KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Symptoms

Making a call to an external server over HTTPS or LDAPS fails because the application server does not trust the CA that signed the certificate the external server presents. The following error appears in the application server log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The certificate presented by the external server is not trusted by the application server for one of the following reasons:

  1. The certificate is self-signed.
  2. The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.
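
To tell which of the two causes applies, inspect the chain the server actually sends. The script below is an added example, not part of the original article or of Appian's tooling: it classifies the "Certificate chain" block printed by openssl s_client with -showcerts. The function name, result labels and sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads the "Certificate chain" block printed by
#   openssl s_client -connect HOST:PORT -showcerts </dev/null
# on stdin and prints one label. HOST:PORT is a placeholder.
classify_chain() {
  awk '
    BEGIN { n = 0 }
    # " <depth> s:<subject DN>" starts a new certificate entry
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    # "   i:<issuer DN>" belongs to the entry just read
    /^ *i:/ && n > 0 { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
    END {
      if (n == 0)            { print "no-certificates"; exit }
      # Cause 1: the leaf names itself as its issuer
      if (subj[0] == iss[0]) { print "self-signed"; exit }
      # Cause 2: only the leaf was sent, no intermediates
      if (n == 1)            { print "leaf-only"; exit }
      # Each issuer must be the subject of the next certificate sent
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) { print "chain-gap"; exit }
      print "chain-presented"
    }'
}

# Constructed sample inputs (not captured from a real server)
sample_self_signed() { cat <<'EOF'
Certificate chain
 0 s:CN = ldap.example.internal
   i:CN = ldap.example.internal
EOF
}
sample_leaf_only() { cat <<'EOF'
Certificate chain
 0 s:CN = api.example.internal
   i:CN = Example Issuing CA
EOF
}
sample_full_chain() { cat <<'EOF'
Certificate chain
 0 s:CN = api.example.internal
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
EOF
}

for s in sample_self_signed sample_leaf_only sample_full_chain; do
  printf '%s: %s\n' "$s" "$("$s" | classify_chain)"
done
```

A leaf-only result is expected when the certificate was issued directly by a root that is already in the trust store; otherwise it means the server is not sending its intermediate certificates.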

Action

18.3 and later

  1. Navigate to the Appian Administration Console.
  2. Click on Certificates -> Trusted Certificates.
  3. Click 'New Trusted Certificate' and upload the .pem formatted certificate file.

18.2 and earlier

On-Premise

Use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

If importing multiple certificates, make sure that the alias is different for each command. The alias can be anything and is just a name in this case, usually the name this certificate was issued for.

To verify that the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

The above command (without the | grep ##ALIASNAME## or | findstr ##ALIASNAME##) can also be used to check which certificates are currently in the trust store. These are the default trusted certificates that come with a standard installation of Java.

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Cloud

Importing certificates into the Java TrustStore is not supported on Appian Cloud.

  • If you already have a CA-signed certificate, make sure your external server has all intermediate certificates up to the CA root certificate installed.
  • If you have a self-signed certificate, obtain a new CA-signed certificate from a certificate authority.
  • If this error is appearing while attempting to call a web service, try using the Advanced Call Web Service shared component.

Note: Anything provided in the App Market is provided as-is, and the functionality cannot be guaranteed by Appian.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: September 2018
