Problem
When running any of the SeaLights agents, you may come across an error related to PKIX/SSL libraries. For example:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake …
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed …
Cause
These errors could point to an issue with creating a secure connection to our server due to a misconfigured or missing certificate.
The missing certificate is often the SeaLights security certificate, but sometimes it is your own corporate certificate.
The instructions below detail the steps required to add the SeaLights certificate to your local Java keystore.
Solution
1. Retrieve the SeaLights certificate from your dashboard:
While logged in, click on the “Lock” icon to the left of your address bar.
Export the certificate to your local machine:
On Windows: In the Details tab, click on Copy to File and ensure the exported certificate is in .cer/.der format
On Mac: Dragging the certificate icon to your desktop will export it
Make sure the certificate you’re downloading is issued by Amazon Web Services. In some organizations, the firewall modifies or replaces the certificate, and importing that replaced certificate leaves you facing the same connectivity issue because the certificate will be marked as invalid. In this case, please contact SeaLights Support to get a copy of the certificate, for example via email.
2. Add the certificate to the Java keystore:
keytool -importcert -alias your-alias -keystore cacerts.jks -file certificate.pem -storepass password
(Optional) Convert the .cer certificate file to .pem format:
In some cases, it may be necessary to convert the exported certificate to PEM format so that it can be loaded into the JKS (Java Key Store). To do so, use the following command:
openssl x509 -inform der -in certificate.cer -out certificate.pem
The SeaLights certificate should be added to any Java keystore that communicates with SeaLights.
3. Validate the certificate was actually imported into the keystore file being used by the JVM with the following command:
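The steps above combined into one script, as an added example that is not SeaLights' own tooling: it refuses to import a certificate whose issuer organization is not Amazon (the firewall-substitution case described in step 1), converts the export to PEM, imports it, and confirms that the keystore entry carries the same SHA-256 fingerprint as the inspected file. The function names, the KS_PASS environment variable, the .checked.pem suffix and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: function names, KS_PASS and paths are assumptions, not SeaLights values.

# Reduce an "openssl x509 -fingerprint" line to upper-case colon-separated hex.
fingerprint_value() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# True when an RFC 2253 issuer string carries the organization "Amazon".
# This is a name check only: it catches a firewall-substituted certificate,
# which normally names the corporate CA as its issuer.
issuer_is_amazon() {
    printf '%s\n' "${1#issuer=}" | grep -Eq '(^|,)O=Amazon(,|$)'
}

# import_checked <exported.cer> <keystore> <alias>; keystore password in $KS_PASS.
import_checked() {
    cer=$1 ks=$2 alias=$3 pem="$1.checked.pem"
    # A browser export is usually DER; fall back to reading it as PEM.
    openssl x509 -inform der -in "$cer" -out "$pem" 2>/dev/null ||
        openssl x509 -in "$cer" -out "$pem" || return 1
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
    if ! issuer_is_amazon "$issuer"; then
        echo "refusing to import, unexpected issuer: $issuer" >&2
        return 2
    fi
    fp=$(fingerprint_value "$(openssl x509 -in "$pem" -noout -fingerprint -sha256)")
    # -storepass:env keeps the password out of the process argument list.
    keytool -importcert -noprompt -alias "$alias" -keystore "$ks" \
        -file "$pem" -storepass:env KS_PASS || return 3
    # Confirm the entry now in the keystore is the certificate that was inspected.
    keytool -list -v -alias "$alias" -keystore "$ks" -storepass:env KS_PASS |
        grep -qF "$fp" || { echo "fingerprint mismatch in $ks" >&2; return 4; }
    echo "imported $alias, SHA-256 $fp"
}

# Runs only when called with three arguments, for example:
#   KS_PASS=... sh import_cert.sh certificate.cer cacerts.jks your-alias
if [ "$#" -eq 3 ]; then import_checked "$@"; fi
```

Point the keystore argument at the keystore file the agent's JVM actually loads; a successful import into a different file leaves the PKIX error in place.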