Vault and AD Connector registration fails due to Proxy server certificate requirement


During Vault or AD Connector registration, you may encounter an error caused by a proxy server certificate that is not in place. This article explains how to troubleshoot and resolve the issue.

How to identify the problem

You might encounter the following error during Vault / AD Connector registration: PKIX path building failed: unable to find valid certification path to requested target

Log phrase to look for:  "unable to find valid certification path to requested target"

What caused this problem?

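The proxy server is intercepting SSL traffic between the client and the server. The certificate it presents is signed by the proxy's own root CA, which is not in the application's trusted CA certificate store, so the certification path cannot be validated.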

Explanation taken from Charles Proxy website:

"Instead of your browser seeing the server’s certificate, the Proxy dynamically generates a certificate for the server and signs it with its own root certificate (the Proxy CA Certificate). The Proxy receives the server’s certificate, while your browser receives the Proxy’s certificate. Therefore you will see a security warning, indicating that the root authority is not trusted. If you add the Proxy CA Certificate to your trusted certificates you will no longer see any warnings"

How do I resolve this problem?

To resolve this problem, install the proxy server's root CA certificate into the application's trusted CA certificate store. You can do this by running the following command (shown here with the AD Connector paths):

"C:\Program Files\Cibecs\ADConnector\jre\bin\keytool" -importcert -trustcacerts -keystore "C:\Program Files\Cibecs\ADConnector\jre\lib\security\cacerts" -alias proxyCert -file proxyCaCert.pem

Check if the problem has been fixed

If the problem has been fixed successfully, then you should be able to register the application with Endpoint Cloud.
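
The import step above, wrapped with the checks worth making before trusting a new root CA, as an added PowerShell example (not part of the original article or of the product). It assumes proxyCaCert.pem is in the current directory and that the proxy administrator has supplied the CA's SHA-256 fingerprint out of band; the variable names and the backup file name are illustrative.

```powershell
# Added example. Run from an elevated prompt: the keystore lives under Program Files.
$jre      = 'C:\Program Files\Cibecs\ADConnector\jre'   # path from the article's command
$keytool  = Join-Path $jre 'bin\keytool.exe'
$cacerts  = Join-Path $jre 'lib\security\cacerts'
$certFile = (Resolve-Path '.\proxyCaCert.pem').Path      # assumed location of the CA file
$alias    = 'proxyCert'
# Placeholder: replace with the fingerprint obtained from your proxy administrator.
$expected = '<SHA-256 fingerprint of the proxy root CA>'

# Load the certificate and hash its DER encoding (this matches keytool's SHA256 fingerprint).
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''

# A certificate going into a CA trust store should carry basicConstraints CA=TRUE.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}

"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Valid     : $($cert.NotBefore) to $($cert.NotAfter)"
"SHA-256   : $actual"

# Refuse to import anything that is not the certificate you were told to expect.
if (($expected -replace '[:\s]', '') -ne $actual) {
    throw 'Fingerprint does not match the value supplied for the proxy CA; not importing.'
}
if (-not ($bc -and $bc.CertificateAuthority)) {
    throw 'Certificate is not marked as a CA (basicConstraints); not importing.'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period; not importing.'
}

# Keep a copy of the trust store so the change can be rolled back.
Copy-Item $cacerts "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# Same import as the article's command; keytool prompts for the keystore password.
& $keytool -importcert -trustcacerts -keystore $cacerts -alias $alias -file $certFile
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Confirm the entry is present under the expected alias.
& $keytool -list -keystore $cacerts -alias $alias
if ($LASTEXITCODE -ne 0) { throw "Alias '$alias' was not found in the keystore after import." }
```

A running JVM normally reads cacerts only at start-up, so restart the application before retrying registration.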


Knowledgebase articles:

You can find out about the AD Connector in this article:

Active Directory Connector - Overview