Importing the remote server SSL certificate (HTTPS) for use with the "Access URL" and similar actions.
When you attempt to access a URL that is 'https' using the 'Access URL' action, the agent will fail/halt with an error along the lines of:
"Handshake Failed / PKIX: Unable to build Certificate path..etc etc"
The above is an extremely short summary, but should suffice. Directions are here, for each operating system - very simple procedure:
Windows Server, or any other variant for that matter:
Section 1 (Grab certificate from site, HTTPS only):
1. Open the site with the SSL certificate you want.
2. After you proceed to the site anyway, open the options for the SSL certificate (for displaying, exporting, etc.) and click the link at the bottom for 'View Certificates'. FYI: This was found just to the right on my address bar.
3. A new menu will pop up. Click the 'Details' tab, and then 'Copy to File' (bottom right in most versions).
4. Now, ensure DER encoded binary X.509 is selected, then hit Next.
5. Put in a path to the desired filename (or browse to the location you want and save) - remember this location of course.
Section 2 (Install certificate to local jre store for Agent(s)):
1. Open a command prompt (WINDOWSKEY + R, enter 'cmd' no quotes)
2. Switch directories to the jre lib security folder of the Agent, for example, assuming you are installed in the default path: cd "\path\to\NolioAgent\jre\lib\security" ( *** NOTE: If you run 'dir' here, you should see a cacerts file in this directory ).
3. Now, import the .cer certificate we exported in the previous section, simply run the following:
keytool -importcert -file cert.cer -alias sscert1 -keystore cacerts
4. It will verify you want to import this as trusted, and may ask for a password(unless previously modified) - if so, enter 'changeit'
5. Restart the deployer/agent, then re-attempt running the action without changing anything in the action's properties. This should be successful.
Linux, any variant for the most part:
Section 1 (Grab certificate from site, HTTPS only):
1. Open a shell on the agent, or at least one of them, that will be doing the retrieval via https (SSL/TLS). Switch to the base installation directory of the agent (e.g. /usr/bin/NolioAgent).
2. Retrieve the SSL certificate from the destination URL using OpenSSL:
openssl s_client -connect website.com:443 -showcerts
This will dump the certificate information. You should see a certificate block in the output; copy it, including the BEGIN and END lines. It has this form:
-----BEGIN CERTIFICATE-----
(base64-encoded certificate data)
-----END CERTIFICATE-----
3. Then take this and paste it into a file. We can call it blah.crt in our case.
4. Next, we need to import this certificate into the jre cacerts trust store.
a. Run the following:
1. keytool -importcert -file blah.crt -alias trustedCertEntry -keystore jre/lib/security/cacerts
When prompted for a password here, enter 'changeit'. The certificate stored in blah.crt from earlier should now be stored in the jre truststore for the agent.
Note: if you have more than 1 deployer that needs to do this as well, simply copy the 'cacerts' file from the last command to the other agent(s), no restart required.
Attempt to access the URL again using the same action, it should now succeed.
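A scripted form of the Linux steps above, as an added example that is not part of the original article: it picks one certificate out of the -showcerts output instead of copy/paste, prints its SHA-256 fingerprint so it can be compared with a value obtained from the server's owner, then runs the keytool import. The function names, the constructed sample output and the script name import_cert.sh are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original article.

# extract_cert N: print the Nth PEM certificate block from stdin.
# -showcerts lists the server's own certificate first, then the chain.
extract_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n == want           { print }
        /-----END CERTIFICATE-----/   { inside = 0 }
    '
}

# count_certs: how many certificates the output on stdin contains.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----'
}

# Constructed sample of s_client output; bodies are placeholders.
sample_output() {
    cat <<'EOF'
Certificate chain
 0 s:CN = website.com
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
---
EOF
}

# fetch_and_import HOST ALIAS [KEYSTORE]: run from the agent install directory.
fetch_and_import() {
    host="$1"; cert_alias="$2"; keystore="${3:-jre/lib/security/cacerts}"
    openssl s_client -connect "${host}:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | extract_cert 1 > "$cert_alias.crt"
    [ -s "$cert_alias.crt" ] || { echo "no certificate from $host" >&2; return 1; }
    # Compare this fingerprint with one from the server's owner before trusting.
    openssl x509 -in "$cert_alias.crt" -noout -subject -issuer -fingerprint -sha256
    keytool -importcert -file "$cert_alias.crt" -alias "$cert_alias" -keystore "$keystore"
}

# Runs only when arguments are given, e.g.: sh import_cert.sh website.com sscert1
if [ "$#" -ge 2 ]; then fetch_and_import "$@"; fi
```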