UEM HealthCheck Validate URL button returns an SSL Cert error?

dave_deleo
Inactive

Hi, I don't know the mechanism behind the UEM HealthCheck, but the Validate URL button should be pretty straightforward in that either the URL exists or it does not. Is there more to it that it would return an SSL certification error? If I use the URL in a browser I have no problems with that address. What would be the reasons why this error would occur on such a test? And how would you work around the SSL issue, as the HealthCheck feature is out of the box - you can't really change how it works. In the three years of using UEM on several applications that use https:// I've never had this issue with the Validate URL test. I've also tried the address with https:// with the same results. Any help you can give to understanding this problem would be truly appreciated.

Thanks,

David

4 REPLIES

JamesKitson
Dynatrace Leader

If you visit the URL you're checking in a browser, does it warn you about any certificate or trust issues or display a warning near the https icon? I would guess the certificate being used on the site isn't signed by a trusted authority, so we're rejecting it. If that is the case you might be able to fix it by adding the certificate to the cacerts file in the AppMon installation. Just a guess.

dave_deleo
Inactive

Thanks James! What's odd is I get no error when I enter that same URL into a browser. I did it in IE and I did it in Chrome and Firefox. When I did it in Firefox it said it was verified by Comodo CA Limited. IE said pretty much the same but also said "This connection to the server is encrypted." And when I look at the certificate path in IE it says this certificate is OK. But I will try adding the certificate to the cacerts file in the AppMon installation to see if that works.

Thank you!

David

thomas_klambaue
Dynatrace Pro

Hi David,

The issue is typically which root certificates are trusted. On the one end, browsers like Chrome have their own set of root CAs (certificate authorities) that they trust, which can be different from the ones used by the UEM health check.

We had our own set of problems with the COMODO SECURE™ CA; fingerprint af e5 d2 44 a8 d1 19 42 30 ff 47 9f e2 f8 97 bb cd 7a 8c b4.

The reason for us was that this CA was not yet included in Java's 1.7.0_60 JRE cacerts keystore file.

Which version of AppMon are you using? If you upgrade AppMon you will also get a new Java JRE version which has a new set of CA certificates shipped, which may include new Comodo CAs.

E.g. http://www.oracle.com/technetwork/java/javase/8u51... says that new Comodo CA certs were added with Java JRE 8u51, which translates to AppMon 6.3 and higher.

In short, likely this is resolved if you upgrade AppMon.

Best regards,

Thomas
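
To check whether a given JRE `cacerts` file really contains the CA with the fingerprint quoted in the reply above, its `keytool` listing can be searched by SHA-1 fingerprint. This is an added example, not part of the original replies and not Dynatrace tooling; the function names, the sample listing and the `cacerts` path argument are assumptions.

```shell
#!/bin/sh
# Added example: find a CA by SHA-1 fingerprint in a Java truststore listing.

# Reduce a fingerprint in any notation ("af e5 ..", "AF:E5:..") to bare
# upper-case hex. Dropping every non-hex byte also removes invisible marks
# that copy/paste from a certificate dialog can leave in front of the value.
normalize_fp() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# find_ca_alias FINGERPRINT: reads `keytool -list` output (short or -v form)
# on stdin and prints the alias of each entry with that SHA-1 fingerprint.
# Exit status: 0 = found, 1 = not in this truststore, 2 = bad fingerprint.
find_ca_alias() {
    want=$(normalize_fp "$1")
    [ "${#want}" -eq 40 ] || { echo "not a SHA-1 fingerprint: $1" >&2; return 2; }
    awk -v want="$want" '
        /^Alias name:/         { alias = $0; sub(/^Alias name: */, "", alias) }
        /, trustedCertEntry,/  { alias = $0; sub(/, .*/, "", alias) }
        /SHA1[)]?: /           { fp = $NF; gsub(/:/, "", fp)
                                 if (toupper(fp) == want) { print alias; hit = 1 } }
        END                    { exit !hit }'
}

# Constructed sample in the shape of `keytool -list -v` output; the aliases
# and the first fingerprint are made up, the second is the one from the thread.
constructed_listing() {
    cat <<'EOF'
Alias name: example-root-a
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
Alias name: example-comodo-root
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA1: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
EOF
}

# Usage: sh find_ca.sh <path-to-cacerts> 'af e5 d2 44 ...'
# "changeit" is the stock cacerts password; -v makes keytool print the SHA1
# line on which this parser matches.
if [ "$#" -eq 2 ]; then
    keytool -list -v -keystore "$1" -storepass changeit | find_ca_alias "$2" \
        || echo "no trusted CA with that SHA-1 fingerprint in $1"
fi
```

Run it against the `cacerts` of the JRE that performs the check, since another Java installation on the same host can ship a different CA set.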

dave_deleo
Inactive

Thanks Thomas! Wish I could say that was the answer, as we are on 6.5. What I think I will do is to not use the UEM healthcheck on this particular application, but rather move on knowing the URL is valid and try to get UEM working via testing the application web page directly, doing view source to see if insertion of the agent script tag is taking place, and using Fiddler to see if the dynTraceMonitor is accessible. I have found in the past that UEM health check in general (not the URL validator button) is not always 100%. We have applications where UEM is working but it fails on the UEM healthcheck. So sometimes you have to be a little more creative. Thanks again for your help.

David