40:317]|[02-28-2024]|[SYSERR]|[INFO]|[454]:     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:293)|

Following needs to be checked,
  1. Find the url for which the connection timeout is happening.
  2. Whether the url is accessible from the application server in browser ?
  3. Is there any proxy-settings configured in his environment?
From the response  following course of action can be checked in order to resolve the issue,
  1. If proxy is present and the url is accessible in browser of application server, we can ask him to configure the same proxy in Admin> Proxy settings.
  2. If no proxy is present and url is not reachable, we can ask the customer to check with their network team regarding whitelisting of this url, so that it is accessible.


                  New to ADSelfService Plus?

                    • Related Articles

                    • Step-by-step: SSL Installation

                      In ServiceDesk Plus, we use a keystore file to store the private key and this keystore file will be used by the web server to secure the connections. Below are the steps that needs to be followed to generate a keystore file and install the ...
                    • How to install SSL certificate in AssetExplorer

                      SSL Installation Do you have a Wildcard or a Multi-domain certificate already running in your other servers and want to reinstall in on AssetExplorer server ?, then click here to find how to export SSL certificate using MMC.  Do you already have a ...
                    • Mail fetching failed - PKIX path building failed.

                      Cause: If the SSL Certificate in mail server is a self signed certificate then it is not imported in the ServiceDeskPlus-MSP java environment while using the POPS/IMAPS protocol. Error Trace in logs: javax.net.ssl.SSLHandshakeException: ...
                    • Zoho Reports sync failure_PKIX path building failed

                      While syncing Zoho Reports, this error may appear where the self-signed certificate to sync both Zoho Reports and SDP MSP will be missing. These traces (mentioned below) can be viewed in the file zrmeinteglog0.txt under the location ...
                    • How do I install SSL certificate for ServiceDeskPlus-MSP?

                      Introduction ServiceDesk Plus - MSP can run as a HTTPS service. But it requires a SSL (Secure Socket Layer) Certificate signed by a valid Certificate Authority (CA). By default, on a first-time start-up, it creates a self-signed certificate. This ...