Enter Case number reference for associated cases.

Ticket #

Type: dynaTrace

Include any information that is for INTERNAL use only

https://dev-jira.dynatrace.org/browse/JLT-222775
https://dev-jira.dynatrace.org/browse/JLT-225727
https://dev-jira.dynatrace.org/browse/JLT-225749

Information:

Detail the contextual information specific to the issue; i.e. Product, Version, Agent, System, etc.

AppMon version    Date
6.5               Sun Oct 28 11:44:30 CET 2018
7.0, 7.1          Thu Mar 07 11:37:35 CET 2019

Describe the problem, from the user perspective

A newly installed AppMon deployment may run into this problem after Sun Oct 28 11:44:30 CET 2018 (version 6.5) and after Thu Mar 07 11:37:35 CET 2019 (versions 7.0 and 7.1).


The Frontend Server does not connect to the Backend Server, the Collector does not connect to the Backend Server, the Backend Server does not connect to the Memory Analysis Server, and log entries similar to those below can be found in the corresponding logs:

FrontendServer.0.0.log

2018-10-29 14:07:25 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:2031_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:154
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:07:25 SEVERE [ImportCertificateStrategy] client did not accepted ssl client certificates. will not establish trust for [localhost:2031_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:165
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:07:25 WARNING [DynaTraceSSLSocketFactory] Unable to connect to :2031 probably untrusted certificate: com.dynatrace.diagnostics.communication.tcp.socket.ssl.DynaTraceSSLSocketFactory openAndConnectSocket:336
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: client did not accepted ssl client certificates. will not establish trust for [localhost:2031_client]


Server.0.0.log when trying to connect to Dynatrace Memory Analysis Server

2018-10-29 14:18:53 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [127.0.0.1:7788_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:154
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:18:53 SEVERE [ImportCertificateStrategy] client did not accepted ssl client certificates. will not establish trust for [127.0.0.1:7788_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:165
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:18:53 WARNING [DynaTraceSSLSocketFactory] Unable to connect to 127.0.0.1:7788 probably untrusted certificate: com.dynatrace.diagnostics.communication.tcp.socket.ssl.DynaTraceSSLSocketFactory openAndConnectSocket:336
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: client did not accepted ssl client certificates. will not establish trust for [127.0.0.1:7788_client]


Collector.0.0.log

2018-10-29 14:21:53 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:6699_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:154
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:21:53 SEVERE [ImportCertificateStrategy] client did not accepted ssl client certificates. will not establish trust for [localhost:6699_client]: com.dynatrace.diagnostics.httpclient.ssl.ImportCertificateStrategy handleExpiredCertificate:165
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018

2018-10-29 14:21:53 WARNING [DynaTraceSSLSocketFactory] Unable to connect to localhost:6699 probably untrusted certificate: com.dynatrace.diagnostics.communication.tcp.socket.ssl.DynaTraceSSLSocketFactory openAndConnectSocket:336
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: client did not accepted ssl client certificates. will not establish trust for [localhost:6699_client]
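
To confirm which connections are affected, the log entries above can be summarized per endpoint. The following is an added example, not part of the original article or of AppMon: it pairs each "certificate is expired" entry with the NotAfter line that follows it. The sample log is constructed in the format shown above, the function name is hypothetical, and log timestamps are assumed to be in the same time zone as the NotAfter value.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log excerpts above (lines shortened).
SAMPLE_LOG = """\
2018-10-29 14:07:25 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:2031_client]: ...
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018
2018-10-29 14:07:25 SEVERE [ImportCertificateStrategy] client did not accepted ssl client certificates. will not establish trust for [localhost:2031_client]: ...
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018
2018-10-29 14:07:25 WARNING [DynaTraceSSLSocketFactory] Unable to connect to :2031 probably untrusted certificate: ...
2018-10-29 14:21:53 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:6699_client]: ...
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018
2018-10-29 14:22:53 SEVERE [ImportCertificateStrategy] certificate is expired and not already accepted for [localhost:6699_client]: ...
java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 28 11:44:30 CET 2018
"""

EXPIRED = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SEVERE \[ImportCertificateStrategy\] "
    r"certificate is expired and not already accepted for \[(.*?):(\d+)_client\]")
NOT_AFTER = re.compile(
    r"CertificateExpiredException: NotAfter: \w{3} (\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ (\d{4})")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def find_expired_endpoints(log_text):
    """Map (host, port) -> not_after, first_seen, expired_for and event count."""
    findings, pending = {}, None
    for line in log_text.splitlines():
        m = EXPIRED.match(line)
        if m:  # remember the endpoint; the NotAfter date is on the next line
            seen = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            pending = (m.group(2), int(m.group(3)), seen)
            continue
        n = NOT_AFTER.search(line)
        if n and pending:
            mon, day, hh, mm, ss, year = n.groups()
            # Time zone token is ignored (assumption: same zone as the log).
            not_after = datetime(int(year), MONTHS[mon], int(day),
                                 int(hh), int(mm), int(ss))
            host, port, seen = pending
            entry = findings.setdefault((host, port), {
                "not_after": not_after, "first_seen": seen,
                "expired_for": seen - not_after, "count": 0})
            entry["count"] += 1
        pending = None  # a NotAfter line only counts directly after its event
    return findings

if __name__ == "__main__":
    for (host, port), info in find_expired_endpoints(SAMPLE_LOG).items():
        print(host, port, info["not_after"], info["expired_for"], info["count"])
```
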

Clearly list the Steps to resolve the issue

There are multiple options available to solve the problem, depending on the AppMon version in use:

Renew the certificate on the server (6.5, 7.0, 7.1)

  1. Windows:
    • Download the AppMon KeyTool here.
    • The affected component(s) must have been started once; stop the component before applying the fix.
    • Extract appmon-keytool.zip
    • Open Administrator cmd
    • Go into appmon-keytool\bin folder
    • Run the AppMon KeyTool, for example: c:\appmon-keytool\bin>appmon-keytool.bat "C:\Program Files\Dynatrace\Dynatrace 6.5\server\conf"
      (Hint: The JRE running the AppMon KeyTool must have the same security policy as the JRE running the AppMon server, most likely limited; otherwise a corresponding error message is logged.)
    • The above steps only need to be performed on the server.
  2. Linux:
    • Download the AppMon KeyTool here.
    • The affected component(s) must have been started once; stop the component before applying the fix.
    • Extract appmon-keytool.zip
    • Set the APP_HOME variable (pointing to appmon-keytool\bin)
    • Run the Linux script, for example: ./appmon-keytool /opt/dynatrace-7.1/server/conf
    • The above steps only need to be performed on the server.


Sample console output:

Okt 29, 2018 3:58:09 PM com.dynatrace.diagnostics.keystore.security.SecurityProvider ensureBCProviderIsAvailable
INFO: Security provider 'BC' has been added successfully at pos 11
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
INFO: Successfully added newly generated private key and certificates to ServerKeyStore
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
INFO: Successfully added newly generated private key and certificates to FrontendServerKeyStore
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
INFO: Successfully added newly generated private key and certificates to AnalysisServerKeyStore
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
SEVERE: Failed to add newly generated private key and certificates to CollectorKeyStore: Keystore files do not exist.
Okt 29, 2018 3:58:17 PM com.dynatrace.diagnostics.keystore.AppMonKeyTool main
SEVERE: Failed to add newly generated private key and certificates to ClientKeyStore: Keystore files do not exist.

Use updated installers (7.0, 7.1)

For AppMon 7.0 and 7.1, new "full install", "collector", "server" and "analysis server" packages have been published.

AppMon              Old GA version    New GA version
7.0 (2017 May)      7.0.0.2469        7.0.0.2474
7.1 (2018 April)    7.1.0.1803        7.1.0.1902

The new binaries are available at downloads.dynatrace.com.

Note the underlying reason for the problem

The shipped certificate is expired and thus no initial connection can be established for non-interactive components.