KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

pauline.delacruz — Tue, 17 Mar 2026 15:40:30 GMT

Current Revision posted to Appian Knowledge Base by pauline.delacruz on 3/17/2026 3:40:30 PM

Symptoms

Making a web service call to an external server fails and the following is seen in the application server log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The certificate presented by the external server is not trusted by Appian because it has not been imported to the trust store.

Action

Cloud

If the connection to the external server originates from one of the services documented here, upload the certificate (.pem) to the Trusted Server Certificates section of the Admin Console. Otherwise:

If the certificate is self-signed, obtain a new certificate from a publicly-trusted CA.
If the certificate is already CA-signed, ensure that the external server is configured to present all intermediate certificates up to the CA root certificate.

Self-managed

18.3 and later

If the connection to the external server originates from one of the services documented here, upload the certificate (.pem) to the Trusted Server Certificates section of the Admin Console. Otherwise, refer to the steps below to import the certificate into the Java trust store. Note: In Appian 19.1 and later, Java comes bundled with Appian so <APPIAN_HOME>/java should be used instead of JAVA_HOME.

18.2 and earlier

Import the certificate into the default Java trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

If importing multiple certificates, make sure that the alias is different for each command. The alias can be anything, usually the name this certificate was issued for.

Verify that the import was successful:
Linux
```
$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##
```
Windows
```
"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME## 
```
The above command (without the | grep ##ALIASNAME## or | findstr ##ALIASNAME##) can also be used to check what certificates are currently in the trust store. These are the default trusted certificates that come up with a standard Appian Installation.
Restart the application server to deploy changes.

Note: Certificates imported using the steps above are cleared on hotfixes and upgrades, after which they need to be re-imported to the trust store.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2026

Tags: administration, process models, integration, admin console, web services, Certificates

KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Elly Meng — Thu, 18 May 2023 15:21:40 GMT

Revision 15 posted to Appian Knowledge Base by Elly Meng on 5/18/2023 3:21:40 PM

Symptoms

Making a web service call to an external server fails and the following is seen in the application server log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The certificate presented by the external server is not trusted by Appian because it has not been imported to the trust store.

Action

Cloud

If the certificate is self-signed, obtain a new certificate from a publicly-trusted CA.
If the certificate is already CA-signed, ensure that the external server is configured to present all intermediate certificates up to the CA root certificate.

Self-managed

18.3 and later

18.2 and earlier

Import the certificate into the default Java trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

If importing multiple certificates, make sure that the alias is different for each command. The alias can be anything, usually the name this certificate was issued for.

Verify that the import was successful:
Linux
```
$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##
```
Windows
```
"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME## 
```
The above command (without the | grep ##ALIASNAME## or | findstr ##ALIASNAME##) can also be used to check what certificates are currently in the trust store. These are the default trusted certificates that come up with a standard Appian Installation.
Restart the application server to deploy changes.

Note: certificates imported using the steps above will be cleared on site restart and need to be re-imported to the trust store.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2023

Tags: administration, process models, integration, admin console, web services, Certificates

KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Parmida Borhani — Thu, 06 Sep 2018 20:13:24 GMT

Revision 14 posted to Appian Knowledge Base by Parmida Borhani on 9/6/2018 8:13:24 PM

Symptoms

Making a call to an external server over HTTPS or LDAPS fails because the application server does not trust the CA which was used to sign the certificate the external server presents. The following error will be seen in the application server log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the external server is not trusted by the application server for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

18.3 and later

Navigate to the Appian Administration Console.
Click on Certificates -> Trusted Certificates.
Click 'New Trusted Certificate' and upload the .pem formatted certificate file.

18.2 and earlier

Self-managed

Use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

If importing multiple certificates, make sure that the alias is different for each command. The alias can be anything and is just a name in this case, usually the name this certificate was issued for.

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

The above command (without the | grep ##ALIASNAME## or | findstr ##ALIASNAME##) can also be used to check what certificates are currently in the trust store. These are the default trusted certificates that come up with a standard installation of Java.

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Cloud

Importing certificates into the Java TrustStore is not supported on Appian Cloud.

If you already have a CA-signed certificate, make sure your external server has all intermediate certificates up to the CA root certificate installed.
If you have a self-signed certificate, obtain a new CA-signed certificate from a certificate authority.
If this error is appearing while attempting to call a web service, try using the Advanced Call Web Service shared component.

