Importing the remote server SSL certificate for use with the "Access URL", and similar actions (Linux and Windows).

Document created by nelje05 Employee on Mar 26, 2015
Version 1

Importing the remote server SSL certificate (https) for use with the "Access URL", and similar actions.



When you attempt to access a URL that is 'https' using the 'Access URL' action, the agent will fail/halt with an error along the lines of:


"Handshake Failed / PKIX: Unable to build Certificate path..etc etc"


The above is an extremely short summary, but should suffice. Directions for each operating system follow; the procedure is very simple:



Windows Server, or any other variant for that matter:


Section 1 (Grab certificate from site, HTTPS only):



1. Open the site with the SSL certificate you want.

2. After you proceed to the site anyway, open the options for the SSL certificate (for displaying, exporting, etc.) and click the link at the bottom for 'View Certificates'. FYI: This was found just to the right on my address bar.

3. A new menu will pop up. Click the 'Details' tab, and then 'Copy to File' (bottom right in most versions).

4. Now, ensure DER encoded binary X.509 is selected, then hit Next.

5. Put in a path to the desired filename (or browse to the location you want and save), and remember this location.


Section 2 (Install certificate to local jre store for Agent(s)):


1. Open a command prompt (WINDOWSKEY + R, enter 'cmd' without quotes).

2. Switch directories to the jre lib security folder of the Agent. For example, assuming you installed to the default path: cd "\path\to\NolioAgent\jre\lib\security" ( *** NOTE: If you run 'dir' here, you should see a cacerts file in this directory ).

3. Now, import the .cer certificate we exported in the previous section by running the following:


         keytool -importcert -file cert.cer -alias sscert1 -keystore cacerts


4. It will ask you to confirm that you want to import this as trusted, and may ask for a password (unless previously modified) - if so, enter 'changeit'.

5. Restart the deployer/agent and re-attempt running the action, changing nothing in the action's properties. This should be successful.




Linux, any variant for the most part:


Section 1 (Grab certificate from site, HTTPS only):


1. Open the agent, or at least one of them, that will be doing the retrieval via https (SSL/TLS). Switch to the working base installation directory of the agent (e.g. /usr/bin/NolioAgent).

2. Retrieve the SSL certificate from the destination URL using OpenSSL (replace HOST:PORT with the destination server's host name and HTTPS port):


openssl s_client -connect HOST:PORT -showcerts


This will dump the certificate information; you should see an OpenSSL certificate fly by. Just copy/paste the certificate. Here is some proper example output:


3. Then take this and paste it into a file; we can call it blah.crt in our case.

4. Next, we need to import this certificate into the jre cacerts trust store.


a. Run the following:


         keytool -importcert -file blah.crt -alias trustedCertEntry -keystore jre/lib/security/cacerts


When prompted for a password here, enter 'changeit' - the certificate stored in blah.crt from earlier should now be stored in the jre truststore for the agent.


Note: if you have more than 1 deployer that needs to do this as well, simply copy the 'cacerts' file from the last command to the other agent(s), no restart required.



Attempt to access the URL again using the same action, it should now succeed.
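
The Linux steps above as one script, added here as an example and not part of the original document: it pulls the server's own certificate out of the `openssl s_client -showcerts` output, prints its SHA-256 fingerprint so it can be compared with a value obtained from the server's owner before it is trusted, then runs the same `keytool -importcert`. The function names, the argument order and the `SAMPLE_OUTPUT` text are assumptions made for this example.

```shell
# Added example, not from the original document. Function names, the
# argument order and SAMPLE_OUTPUT are assumptions made for illustration.

# Constructed s_client-style output (placeholder bodies, not real certificates).
SAMPLE_OUTPUT='CONNECTED(00000003)
Certificate chain
 0 s:CN = app.example.test
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Test Issuing CA
-----BEGIN CERTIFICATE-----
ISSUER-PLACEHOLDER
-----END CERTIFICATE-----
---'

# Read s_client output on stdin and print only the first PEM block.
# With -showcerts the server's own certificate is listed first (chain entry 0).
extract_leaf_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ { inside = 1 }
       inside                        { print }
       /-----END CERTIFICATE-----/   { if (inside) exit }'
}

# usage: fetch_and_import HOST PORT ALIAS KEYSTORE
fetch_and_import() {
  fi_pem=$(mktemp) || return 1
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
      </dev/null 2>/dev/null | extract_leaf_pem > "$fi_pem"
  [ -s "$fi_pem" ] || { echo "no certificate from $1:$2" >&2; rm -f "$fi_pem"; return 1; }
  # Show what is about to be trusted; compare the fingerprint with one
  # obtained from the server's owner, not from this same connection.
  openssl x509 -in "$fi_pem" -noout -subject -issuer -enddate -fingerprint -sha256
  printf 'Does the fingerprint match the expected value? [y/N] '
  read -r fi_answer
  [ "$fi_answer" = y ] || { echo "not imported" >&2; rm -f "$fi_pem"; return 1; }
  keytool -importcert -file "$fi_pem" -alias "$3" -keystore "$4"; fi_status=$?
  rm -f "$fi_pem"; return "$fi_status"
}

# Runs only when called with arguments: HOST PORT ALIAS [KEYSTORE]
if [ "$#" -ge 3 ]; then
  fetch_and_import "$1" "$2" "$3" "${4:-jre/lib/security/cacerts}"
fi
```

Run it from the agent's base installation directory so the default keystore path resolves; only chain entry 0 is imported, and the other certificates `-showcerts` prints are ignored.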