KB-2272 PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

Symptoms

When starting the Appian RPA agent, the icon will appear to be gray, which indicates that there is no connection to the site. From the jidoka-client.log in the same folder where the agent was installed, the following trace can be seen:

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually occurs because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

1. The certificate is self-signed or signed by a private authority. This can happen by injecting the certificate via an external component such as an antivirus, firewall, proxy, etc.
2. The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the missing certificates, follow the steps below:

1. Stop the agent.
   
2. Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file.
   1. Note: If this file does not exist in your Appian RPA agent folder, please create it.
      
3. Open a command line window and navigate to your Appian RPA agent folder.
   
4. Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1

5. Stop the agent after 1 minute.
   
6. Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

Open the newly generated jidoka-client-ssl.log to see all the information related with the communication attempt performed and all the certificates failed to validate. The following terms will help you find the required information.

• trustStore is - You will find the path of the truststore used in your JVM.
  
• adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
  
• PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once the missing certificate has been located, it needs to be added to the Java Truststore. 

1. Locate the keystore location in the JRE.
   Note: Typically this keystore is found in JAVA_HOME\jre\lib\security\ and the default file is cacerts.
   
2. Use the default Java keytool to import the certificate.
   JRE_HOME/bin/keytool  -import  -trustcacerts -alias <certAlias>  -file <certFile> -keystore <trustStoreFilePath>
   
   Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
   
   
3. When prompted, follow the required steps.

   Enter keystore password:

   Default keystore password is: "changeit"
   
   
4. When prompted, follow the required steps.
   

   Trust this certificate? [no]:

   Enter "yes".
   This imports the certificate into the keystore and displays the message:

   Certificate was added to keystore

Please open a support case if you have any questions with any of these steps.

Workaround

If the certificate is injected by an external application in the host machine, such as an antivirus or firewall, then the external application can be reconfigured to skip the certificate injection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: November 2023