Note: Anything provided in the App Market is provided as-is, and the functionality cannot be guaranteed by Appian.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: September 2018

Tags: administration, process models, integration, admin console, web services, Certificates

KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Parmida Borhani — Thu, 06 Sep 2018 20:13:07 GMT

Revision 13 posted to Appian Knowledge Base by Parmida Borhani on 9/6/2018 8:13:07 PM

Symptoms

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the external server is not trusted by the application server for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

18.3 and later

Navigate to the Appian Administration Console.
Click on Certificates -> Trusted Certificates.
Click 'New Trusted Certificate' and upload the .pem formatted certificate file.

18.2 and earlier

On-Premise

Use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Cloud

Importing certificates into the Java TrustStore is not supported on Appian Cloud.

If you already have a CA-signed certificate, make sure your external server has all intermediate certificates up to the CA root certificate installed.
If you have a self-signed certificate, obtain a new CA-signed certificate from a certificate authority.
If this error is appearing while attempting to call a web service, try using the Advanced Call Web Service shared component.

Note: Anything provided in the App Market is provided as-is, and the functionality cannot be guaranteed by Appian.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: September 2018

Tags: process models, integration, web services, Certificates

KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Parmida Borhani — Thu, 06 Sep 2018 20:12:32 GMT

Revision 12 posted to Appian Knowledge Base by Parmida Borhani on 9/6/2018 8:12:32 PM

Symptoms

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the external server is not trusted by the application server for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

18.3 and later

Navigate to the Appian Administration Console.
Click on Certificates -> Trusted Certificates.
Click 'New Trusted Certificate' and upload the .pem formatted certificate file.

18.2 and earlier

On-Premise

Use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Cloud

Importing certificates into the Java TrustStore is not supported on Appian Cloud.

If you already have a CA-signed certificate, make sure your external server has all intermediate certificates up to the CA root certificate installed.
If you have a self-signed certificate, obtain a new CA-signed certificate from a certificate authority.
If this error is appearing while attempting to call a web service, try using the Advanced Call Web Service shared component.

Note: Anything provided in the App Market is provided as-is, and the functionality cannot be guaranteed by Appian.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: September 2018

Tags: process models, integration, web services

KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Parmida Borhani — Wed, 05 Sep 2018 21:21:13 GMT

Revision 11 posted to Appian Knowledge Base by Parmida Borhani on 9/5/2018 9:21:13 PM

Symptoms

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the external server is not trusted by the application server for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

On-Premise

Use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Cloud

18.3 and later

Navigate to the Appian Administration Console.
Click on Certificates -> Trusted Certificates.
Click 'New Trusted Certificate' and upload the .pem formatted certificate file.

18.2 and earlier

Importing certificates into the Java TrustStore is not supported on Appian Cloud.

If you already have a CA-signed certificate, make sure your external server has all intermediate certificates up to the CA root certificate installed.
If you have a self-signed certificate, obtain a new CA-signed certificate from a certificate authority.
If this error is appearing while attempting to call a web service, try using the Advanced Call Web Service shared component.

Note: Anything provided in the App Market is provided as-is, and the functionality cannot be guaranteed by Appian.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: September 2018

Tags: process models, integration, web services

KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Parmida Borhani — Mon, 23 Jul 2018 03:57:39 GMT

Revision 10 posted to Appian Knowledge Base by Parmida Borhani on 7/23/2018 3:57:39 AM

Symptoms

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the external server is not trusted by the application server for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

On-Premise

Use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Cloud

Importing certificates into the Java TrustStore is not supported on Appian Cloud.

If you already have a CA-signed certificate, make sure your external server has all intermediate certificates up to the CA root certificate installed.
If you have a self-signed certificate, obtain a new CA-signed certificate from a certificate authority.
If this error is appearing while attempting to call a web service, try using the Advanced Call Web Service shared component.

Note: Anything provided in the app market is provided as-is, and the functionality cannot be guaranteed by Appian.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2018

Tags: process models, integration, web services

KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Nick Vigilante — Fri, 11 May 2018 09:55:11 GMT

Revision 9 posted to Appian Knowledge Base by Nick Vigilante on 5/11/2018 9:55:11 AM

Symptoms

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the external server is not trusted by the application server for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

On-Premise

Use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Cloud

Importing certificates into the Java TrustStore is not supported on Appian Cloud.

