[Java] PKIX sun.security.provider.certpath.SunCertPathBuilderException

After application startup the newrelic_agent.log file is created (which is fine, I guess), but this is the content of the file:

2020-11-10T01:52:34,520+0000 [1 1] com.newrelic INFO: Writing to New Relic log file: /opt/logs/newrelic_agent.log
2020-11-10T01:52:34,524+0000 [1 1] com.newrelic INFO: JRE vendor AdoptOpenJDK version 11.0.9
2020-11-10T01:52:34,525+0000 [1 1] com.newrelic INFO: JVM vendor AdoptOpenJDK OpenJDK 64-Bit Server VM version 11.0.9+11
2020-11-10T01:52:34,525+0000 [1 1] com.newrelic INFO: OS Linux version 4.15.0-48-generic arch amd64
2020-11-10T01:52:34,526+0000 [1 1] com.newrelic INFO: Agent Host: 08fcc6a22fed IP: 172.25.0.3
2020-11-10T01:52:34,526+0000 [1 1] com.newrelic INFO: New Relic Agent v6.1.0 is initializing…
2020-11-10T01:52:36,382+0000 [1 15] com.newrelic INFO: Instrumentation com.newrelic.instrumentation.jdbc-resultset is disabled. Skipping.
2020-11-10T01:52:39,819+0000 [1 1] com.newrelic.agent.RPMServiceManagerImpl INFO: Configured to connect to New Relic at collector.eu01.nr-data.net:443
2020-11-10T01:52:41,154+0000 [1 1] com.newrelic INFO: Setting audit_mode to false
2020-11-10T01:52:42,247+0000 [1 1] com.newrelic.agent.config.ConfigServiceImpl INFO: Configuration file is /opt/./newrelic.yml
2020-11-10T01:52:42,305+0000 [1 1] com.newrelic INFO: New Relic Agent v6.1.0 has started
2020-11-10T01:52:42,306+0000 [1 1] com.newrelic INFO: Agent class loader: com.newrelic.bootstrap.BootstrapAgent$JVMAgentClassLoader@6c49835d
2020-11-10T01:52:42,306+0000 [1 1] com.newrelic INFO: Premain startup complete in 9,518ms
2020-11-10T01:53:16,923+0000 [1 1] com.newrelic INFO: Server Info: Apache Tomcat/9.0.16
2020-11-10T02:54:17,291+0100 [1 34] com.newrelic INFO: Host name is 08fcc6a22fed, display host 08fcc6a22fed for application [XXXXX]
2020-11-10T02:54:17,691+0100 [1 34] com.newrelic INFO: Unable to connect to New Relic due to an SSL error. Consider enabling -Djavax.net.debug=all to debug your SSL configuration such as your trust store.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:350) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:293) ~[?:?]

What I’ve tried so far:

  • use_private_ssl option in yml
  • use another cacerts file
  • importing digicert.pem into my keystore
  • set ca_bundle_path

What else can I try?

Hi @kontakt16,

Sorry you’re running into issues! The good news is that since we’re seeing a log file created, then we know the agent is able to start. As you noticed, the error is related to SSL configurations.

I see you’re using version 6.1.0 and have an EU account. We made some changes to SSL certificates in 6.1.0, such as removing use_private_ssl. Long story short, we reverted that change in 6.2.0. We also fixed an issue with EU certs.

My advice is:

A) Use the latest Java agent version or one that is 6.2.1 or above instead because it fixed the aforementioned issues with SSL certs.

B) Follow the guide here to either use the bundled certs or set your own.
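
A triage sketch for the situation in this thread, added here as an example and not part of the original posts or New Relic's code: it scans an agent log for the PKIX failure and compares the logged agent version against the 6.2.1 threshold given in the reply. The `triage` function, its result keys and the advice strings are assumptions for illustration; the sample log is constructed from lines quoted in the question.

```python
import re

# Constructed sample: lines abridged from the agent log quoted in the question above.
SAMPLE_LOG = """\
2020-11-10T01:52:34,526+0000 [1 1] com.newrelic INFO: New Relic Agent v6.1.0 is initializing...
2020-11-10T01:52:39,819+0000 [1 1] com.newrelic.agent.RPMServiceManagerImpl INFO: Configured to connect to New Relic at collector.eu01.nr-data.net:443
2020-11-10T02:54:17,691+0100 [1 34] com.newrelic INFO: Unable to connect to New Relic due to an SSL error.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""

VERSION_RE = re.compile(r"New Relic Agent v(\d+(?:\.\d+)*)")
COLLECTOR_RE = re.compile(r"Configured to connect to New Relic at (\S+?):(\d+)")
PKIX_MARKER = "PKIX path building failed"
FIXED_IN = (6, 2, 1)  # per the reply: 6.2.1 or above carries the SSL cert fixes


def triage(log_text):
    """Summarise agent version, collector endpoint and PKIX failures in an agent log."""
    result = {"version": None, "collector": None, "pkix_failures": 0, "advice": None}
    for line in log_text.splitlines():
        # First version banner wins; later banners repeat the same value.
        if result["version"] is None and (m := VERSION_RE.search(line)):
            result["version"] = tuple(int(p) for p in m.group(1).split("."))
        if m := COLLECTOR_RE.search(line):
            result["collector"] = (m.group(1), int(m.group(2)))
        if PKIX_MARKER in line:
            result["pkix_failures"] += 1
    if result["pkix_failures"] == 0:
        result["advice"] = "no PKIX failure logged"
    elif result["version"] is not None and result["version"] < FIXED_IN:
        # Tuple comparison treats 6.2 as older than 6.2.1, which is the intent.
        result["advice"] = "upgrade agent to 6.2.1 or later"
    else:
        # Version already at or past the fix (or unknown): look at the trust store.
        result["advice"] = "check trust store / ca_bundle_path"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
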