Celonis Product Documentation

Fixing 'unable to find valid certification path' errors

If your Extractor status is 'unlinked' and you see errors in your extractor log such as:

2019-09-24 23:55:27.060  INFO 25627 --- [uplink-thread-0] c.celonis.uplink.manager.UplinkManager   : Uplink could not connect: I/O error on POST request for "https://team.eu-1.celonis.cloud/uplink/api/public/uplink": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target --EOM--

There are a couple of possible causes, but the first one outlined below is by far the most likely:

  1. Your network overrides the standard certificates with its own when communicating with Celonis EMS:

    1. Ask your network administrators whether there is a proxy server that overrides the certificates, and request the root CA and intermediate certificate files. Alternatively, you can access the Celonis EMS in a browser from the extractor server and export the certificates from there.

    2. Follow the instructions in the section below, Importing the Certificates, to import them.

  2. Your Java package may not come with the root and intermediate CA certificates necessary to communicate with the Celonis EMS over HTTPS.

    1. Visit https://letsencrypt.org/certificates/ and download the active root certificate and one of the active and backup intermediate certificates. Save them somewhere accessible by the Extractor Server.

    2. Follow the instructions in the section below, Importing the Certificates, to import them.

Importing the Certificates

From the command line on the extractor server, execute the following commands as an administrator, then restart the Extractor.

keytool -v -cacerts -storepass changeit -importcert -alias cel_root.pem -file ~/path/to/root_cert_file
keytool -v -cacerts -storepass changeit -importcert -alias cel_inter.pem -file ~/path/to/intermediate_cert_file

Note

  • If the 'keytool' command cannot be found, first change directory to '/path/to/java/bin'

  • 'changeit' is Java's default keystore password. Use your own if you have changed it.
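
Importing a certificate into cacerts makes the JVM trust every certificate that CA signs, so it is worth confirming that each file is the one you were given before running the keytool commands above. The script below is an added example, not part of the Celonis documentation: it computes the SHA-256 fingerprint of a PEM file (the same value keytool prints on its "SHA256:" line) and compares it with a fingerprint obtained out of band, for example from your network administrators. It assumes GNU coreutils (base64, sha256sum); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a PEM certificate's SHA-256 fingerprint before
# importing it into cacerts. Assumes GNU coreutils (base64, sha256sum).

# Print the SHA-256 of the first certificate in a PEM file as lowercase hex.
# The hash is taken over the DER bytes, as keytool does for "SHA256:".
pem_sha256() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/ {inside=1; next}
                /-----END CERTIFICATE-----/   {exit}
                inside {print}' "$1" | tr -d ' \r\n')
    # No certificate block found, or the block is not valid base64.
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Normalise a fingerprint: drop colons and whitespace, lowercase the hex,
# so "AB:CD:..." (keytool/browser style) and "abcd..." compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# Return 0 only if the file's fingerprint equals the expected one.
check_cert() {
    actual=$(pem_sha256 "$1") || return 2
    expected=$(norm_fp "$2")
    [ "$actual" = "$expected" ]
}

# Stand-alone use: ./check_cert.sh <cert.pem> <expected-sha256-fingerprint>
if [ "$#" -eq 2 ]; then
    if check_cert "$1" "$2"; then
        echo "fingerprint matches: $1 can be imported"
    else
        echo "fingerprint MISMATCH or unreadable certificate: do not import $1" >&2
        exit 1
    fi
fi
```

Run it once for the root file and once for the intermediate file, and only import the files that match.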