Information:

Environment

AppMon version    Date
6.5               Sun Oct 28 11:44:30 CET 2018
7.0               Thu Mar 07 11:37:35 CET 2019
7.1               Thu Mar 07 11:37:35 CET 2019

Symptoms

A newly installed AppMon deployment may run into this problem after Sun Oct 28 11:44:30 CET 2018.


The Frontend Server does not connect to the Backend Server, the Collector does not connect to the Backend Server, the Backend Server does not connect to the Memory Analysis Server, and log entries similar to those below can be found in the corresponding logs:

FrontendServer.0.0.log

2018-10-29 14:07:25 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:2031_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:154
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:07:25 SEVERE [ImportCertificateStrategy] client did not accepted ssl client certificates. will not establish trust for [localhost:2031_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:165
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:07:25 WARNING [DynaTraceSSLSocketFactory] Unable to connect to :2031 probably untrusted certificate: com.dynatrace.diagnostics.communication.tcp.socket.ssl.DynaTraceSSLSocketFactory openAndConnectSocket:336
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: client did not accepted ssl client certificates. will not establish trust for [localhost:2031_client]



Server.0.0.log when trying to connect to Dynatrace Memory Analysis Server

2018-10-29 14:18:53 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [127.0.0.1:7788_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:154
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:18:53 SEVERE [ImportCertificateStrategy] client did not accepted ssl client certificates. will not establish trust for [127.0.0.1:7788_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:165
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:18:53 WARNING [DynaTraceSSLSocketFactory] Unable to connect to 127.0.0.1:7788 probably untrusted certificate: com.dynatrace.diagnostics.communication.tcp.socket.ssl.DynaTraceSSLSocketFactory openAndConnectSocket:336
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: client did not accepted ssl client certificates. will not establish trust for [127.0.0.1:7788_client]



Collector.0.0.log

2018-10-29 14:21:53 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:6699_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:154
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:21:53 SEVERE [ImportCertificateStrategy] client did not accepted ssl client certificates. will not establish trust for [localhost:6699_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:165
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:21:53 WARNING [DynaTraceSSLSocketFactory] Unable to connect to localhost:6699 probably untrusted certificate: com.dynatrace.diagnostics.communication.tcp.socket.ssl.DynaTraceSSLSocketFactory openAndConnectSocket:336
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: client did not accepted ssl client certificates. will not establish trust for [localhost:6699_client]
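
To triage which connections are failing for this reason, the following added example (not part of the original article or of AppMon) scans log lines for the expired-certificate signature shown above and groups the hits by endpoint. The function name is hypothetical and the sample lines are constructed, with the logger class name shortened.

```python
import re
from datetime import datetime

# Header line logged for an expired peer certificate (format as in the excerpts above).
EXPIRED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SEVERE \[ImportCertificateStrategy\] "
    r"certificate is expired and not already accepted for \[(.+?)_client\]")
# Exception line that follows it, e.g. "NotAfter: Sun Oct 28 11:44:30 CET 2018".
NOT_AFTER_RE = re.compile(
    r"CertificateExpiredException: NotAfter: "
    r"(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\d{4})$")

# Constructed sample modeled on the excerpts above; not a real capture.
SAMPLE_LOG = """\
2018-10-29 14:07:25 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:2031_client]: handleExpiredCertificate:154
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018
2018-10-29 14:07:25 SEVERE [ImportCertificateStrategy] client did not accepted ssl client certificates. will not establish trust for [localhost:2031_client]: handleExpiredCertificate:165
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018
2018-10-29 14:08:25 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:2031_client]: handleExpiredCertificate:154
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018
2018-10-29 14:21:53 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:6699_client]: handleExpiredCertificate:154
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018
2018-10-29 14:22:00 INFO [Collector] unrelated line
"""

def find_expired_cert_failures(lines):
    """Return {endpoint: {"not_after", "zone", "first_seen", "hits"}}."""
    findings = {}
    pending = None  # (endpoint, log timestamp) waiting for its NotAfter line
    for line in lines:
        head = EXPIRED_RE.match(line)
        if head:
            pending = (head.group(2), datetime.strptime(head.group(1), "%Y-%m-%d %H:%M:%S"))
            continue
        tail = NOT_AFTER_RE.search(line.rstrip())
        if tail and pending:
            endpoint, seen = pending
            # Zone abbreviation is kept as text; strptime's %Z is platform dependent.
            not_after = datetime.strptime(f"{tail.group(1)} {tail.group(3)}", "%a %b %d %H:%M:%S %Y")
            entry = findings.setdefault(endpoint, {
                "not_after": not_after, "zone": tail.group(2), "first_seen": seen, "hits": 0})
            entry["hits"] += 1
        pending = None  # a NotAfter line only counts directly after its header line
    return findings

if __name__ == "__main__":
    for endpoint, info in find_expired_cert_failures(SAMPLE_LOG.splitlines()).items():
        print(endpoint, info["not_after"], info["zone"], "hits:", info["hits"])
```

Each connection attempt is counted once: the second SEVERE line of an attempt ("client did not accepted ...") repeats the same exception and is deliberately not matched.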
Solution

  • Download the AppMon KeyTool here
  • The affected component(s) must have been started once; stop the component before applying the fix.
  • Extract appmon-keytool.zip
  • Open a command prompt (cmd) as Administrator
  • Change into the appmon-keytool\bin folder
  • Run the AppMon KeyTool, for example: c:\appmon-keytool\bin>appmon-keytool.bat "C:\Program Files\Dynatrace\Dynatrace 6.5\server\conf" (Hint: The JRE running the AppMon KeyTool must have the same security policy as the JRE running the AppMon server, most likely limited; otherwise a corresponding error message is logged.)

Sample console output:

Okt 29, 2018 3:58:09 PM com.dynatrace.diagnostics.keystore.security.SecurityProvider ensureBCProviderIsAvailable
INFO: Security provider 'BC' has been added successfully at pos 11
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
INFO: Successfully added newly generated private key and certificates to ServerKeyStore
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
INFO: Successfully added newly generated private key and certificates to FrontendServerKeyStore
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
INFO: Successfully added newly generated private key and certificates to AnalysisServerKeyStore
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
SEVERE: Failed to add newly generated private key and certificates to CollectorKeyStore: Keystore files do not exist.
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
SEVERE: Failed to add newly generated private key and certificates to ClientKeyStore: Keystore files do not exist.

Root Cause

The shipped certificate is expired and thus no connection can be established for non-interactive components.

 

 
