Fixing 'unable to find valid certification path' errors
If your Extractor status is 'unlinked' and you see errors in your extractor log such as:
2019-09-24 23:55:27.060 INFO 25627 --- [uplink-thread-0] c.celonis.uplink.manager.UplinkManager : Uplink could not connect: I/O error on POST request for "https://team.eu-1.celonis.cloud/uplink/api/public/uplink": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target --EOM--
There are a couple of possible causes but the first one outlined below is by far the most likely:
Your network overrides the standard certificates with its own when communicating with Celonis EMS:
Ask your network administrators whether a proxy server overrides the certificates, and request the root CA and intermediate certificate files. Alternatively, you can access the Celonis EMS in a browser from the extractor server and export the certificates from there.
Follow the instruction below - Importing Certificates - to import them.
Your Java package may not come with the root and intermediate CA certificates necessary to communicate with the Celonis EMS over HTTPS.
Visit https://letsencrypt.org/certificates/ and download the active root certificate and one of the active and backup intermediate certificates. Save them somewhere accessible by the Extractor Server
Follow the instruction in the section below - Importing Certificates - to import them
Importing the Certificates
From the command line on the extractor, server execute the following commands as an administrator. Restart the Extractor.
keytool -v -cacerts -storepass changeit -importcert -alias cel_root.pem -file ~/path/to/root_cert_file keytool -v -cacerts -storepass changeit -importcert -alias cel_inter.pem -file ~/path/to/intermediate_cert_file
Note
If the 'keytool' command cannot be found, first change directory to '/path/to/java/bin'
'changeit' is java's default keystore password, please use your own if you have changed it