When using the Call Web Service smart service, it fails to connect to the web service endpoint and the following error is generated in application server log:
INFO [stdout] (ajp-/0.0.0.0:8009-7) com.appiancorp.ws.WSClientException: The WSDL cannot be processed because the remote server's certificate is invalid. Check that the certificate has not expired. (APNX-1-4045-005)
INFO [stdout] (ajp-/0.0.0.0:8009-7) Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The server hosting the web service is not configured to send back a list of client certificate CA names to the client attempting to authenticate. This can be determined by running the following command, where <IP_ADDRESS> and <PORT> are the IP and port used by the server hosting the web service:
openssl s_client -showcerts -connect <IP_ADDRESS>:<PORT>
This will generate an output similar to the following (note that the output shown here has omitted the certificate strings and other information for readability):
No client certificate CA names sent
SSL handshake has read 4567 bytes and written 288 bytes
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Key-Arg : None
Start Time: 1447147689
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Notice the section that states "No client certificate CA names sent". This indicates that the server is not sending back a list of client certificate CA names, which Appian requires in order to authenticate properly.
This issue has been resolved via AN-57245 in the following Appian hotfixes/versions:
Apply the latest hotfix to your Appian installation or upgrade to the latest version of Appian.
The following workarounds can resolve this issue:
This article applies to Appian 17.1 and older.
Last Reviewed: July 2017
© 2020 Appian. All rights reserved.