KB-2272 PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

pauline.delacruz — Thu, 09 Nov 2023 17:50:17 GMT

Current Revision posted to Appian Knowledge Base by pauline.delacruz on 11/9/2023 5:50:17 PM

Symptoms

When starting the Appian RPA agent, the icon will appear to be gray, which indicates that there is no connection to the site. From the jidoka-client.log in the same folder where the agent was installed, the following trace can be seen:

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually occurs because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority. This can happen by injecting the certificate via an external component such as an antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the missing certificates, follow the steps below:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file.
1. Note: If this file does not exist in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after 1 minute.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

Open the newly generated jidoka-client-ssl.log to see all the information related with the communication attempt performed and all the certificates failed to validate. The following terms will help you find the required information.

trustStore is - You will find the path of the truststore used in your JVM.
adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once the missing certificate has been located, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Note: Typically this keystore is found in JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Use the default Java keytool to import the certificate.
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted, follow the required steps.
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted, follow the required steps.
```
Trust this certificate? [no]:
```
Enter "yes".
This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a support case if you have any questions with any of these steps.

Workaround

If the certificate is injected by an external application in the host machine, such as an antivirus or firewall, then the external application can be reconfigured to skip the certificate injection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: November 2023

Tags: java, Appian RPA, infrastructure, Certificate

KB-2272 PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

pauline.delacruz — Thu, 09 Nov 2023 17:49:33 GMT

Revision 9 posted to Appian Knowledge Base by pauline.delacruz on 11/9/2023 5:49:33 PM

Symptoms

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually occurs because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority. This can happen by injecting the certificate via an external component such as an antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the missing certificates, follow the steps below:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file.
1. Note: If this file does not exist in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after 1 minute.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

trustStore is - You will find the path of the truststore used in your JVM.
adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once the missing certificate has been located, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Note: Typically this keystore is found in JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Use the default Java keytool to import the certificate.
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted, follow the required steps.
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted, follow the required steps.
```
Trust this certificate? [no]:
```
Enter "yes".
This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a support case if you have any questions with any of these steps.

Workaround

If the certificate is injected by an external application in the host machine, such as an antivirus or firewall, then the external application can be reconfigured to skip the certificate injection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: November 2023

Tags: java, Appian RPA, infrastructure, Certificate

KB-2272 PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

pauline.delacruz — Thu, 09 Nov 2023 17:43:54 GMT

Revision 8 posted to Appian Knowledge Base by pauline.delacruz on 11/9/2023 5:43:54 PM

Symptoms

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually occurs because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority. This can happen by injecting the certificate via an external component such as an antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the missing certificates, follow the steps below:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file.
1. Note: If this file does not exist in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after 1 minute.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

trustStore is - You will find the path of the truststore used in your JVM.
adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once the missing certificate has been located, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Note: Typically this keystore is found in JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Use the default Java keytool to import the certificate.
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted, follow the required steps.
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted, follow the required steps.
```
Trust this certificate? [no]:
```
Enter "yes".
This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a support case if you have any questions with any of these steps.

Workaround

If the certificate is injected by any specific application in the host machine, such as an antivirus or firewall, they can be configured in order to allow the connection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: November 2023

Tags: java, Appian RPA, infrastructure, Certificate

[DRAFT SP-8344] KB-XXXX PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

pauline.delacruz — Tue, 05 Sep 2023 20:37:16 GMT

Revision 7 posted to Appian Knowledge Base by pauline.delacruz on 9/5/2023 8:37:16 PM

Symptoms

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually occurs because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority, which can be injected by an external component such as an antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the missing certificates, follow the steps below:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file.
1. Note: If this file does not exists in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after 1 minute.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

trustStore is - You will find the path of the truststore used in your JVM.
adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once the missing certificate has been located, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Note: Typically this keystore is found in JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Use the default Java keytool to import the certificate.
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted, follow the required steps.
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted, follow the required steps.
```
Trust this certificate? [no]:
```
Enter "yes".
This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a support case if you have any questions with any of these steps.

