KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Symptoms

Making a web service call to an external server fails and the following is seen in the application server log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The certificate presented by the external server is not trusted by Appian because it has not been imported to the trust store.

Action

Cloud

If the connection to the external server originates from one of the services documented here, upload the certificate (.pem) to the Trusted Server Certificates section of the Admin Console. Otherwise:

  • If the certificate is self-signed, obtain a new certificate from a publicly-trusted CA.
  • If the certificate is already CA-signed, ensure that the external server is configured to present all intermediate certificates up to the CA root certificate.

Self-managed 

18.3 and later

If the connection to the external server originates from one of the services documented here, upload the certificate (.pem) to the Trusted Server Certificates section of the Admin Console. Otherwise, refer to the steps below to import the certificate into the Java trust store. Note: In Appian 19.1 and later, Java comes bundled with Appian, so <APPIAN_HOME>/java should be used instead of JAVA_HOME.

18.2 and earlier

  1. Import the certificate into the default Java trust store:
    Linux
    $JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts
    Windows
    "%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts" 
    If importing multiple certificates, make sure that the alias is different for each command. The alias can be anything; it is usually the name the certificate was issued for.
  2. Verify that the import was successful:
    Linux
    $JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##
    Windows
    "%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME## 
    The above command (without the | grep ##ALIASNAME## or | findstr ##ALIASNAME##) can also be used to check which certificates are currently in the trust store. These are the default trusted certificates that come with a standard Appian installation.
  3. Restart the application server to deploy changes.

Note: certificates imported using the steps above will be cleared on site restart and need to be re-imported to the trust store.
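
A certificate imported into cacerts becomes a trust anchor for outbound TLS connections that use the JVM's default trust store, so it is worth confirming the .pem file is the expected one before running step 1. The following is an added example, not part of the original article or of Appian's tooling: it assumes the openssl CLI is installed, the function names are hypothetical, and the expected fingerprint is assumed to come out of band from the external server's owner.

```bash
#!/usr/bin/env bash
# Added example: pre-import checks for a PEM certificate (openssl CLI assumed).
# Function names are hypothetical and are not part of Appian or keytool.

# Constructed sample input: a throwaway self-signed certificate written to $1.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

# Print the SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed when subject and issuer match (the self-signed case in the Cloud section).
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | cut -d= -f2-)
  issr=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | cut -d= -f2-)
  [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# preimport_check FILE EXPECTED_FINGERPRINT
# Returns 0 only if FILE parses, matches the fingerprint obtained out of band
# from the server's owner, and has not expired. Returns 1 otherwise.
preimport_check() {
  actual=$(cert_fingerprint "$1" | tr 'a-f' 'A-F')
  wanted=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  if [ -z "$actual" ]; then
    echo "REJECT: $1 is not a readable PEM certificate" >&2; return 1
  fi
  if [ "$actual" != "$wanted" ]; then
    echo "REJECT: fingerprint $actual does not match expected value" >&2; return 1
  fi
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo "REJECT: certificate has expired" >&2; return 1
  fi
  if is_self_signed "$1"; then
    echo "NOTE: self-signed; trust rests entirely on the fingerprint check" >&2
  fi
  echo "OK: $actual"
}
```

Run preimport_check against the file passed to -file and proceed with the import only when it returns 0. The printed fingerprint can also be compared with the SHA256 value that keytool -list -v shows for the alias after import.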

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2023
