TLS/SSL Troubleshooting

If you experience TLS/SSL issues, check whether the symptom matches one of the known issues listed here and apply the suggested solution.

Important! Check Broadcom's Enterprise Software Academy. There is a course available for this topic. For more information, see the Education section at the end of this topic.

Aliases Do not Match

Problem: The alias configured in the INI file of the Automation Engine (ucsrv.ini) does not match the one used when the key/keystore was created.

Error:

U00045014 Exception 'com.automic.agents.impl.TlsKeystoreReader$InvalidKeystoreException: "com.automic.agents.impl.TlsKeystoreReader$InvalidKeystoreException"' at 'com.automic.agents.impl.TlsKeystoreReader.tryToLoadKey():89'.

U00045015 The previous error was caused by 'com.automic.agents.impl.TlsKeystoreReader$InvalidKeystoreException: "null"' at 'com.automic.agents.impl.TlsKeystoreReader.tryToLoadKey():85'.

Solution: Make sure that the same aliases are set before starting the JCP.

Certificate Cannot be Used for Server Authentication

Problem: The certificate configured on the JCP, AWI, or Agent side cannot be used for server authentication.

AWI Error:

sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication

Solution: Either obtain a new certificate that is valid for server authentication or, if the certificate carries an extended key usage extension, make sure that it includes TLS server authentication.

Certificate Does not Include Domains/Hostnames Required

Problem: The certificate configured on the JCP / AWI side does not include all required domains/hostnames.

Errors:

  • AWI

    java.util.concurrent.ExecutionException: java.io.IOException: Failed to connect to myserver:8443
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    …
    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myserver found.
    at sun.security.util.HostnameChecker.matchDNS(Unknown Source)
    
  • Java-based Agents and TLS Gateway:

    U02000385 Web socket error: 'No subject alternative DNS name matching myserver found.'.
    javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching myserver found.
    Caused by java.security.cert.CertificateException: No subject alternative DNS name matching myserver found.
    java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching myserver found.
    Caused by javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching myserver found.
    Caused by java.security.cert.CertificateException: No subject alternative DNS name matching myserver found.
    U02000380 Could not connect to server 'myserver:8443'.
    
  • Windows Agent:

    U02001073 Certificate verification for Issuer '/C=AT/ST=Vienna/L=Vienna/O=Broadcom/OU=Automic/CN=Automic CA/emailAddress=myemail@broadcom.com', Subject '/C=AT/ST=Vienna/L=Vienna/O=Broadcom/OU=Automic/CN=Automic CA/emailAddress=myemail@broadcom.com' failed.
    U02000406 Connection does not match certificate. Connection provided is: myserver:8443'.
    U02000327 Unexpected error on connection '*SERVER' (socket handle = '680'), reason '"category: 'asio.ssl', (337047686) certificate verify failed"'.
    

Solution: Make sure that the certificate configured on the JCP / AWI side includes all domains/hostnames of the systems used by Automic. This is especially important when a machine has multiple network cards or when JCPs run on different machines.

Certificate Expired

Problem: The certificate included in the configured keystore has expired.

Error:

U00045393 SSL Certificate invalid: The validity period of the certificate has expired or not yet reached.

Solution: Renew the certificate before starting the JCP.

Certificates not Found or Do not Match

Problem: The certificate that the respective component (AWI, TLS/SSL Agent, TLS Gateway) uses to establish the TLS/SSL connection to the Automation Engine cannot be found or it does not match the certificate configured on the server side.

Errors:

  • AWI

    [com.uc4.ecc.backends.impl.dataservice.connection.ConnectionService] - Connection to Automation Engine failed at 'myserver:8443'.
    java.util.concurrent.ExecutionException: java.io.IOException: Failed to connect to myserver:8443
    …
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine Problem
    …
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    
  • Java-based Agents and TLS Gateway:

    U02000385 Web socket error: 'PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target'.
    javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Caused by javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    U02000380 Could not connect to server 'myserver:8443'.
    Connecting to system 'UC4' is not possible.
    com.uc4.ex.cp.InitialConnectionException: Initial connection with endpoint not possible. Please check your configuration.
    
  • Windows Agent:

    U02001073 Certificate verification for Issuer '/C=AT/ST=Vienna/L=Vienna/O=Broadcom/OU=Automic/CN=Automic CA/emailAddress=myemail@broadcom.com', Subject '/C=AT/ST=Vienna/L=Vienna/O=Broadcom/OU=Automic/CN=Automic CA/emailAddress=myemail@broadcom.com' failed.
    U02000327 Unexpected error on connection '*SERVER' (socket handle = '788'), reason '"category: 'asio.ssl', (337047686) certificate verify failed"'.
    20210706/152850.714 - U02000343 Server connection has been closed.
    20210706/152851.730 - U02000302 Agent shutdown has been initiated with return code '68'.
    
  • UNIX Agent:

    U02000313 Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed)'.
    U02000010 Connection to Server 'UC4/198.51.100.2:8443' terminated.
    

Solution: Open the certificate configured for the respective component and check that it matches the one in the JCP keystore (Issuer, Subject, Validity, and so on).

If you use UNIX Agents and certificates signed by a Certificate Authority (CA), make sure that the folder used by the Agent to access the trusted certificates exists and contains the required root certificates. If the path is not one of the defaults, it can be configured via the SSLCertDir= or SSLCertFile= INI parameters.

Incorrect Port Definition

Problem: A component (AWI, TLS/SSL Agent, TLS Gateway) tries to connect to port 2217, which is not the port where the JCP is reachable. The default port defined for the JCP in the INI file of the Automation Engine is 8443.

Errors:

  • AWI:

    java.util.concurrent.ExecutionException: java.io.IOException: Failed to connect to myserver:2217
    …
    Caused by: javax.net.ssl.SSLHandshakeException: Unrecognized SSL message, plaintext connection?
    