Workaround

If the certificate is injected by any specific application in the host machine, such as an antivirus or firewall, they can be configured in order to allow the connection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: September 2023

Tags: java, Appian RPA, infrastructure, Certificate

[DRAFT SP-8344] KB-XXXX PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

pauline.delacruz — Tue, 05 Sep 2023 15:27:27 GMT

Revision 6 posted to Appian Knowledge Base by pauline.delacruz on 9/5/2023 3:27:27 PM

Symptoms

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually occurs because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority, which can be injected by an external component such as an antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the missing certificates, follow the steps below:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file.
1. Note: If this file does not exists in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after 1 minute.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

trustStore is - You will find the path of the truststore used in your JVM.
adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once the missing certificate has been located, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Note: Typically this keystore is found in JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Use the default Java keytool to import the certificate.
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted, follow the required steps.
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted, follow the required steps.
```
Trust this certificate? [no]:
```
Enter "yes".
This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a case with Appian Support if you have any questions with any of these steps.

Workaround

If the certificate is injected by any specific application in the host machine, such as an antivirus or firewall, they can be configured in order to allow the connection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: September 2023

Tags: java, Appian RPA, infrastructure, Certificate

[DRAFT SP-8344] KB-XXXX PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

pauline.delacruz — Thu, 31 Aug 2023 14:37:22 GMT

Revision 5 posted to Appian Knowledge Base by pauline.delacruz on 8/31/2023 2:37:22 PM

Symptoms

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually occurs because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority, which can be injected by an external component such as an antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the missing certificates, follow the steps below:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file.
1. Note: If this file does not exists in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after 1 minute.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

trustStore is - You will find the path of the truststore used in your JVM.
adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once the missing certificate has been located, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Note: Typically this keystore is found in JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Use the default Java keytool to import the certificate.
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted, follow the required steps.
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted, follow the required steps.
```
Trust this certificate? [no]:
```
Enter "yes".

This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a case with Appian Support if you have any questions with any of these steps.

Workaround

If the certificate is injected by any specific application in the host machine, such as an antivirus or firewall, they can be configured in order to allow the connection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: August 2023

Tags: java, Appian RPA, infrastructure, Certificate

[DRAFT SP-8344] KB-XXXX PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

pauline.delacruz — Tue, 29 Aug 2023 17:56:15 GMT

Revision 4 posted to Appian Knowledge Base by pauline.delacruz on 8/29/2023 5:56:15 PM

Symptoms

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually occurs because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority, which can be injected by an external component such as an antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the missing certificates, follow the steps below:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file. If this file does not exists in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after ~30 seconds.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

trustStore is - You will find the path of the truststore used in your JVM.
adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once the missing certificate has been located, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Typically this keystore is at JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Run the standard keytool to import the certificate,
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted, follow the required steps.
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted, follow the required steps.
```
Trust this certificate? [no]:
```
Enter "yes".

This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a case with Appian Support if you have any questions with any of these steps.

Workaround

If the certificate is injected by any specific application in the host machine, such as an antivirus or firewall, they can be configured or disabled in order to allow the connection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: August 2023

Tags: java, Appian RPA, infrastructure, Certificate

[DRAFT SP-8344] KB-XXXX PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

pauline.delacruz — Fri, 30 Jun 2023 16:30:58 GMT

Revision 3 posted to Appian Knowledge Base by pauline.delacruz on 6/30/2023 4:30:58 PM

Symptoms

When starting the Appian RPA agent, the icon is gray all the time, which means that there is no connection to the site. Frfom the jidoka-client.log in the same folder where the agent was installed, you will see the following trace:

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually occurs because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority. This certificate could be injected by an external component like antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the certificates missing, you can follow these steps:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file. If this file does not exists in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after ~30 seconds.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

trustStore is - You will find the path of the truststore used in your JVM.
adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once located the missing certificate, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Typically this keystore is at JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Run the standard keytool to import the certificate,
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted
```
Trust this certificate? [no]:
```
Enter "yes".

This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a case with Appian Support if you have any questions with any of these steps.

