[Java] Unable to connect to New Relic due to an SSL error - Javaagent 6.4.2

I am getting the error below on startup. I'm using newrelic-agent-6.4.2.jar and have added certificates (DigiCert Root & one.newrelic.com) to the JDK truststore.

I tried the following ways to avoid the error:

  1. use_private_ssl = true: threw a certificate expired error and then a PKIX SunCertPathBuilderException

  2. ca_bundle_path: certfile.pem

  3. When I do not use the above two options, I do not get the certificate expired message, but it still throws: Failed to connect to collector.newrelic.com:443 for POSSpringBootTemplate: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Here are the DigiCert Root certificate details from my JDK truststore:

Alias name: newrelic.com
Creation date: Apr 30, 2021
Entry type: trustedCertEntry

Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 83be056904246b1a1756ac95991c74a
Valid from: Fri Nov 10 05:30:00 IST 2006 until: Mon Nov 10 05:30:00 IST 2031
Certificate fingerprints:
	 MD5:  79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
	 SHA1: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
	 SHA256: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
] 

2021-05-03T08:26:43,146+0000 [1 30] com.newrelic INFO: Unable to connect to New Relic due to an SSL error. Consider enabling -Djavax.net.debug=all to debug your SSL configuration such as your trust store.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:1.8.0_275]


*******************************************
*******************************************


Alias name: one.newrelic.com.cer
Creation date: May 4, 2021
Entry type: trustedCertEntry

Owner: CN=*.newrelic.com, O="New Relic, Inc.", L=San Francisco, ST=California, C=US
Issuer: CN="Zscaler Intermediate Root CA (zscaler.net) (t) ", OU=Zscaler Inc., O=Zscaler Inc., ST=California, C=US
Serial number: 608eabe9d57e749a4a212b1196c4eed6
Valid from: Sat May 01 09:44:01 IST 2021 until: Sat May 15 09:44:01 IST 2021
Certificate fingerprints:
	 MD5:  31:18:22:48:81:E1:F9:64:66:D0:AA:80:2A:CA:B1:05
	 SHA1: 08:BF:D6:C2:23:27:70:56:8B:16:81:97:EB:A8:AA:C5:10:DC:0B:9F
	 SHA256: 63:10:54:2F:EA:0D:79:C6:FC:A6:DD:EE:68:F3:89:81:41:7C:34:0E:46:7C:1D:84:07:2F:D1:FC:20:32:B9:AD
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
0000: 04 81 F3 00 F1 00 77 00   46 A5 55 EB 75 FA 91 20  ......w.F.U.u.. 
0010: 30 B5 A2 89 69 F4 F3 7D   11 2C 41 74 BE FD 49 B8  0...i....,At..I.
0020: 85 AB F2 FC 70 FE 6D 47   00 00 01 77 E0 00 D3 00  ....p.mG...w....
0030: 00 00 04 03 00 48 30 46   02 21 00 BA 96 AD E3 75  .....H0F.!.....u
0040: 10 74 05 89 7D A7 72 A0   E2 D1 A3 E0 39 95 40 48  .t....r.....9.@H
0050: 83 4A 6E 53 21 FC F9 5E   82 16 1C 02 21 00 B9 4F  .JnS!..^....!..O
0060: 25 50 DD 97 B3 09 A8 D1   DE F9 0D 20 5F E5 AE 5E  %P......... _..^
0070: 90 3F D1 0E 33 41 8E 8C   A3 01 A3 F9 11 1D 00 76  .?..3A.........v
0080: 00 22 45 45 07 59 55 24   56 96 3F A1 2F F1 F7 6D  ."EE.YU$V.?./..m
0090: 86 E0 23 26 63 AD C0 4B   7F 5D C6 83 5C 6E E2 0F  ..#&c..K.]..\n..
00A0: 02 00 00 01 77 E0 00 D2   DE 00 00 04 03 00 47 30  ....w.........G0
00B0: 45 02 21 00 86 07 E4 C6   05 55 4D 2C 47 7C 54 48  E.!......UM,G.TH
00C0: 20 04 45 58 CE 39 52 9F   06 01 E8 04 72 3D E8 97   .EX.9R.....r=..
00D0: C4 9E 72 84 02 20 19 3D   8E 3C 59 A1 F3 30 FC 1B  ..r.. .=.<Y..0..
00E0: F2 5C FF AF 46 B2 14 79   8E 77 22 65 EB F9 31 70  .\..F..y.w"e..1p
00F0: 1E 04 BC 86 B6 DB                                  ......


#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
 [URIName: http://gateway.zscaler.net/zscaler-zscrl--4.crl]
]]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#5: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#6: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.newrelic.com
  DNSName: newrelic.com
]

*******************************************
*******************************************

Please let me know what I'm missing here. Thanks.

I tried changing the New Relic agent version to 6.5.0, removed the use_private_ssl property from newrelic.yaml, and added the [DigiCert Global Root CA] PEM to the JDK truststore.

Unfortunately, I still get an SSL error.

2021-05-05T10:14:25,272+0000 [1 30] com.newrelic INFO: Unable to connect to New Relic due to an SSL error. Consider enabling -Djavax.net.debug=all to debug your SSL configuration such as your trust store.
templateapp_1  | javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am able to curl https://one.newlic.com successfully from the machine, just FYI.

I start my application using docker compose. Do I have to add the certificates while building the docker image?

Is there anything additional to be done to connect? Please share your thoughts.
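A note on what the posted keytool listing shows: the one.newrelic.com.cer entry is a leaf certificate for *.newrelic.com issued by "Zscaler Intermediate Root CA", not by DigiCert, and it is valid for only two weeks. PKIX path building succeeds only when the CA that signed the certificate the JVM actually receives is a trust anchor, so trusting a short-lived leaf (or a DigiCert root that is not in the presented chain) does not help. The diagnostic below is example code added here, not New Relic's agent code and not from the poster. It performs one probe handshake that records whatever chain the server presents, prints each subject and issuer, and then validates that chain against a truststore with the same PKIX trust manager the agent's HTTPS client uses, so the failing issuer is named explicitly. The host collector.newrelic.com and port 443 come from the posted log; the default cacerts path and the password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (example code, not the New Relic agent's): shows the
 * certificate chain a host presents to this JVM and tests it against a
 * truststore with the JVM's own PKIX trust manager.
 *
 * Usage: java ChainCheck [host] [truststore-path] [truststore-password]
 * Defaults (assumed): collector.newrelic.com, this JVM's cacerts, "changeit".
 */
public class ChainCheck {

    /** Accepts anything during the probe handshake; it only records what the server sent. */
    static final class RecordingTrustManager implements X509TrustManager {
        X509Certificate[] presented = new X509Certificate[0];
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { presented = chain; }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Handshakes once with the recording trust manager and returns the presented chain. */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        RecordingTrustManager recorder = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            // Send SNI so an intercepting proxy or multi-host endpoint returns the right chain.
            params.setServerNames(Collections.singletonList(new SNIHostName(host)));
            sock.setSSLParameters(params);
            sock.startHandshake();
        }
        return recorder.presented;
    }

    static KeyStore loadTrustStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Returns null when the chain validates against the store, otherwise the PKIX error text. */
    static String validate(X509Certificate[] chain, KeyStore trust) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return null;
                } catch (CertificateException e) {
                    return e.getMessage();
                }
            }
        }
        return "no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "collector.newrelic.com";
        String store = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";   // assumed default location
        String pass = args.length > 2 ? args[2] : "changeit";                   // assumed default password

        X509Certificate[] chain = fetchChain(host, 443);
        System.out.println("Chain presented by " + host + " (" + chain.length + " certs):");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            System.out.printf("  [%d] subject=%s%n      issuer=%s%n      notAfter=%s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal(), c.getNotAfter());
        }
        // The issuer of the last presented certificate is the CA the truststore must contain.
        X509Certificate top = chain[chain.length - 1];
        System.out.println("Chain anchors at issuer: " + top.getIssuerX500Principal());

        String err = validate(chain, loadTrustStore(store, pass));
        System.out.println(err == null
                ? "OK: chain validates against " + store
                : "FAIL against " + store + ": " + err);
    }
}
```

Run it with the same java binary the application uses; when the application is started from a Docker image, that means running it inside the container, because the image's JDK has its own cacerts that is separate from the host's, which is also why a host-side curl succeeding says nothing about the container's trust store. If the printed top issuer is a Zscaler CA, the certificate to import is that CA (and its intermediate), obtained from whoever operates the proxy, with `keytool -importcert -trustcacerts -noprompt -alias <name> -file <ca.pem> -keystore <cacerts> -storepass <password>`; importing the two-week leaf would stop working at its expiry. The validate() call deliberately passes no socket, so it checks path building only, the same step that fails in the posted stack trace, without hostname verification.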