If you already have a CA-signed certificate, make sure your external server has all intermediate certificates up to the CA root certificate installed.
If you have a self-signed certificate, obtain a new CA-signed certificate from a certificate authority.
If this error is appearing while attempting to call a web service, try using the Advanced Call Web Service shared component.

Note: Anything provided in the app market is provided as-is, and the functionality cannot be guaranteed by Appian.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2018

Tags: process models, web services

KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Nick Vigilante — Fri, 11 May 2018 09:52:46 GMT

Revision 8 posted to Appian Knowledge Base by Nick Vigilante on 5/11/2018 9:52:46 AM

Symptoms

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate that’s being presented by the external server is not trusted by the application server for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

On-Premise

Use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Cloud

Importing certificates is not supported on Appian Cloud.

If you already have a CA-signed certificate, make sure your external server has all intermediate certificates up to the CA root certificate installed.
If you have a self-signed certificate, obtain a new CA-signed certificate from a certificate authority.
If this error is appearing while attempting to call a web service, try using the Advanced Call Web Service shared component.

Note: Anything provided in the app market is provided as-is, and the functionality cannot be guaranteed by Appian.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2018

Tags: process models, web services

KB-1187 "PKIX path building failed: error when attempting to make a call to an external server" error thrown when making web service calls over HTTPS or LDAPS

Nick Vigilante — Fri, 11 May 2018 09:48:47 GMT

Revision 7 posted to Appian Knowledge Base by Nick Vigilante on 5/11/2018 9:48:47 AM

Symptoms

Making a call to an external server over HTTPS or LDAPS fails because the JBoss server does not trust the CA which was used to sign the certificate the external server presents. The following error will be seen in the application server log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate that’s being presented by the external server is not trusted by the application server for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

On-Premise

Use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Cloud

Importing certificates is not supported on Appian Cloud.

If you already have a CA-signed certificate, make sure your external server has all intermediate certificates up to the CA root certificate installed.

If you have a self-signed certificate, obtain a new CA-signed certificate from a certificate authority.

If this error is appearing while attempting to call a web service, try using the Advanced Call Web Service shared component.

Note: Anything provided in the app market is provided as-is, and the functionality cannot be guaranteed by Appian.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2018

Tags: process models, web services

KB-1187 "The WSDL cannot be processed because the remote server certificate is invalid... unable to find valid certification path to requested target" error thrown when making web service calls

Parmida Borhani — Wed, 10 Jan 2018 17:56:06 GMT

Revision 6 posted to Appian Knowledge Base by Parmida Borhani on 1/10/2018 5:56:06 PM

Symptoms

Making web services calls over HTTPS fails because the JBoss server does not trust the CA which was used to sign the certificate the web service presents. The following errors will be seen in the application server log

INFO  [stdout] (ajp-/0.0.0.0:8009-7) com.appiancorp.ws.WSClientException: The WSDL cannot be processed because the remote server certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: com.appiancorp.ws.security.transport.HTTPTransportException: The WSDL cannot be processed because the remote server’s certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate that’s being presented is not trusted by the application server. You will have to obtain a certificate signed by a trusted authority instead of a self-signed certificate or import it into the JDK truststore using the keytool command.

Action

You will have to use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

If you’re importing multiple certificates, make sure that the alias is different for each command. The alias can be anything and is just a name in this case, usually the name this certificate was issued for.

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Note: The above operations are currently not supported on Appian Cloud as you are not allowed to run any commands on the operating system. The workaround is to use the Advanced Call Web Service plug-in or to obtain a certificate from a trusted CA instead of using a self-signed one.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: January 2018

Tags: process models, web services

KB-1187 "The WSDL cannot be processed because the remote server certificate is invalid... unable to find valid certification path to requested target" error thrown when making web service calls

Parmida Borhani — Wed, 10 Jan 2018 17:54:23 GMT

Revision 5 posted to Appian Knowledge Base by Parmida Borhani on 1/10/2018 5:54:23 PM

Symptoms

INFO  [stdout] (ajp-/0.0.0.0:8009-7) com.appiancorp.ws.WSClientException: The WSDL cannot be processed because the remote server certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: com.appiancorp.ws.security.transport.HTTPTransportException: The WSDL cannot be processed because the remote server’s certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

Action

You will have to use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Affected Versions

This article applies to all versions of Appian with Linux as the underlying operating system.