Workaround

If the certificate is injected by any specific application in the host machine, such as an antivirus or firewall, they can be configured or disabled in order to allow the connection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: June 2023

Tags: java, Appian RPA, infrastructure, Certificate

[DRAFT SP-8344] KB-XXXX PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

pauline.delacruz — Fri, 23 Jun 2023 16:34:16 GMT

Revision 2 posted to Appian Knowledge Base by pauline.delacruz on 6/23/2023 4:34:16 PM

Symptoms

When starting the Appian RPA agent the icon is gray all the time, which means that there is no connection to the site. Looking into jidoka-client.log in the same folder where the agent was installed you will see the following trace:

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually caused because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority. This certificate could be injected by an external component like antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the certificates missing, you can follow these steps:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file. If this file does not exists in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after ~30 seconds.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

trustStore is - You will find the path of the truststore used in your JVM.
adding as trusted certificates - After this sentence, you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message, you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once located the missing certificate, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Typically this keystore is at JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Run the standard keytool to import the certificate,
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted
```
Trust this certificate? [no]:
```
Enter "yes".

This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a case with Appian Support if you have any questions with any of these steps.

Workaround

If the certificate is injected by any specific application in the host machine, like antivirus or firewall they can be configured or disabled in order to allow the connection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: June 2023

Tags: java, Appian RPA, infrastructure, Certificate

PKIX path building failed for Appian RPA agent connection due to a missing certificate in the Java Truststore

Juan Rodríguez — Sat, 03 Jun 2023 10:53:11 GMT

Revision 1 posted to Appian Knowledge Base by Juan Rodríguez on 6/3/2023 10:53:11 AM

Symptoms

|ERROR|com.novayre.jidoka.client.JidokaClient.connect:1043|java.io.IOException: Maximum retry attempts reached |...| java.io.IOException: Maximum retry attempts reached
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is usually caused because there is a certificate not trusted by the JVM in your host machine for one of the following reasons:

The certificate is self-signed or signed by a private authority. This certificate could be injected by an external component like antivirus, firewall, proxy, etc.
The certificate is signed by a Public Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

Since the agent is running in the JVM, the certificate must be added to the Java Truststore. In order to identify the certificates missing you can follow these steps:

Stop the agent.
Add the -Djavax.net.debug=all line to the AppianRPAagent.l4j.ini file. If this file does not exists in your Appian RPA agent folder, please create it.
Open a command line window and navigate to your Appian RPA agent folder.
Run the following command as is AppianRPAagent.exe > jidoka-client-ssl.log 2>&1
Stop the agent after ~30 seconds.
Remove the line previously added -Djavax.net.debug=all from the AppianRPAagent.l4j.ini.

Open the just generated jidoka-client-ssl.log to see all the information related with the communication attempt performed and all the certificates failed to validate.The following terms will help you finding the information required.

trustStore is - You will find the path of the truststore used in your JVM
adding as trusted certificates - After this sentence you will find all the certificates currently included in your truststore.
PKIX path building failed - In the lines previous to this message you can see the different certificates failed to be validated with the labels "Issuer" or "subject".

Once located the missing certificate, it needs to be added to the Java Truststore.

Locate the keystore location in the JRE.
Typically this keystore is at JAVA_HOME\jre\lib\security\ and the default file is cacerts.
Run the standard keytool to import the certificate,
JRE_HOME/bin/keytool -import -trustcacerts -alias <certAlias> -file <certFile> -keystore <trustStoreFilePath>

Please ensure you use the right values in <certAlias>, <certFile> and <trustStoreFilePath>
When prompted
```
Enter keystore password:
```
Default keystore password is: "changeit"
When prompted
```
Trust this certificate? [no]:
```
Enter "yes".

This imports the certificate into the keystore and displays the message:
```
Certificate was added to keystore
```

Please open a case with Appian Support if you have any questions with any of these steps.

Workaround

If the certificate is injected by any specific application in the host machine, like antivirus or firewall they can be configured or disabled in order to allow the connection.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: Jun 2023

Tags: java, Appian RPA, infrastructure, Certificate