KB-1973 Adding a connected environment fails with "URL did not return valid public key" error

Symptoms

Adding a connected environment in the Admin Console for an Appian environment that has trusted IPs configured fails with the following error:

The following error is also observed in the application server log: 

ERROR com.appiancorp.connectedenvironments.logging.DevOpsInfrastructureAuditLogger - [ERROR, null, null, https://<other_site_subdomain>.appiancloud.com/suite, OUTGOING, null, null, null, null, null, null, null, null, null, URL did not return a valid public key: https://<other_site_subdomain>.appiancloud.com/suite]

The following PKIX error may also be present in the application server log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

There are two potential causes that could result in this issue:

  1. If the PKIX error is present, there is an issue with the certificate of the remote environment attempting to establish a Devops: Infrastructure connection. The web server certificates on both the first site and the secondary site must be valid, and each site must trust the other site's certificate.
  2. The second cause relates to trusted IPs and will differ based on installation type:

Cloud

The Appian Cloud region IP addresses have not been added to the other environment's IP allow list and connection attempts are being blocked.

Self-managed

Certain URL paths under /suite that are used by the Devops: Infrastructure connection are being blocked. 

Action

  1. To address any issues with the certificates for each site, follow the steps outlined in KB-1187 to have the web server certificates for each site added to the other site's default JDK trust store.
  2. To address the issue with trusted IPs, follow the steps below based on installation type:

Cloud

Open a case with Appian Support to add the Appian Cloud region's IP addresses to the environment being added as a connected environment. See KB-1582 for specific IP addresses to add based on region.

Self-managed

Ensure that any URL starting with the following pattern is exempt from any allow list on both servers involved with the Devops: Infrastructure operation:

https://<other_site_URL>/suite/devops-infrastructure/
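
To decide which of the two causes applies, the application server log can be checked for the two signatures quoted under Symptoms. The following Python script is an added example, not Appian code; the `triage` function, its `window` proximity rule and the sample hostnames are assumptions made for illustration.

```python
import re

# Signatures copied from the two log excerpts in this article.
AUDIT_RE = re.compile(
    r"DevOpsInfrastructureAuditLogger.*"
    r"URL did not return a valid public key: ([^\s\]]+)"
)
PKIX_MARKER = "PKIX path building failed"

ACTIONS = {
    "certificate": "KB-1187: add each site's web server certificate to the "
                   "other site's default JDK trust store",
    "trusted-ip": "Cloud: Support case to allow the region IPs (KB-1582); "
                  "self-managed: exempt /suite/devops-infrastructure/",
}

def triage(log_lines, window=5):
    """Map each failing remote URL to 'certificate' or 'trusted-ip'.

    Assumption: a PKIX error belongs to a failed attempt when it is logged
    within `window` lines of the audit entry, before or after it.
    """
    lines = list(log_lines)
    pkix_at = [i for i, text in enumerate(lines) if PKIX_MARKER in text]
    findings = {}
    for i, text in enumerate(lines):
        match = AUDIT_RE.search(text)
        if not match:
            continue
        url = match.group(1)
        near_pkix = any(abs(i - j) <= window for j in pkix_at)
        # A certificate finding is never downgraded by a later attempt.
        if near_pkix or url not in findings:
            findings[url] = "certificate" if near_pkix else "trusted-ip"
    return findings

def _audit(url):  # builds a constructed audit line in the article's format
    return ("ERROR com.appiancorp.connectedenvironments.logging."
            "DevOpsInfrastructureAuditLogger - [ERROR, null, null, " + url +
            ", OUTGOING, null, null, null, null, null, null, null, null, null, "
            "URL did not return a valid public key: " + url + "]")

# Constructed sample log; the hostnames are placeholders.
SAMPLE_LOG = (
    [_audit("https://site-b.example.test/suite"),
     "sun.security.validator.ValidatorException: PKIX path building failed: "
     "sun.security.provider.certpath.SunCertPathBuilderException: unable to "
     "find valid certification path to requested target"]
    + ["INFO constructed filler line"] * 10
    + [_audit("https://site-c.example.test/suite")]
)

if __name__ == "__main__":
    for url, cause in triage(SAMPLE_LOG).items():
        print(f"{url}: {cause} -> {ACTIONS[cause]}")
```

A "trusted-ip" result only means no PKIX error was logged near the failed attempt, so confirm it against the allow list configuration on the other site.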

Affected Versions

This article applies to Appian versions 19.1 and later.

Last Reviewed: June 2020