Last Reviewed: January 2018

Tags: process models, web services

KB-1187 "The WSDL cannot be processed because the remote server certificate is invalid... unable to find valid certification path to requested target" error thrown when making web service calls

Parmida Borhani — Wed, 10 Jan 2018 17:53:55 GMT

Revision 4 posted to Appian Knowledge Base by Parmida Borhani on 1/10/2018 5:53:55 PM

Symptoms

INFO  [stdout] (ajp-/0.0.0.0:8009-7) com.appiancorp.ws.WSClientException: The WSDL cannot be processed because the remote server certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: com.appiancorp.ws.security.transport.HTTPTransportException: The WSDL cannot be processed because the remote server’s certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

Action

You will have to use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

The above command (without the | grep “##ALIASNAME##” or | findstr ##ALIASNAME##) can also be used to check what certificates are currently in the trust store. These are the default trusted certificates that come up with a standard installation of Java.

After importing the certificate into the JDK trust store, perform an application server restart to load the certificate.

Affected Versions

This article applies to all versions of Appian with Linux as the underlying operating system.

Last Reviewed: January 2018

Tags: process models, web services

KB-1187 "The WSDL cannot be processed because the remote server certificate is invalid... unable to find valid certification path to requested target" error thrown when making web service calls

Parmida Borhani — Wed, 10 Jan 2018 17:50:40 GMT

Revision 3 posted to Appian Knowledge Base by Parmida Borhani on 1/10/2018 5:50:40 PM

Symptoms

Making web services calls over https fails because the JBoss server does not trust the CA which was used to sign the certificate the web service presents. The following errors will be seen in the application server log

INFO  [stdout] (ajp-/0.0.0.0:8009-7) com.appiancorp.ws.WSClientException: The WSDL cannot be processed because the remote server certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: com.appiancorp.ws.security.transport.HTTPTransportException: The WSDL cannot be processed because the remote server’s certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

Action

You will have to use the following command to import the certificate into the default JDK trust store:

Linux

$JAVA_HOME/bin/keytool -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore $JAVA_HOME/jre/lib/security/cacerts

Windows

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file #PATH TO FILE# -alias ##ALIASNAME## -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

To verify if the import has been done, run the following command:

Linux

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep ##ALIASNAME##

Windows

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | findstr ##ALIASNAME##

Note: The above operations are currently not supported on Appian Cloud as you are not allowed to run any commands on the operating system. The workaround would be to use the Advanced Call Web Service plug-in or to obtain a certificate from a trusted CA instead of using a self-signed one.

Affected Versions

This article applies to all versions of Appian with Linux as the underlying operating system.

Last Reviewed: January 2018

Tags: process models, web services

KB-1187 "The WSDL cannot be processed because the remote server certificate is invalid... unable to find valid certification path to requested target" error thrown when making web service calls

Nick Vigilante — Wed, 26 Jul 2017 08:53:33 GMT

Revision 2 posted to Appian Knowledge Base by Nick Vigilante on 7/26/2017 8:53:33 AM

Symptoms

INFO  [stdout] (ajp-/0.0.0.0:8009-7) com.appiancorp.ws.WSClientException: The WSDL cannot be processed because the remote server certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: com.appiancorp.ws.security.transport.HTTPTransportException: The WSDL cannot be processed because the remote server’s certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

Action

You will have to use the following command to import the certificate into the default JDK truststore:

keytool -import -trustcacerts -file #PATH TO FILE# -alias appiantest -keystore $JAVA_HOME/jre/lib/security/cacerts

If you’re importing multiple certificates, make sure that the alias is different for each command. The alias can be anything and is just a name in this case.

To verify if the import has been done, run the following command

$JAVA_HOME/bin/keytool -list -keystore ./cacerts | grep “##ALIASNAME##”

The above command (without the | grep “##ALIASNAME##”)can also be used to check what certificates are currently in the truststore. These are the default CA that come up with a standard installation of java.

Affected Versions

This article applies to all versions of Appian with Linux as the underlying operating system.

Last Reviewed: March 2017

Tags: process models, web services