  • Java-based Agents and TLS Gateway:

    U02000385 Web socket error: 'Unrecognized SSL message, plaintext connection?'.
    javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    java.util.concurrent.ExecutionException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    Caused by javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    U02000380 Could not connect to server 'myserver:2217'.
    
  • Windows Agent:

    U02000379 Initiating connection to server 'myserver:2217' using WebSocket URI: 'wss://198.51.100.2:2217//agent'.
    U02000072 Connection to system 'UC4' initiated.
    U02000327 Unexpected error on connection '*SERVER' (socket handle = '752'), reason '"category: 'asio.ssl', (336130315) wrong version number"'.
    U02000343 Server connection has been closed.
    U02000302 Agent shutdown has been initiated with return code '68'.
    
  • UNIX Agent:

    U02000313 Communication error with partner '*SERVER', error: 'TLS-handshake/336130315(wrong version number)'.
    U02000010 Connection to Server 'UC4/10.49.164.113:2217' terminated.
    

Solution: Make sure that the relevant file (the Agent or TLS Gateway INI file, or the AWI uc4config.xml file) is configured correctly:

  • The hostname used in the configuration file must match the name in the certificate.

  • Make sure you are using the JCP default port 8443 and that it has not been overridden. Check the WS.PORT parameter in the INI file of the Automation Engine.

  • Make sure the JCP is running.

  • You might have to use the fully qualified domain name instead of the short hostname/IP in the configuration file (such as vviecapam01.sbb01.spoc.global).

Invalid Keystore Format

Problem: The default algorithm used to encrypt a certificate has been changed.

Error:

U00045014 Exception 'java.io.IOException: "Invalid keystore format"' at 'sun.security.provider.JavaKeyStore.engineLoad():666'.

Solution: Make sure you are using a Java Runtime Environment as specified in the compatibility matrix. For more information, see the compatibility matrix.

See also:

Compatibility Information

Key Passwords Do not Match

Problem: The key password configured in the INI file of the Automation Engine (ucsrv.ini) does not match the one used when the private key was created.

Error:

U00045014 Exception 'com.automic.agents.impl.TlsKeystoreReader$InvalidKeystoreException: "java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption."' at 'com.automic.agents.impl.TlsKeystoreReader.tryToLoadKey():89'.

U00045015 The previous error was caused by 'java.security.UnrecoverableKeyException: "Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption."' at 'sun.security.pkcs12.PKCS12KeyStore.engineGetKey():462'.

U00045015 The previous error was caused by 'javax.crypto.BadPaddingException: "Given final block not properly padded. Such issues can arise if a bad key is used during decryption."' at 'com.sun.crypto.provider.CipherCore.unpad():975'.

Solution: Make sure that the same passwords are set before starting the JCP.

Keystore File Does not Exist

Problem: The keystore file configured in the INI file of the Automation Engine (ucsrv.ini) does not exist.

Error:

U00045014 Exception 'com.automic.agents.impl.TlsKeystoreReader$InvalidKeystoreException: "java.io.FileNotFoundException: .\httpsKeyfile (The system cannot find the file specified)"' at 'com.automic.agents.impl.TlsKeystoreReader.tryToLoadKey():89'.

U00045015 The previous error was caused by 'java.io.FileNotFoundException: ".\httpsKeyfile (The system cannot find the file specified)"' at 'java.io.FileInputStream.open0()'.

Solution: Set the correct location of the PKCS#12 keystore to be used by the JCP when starting.

Keystore Passwords Do not Match

Problem: The keystore password configured in the INI file of the Automation Engine (ucsrv.ini) does not match the one used when the keystore was created.

Error:

U00045014 Exception 'com.automic.agents.impl.TlsKeystoreReader$InvalidKeystoreException: "java.io.IOException: keystore password was incorrect"' at 'com.automic.agents.impl.TlsKeystoreReader.tryToLoadKey():89'.

U00045015 The previous error was caused by 'java.io.IOException: "keystore password was incorrect"' at 'sun.security.pkcs12.PKCS12KeyStore.engineLoad():2108'.

U00045015 The previous error was caused by 'java.security.UnrecoverableKeyException: "failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption."' at 'sun.security.pkcs12.PKCS12KeyStore.engineLoad():2108'.

Solution: Make sure that the same passwords are set before starting the JCP.

Unable to Reach the JCP

Problem: One of the components (AWI, TLS/SSL Agent, TLS Gateway) is not able to reach the JCP.

Errors:

  • AWI:

    java.util.concurrent.ExecutionException: java.io.IOException: Failed to connect to myserver:8443
    …
    Caused by: java.io.IOException: Failed to connect to myserver:8443
    at com.uc4.communication.WebSocketConnection.<init>(WebSocketConnection.java:234)
    at com.uc4.communication.Connection.<init>(Connection.java:52)
    at com.uc4.communication.Connection.open(Connection.java:160)
    at com.uc4.ecc.backends.connection.ProductionConnectionFactory$2.call(ProductionConnectionFactory.java:77)
    Caused by: java.net.ConnectException: Connection refused: no further information
    at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
    
  • Java-based Agents and TLS Gateway:

    U02000379 Initiating connection to server myserver:8443' using WebSocket URI: 'wss://myserver:8443/agent'.
    U02000385 Web socket error: 'Connection refused: no further information'.
    java.net.ConnectException: Connection refused: no further information
    U02000380 Could not connect to server myserver:8443'.
    
  • Windows Agent:

    U02000379 Initiating connection to server myserver:8443' using WebSocket URI: 'wss://198.51.100.2:8443//agent'.
    U02000313 Communication error with partner 'https://myserver:8443//agent', error: 'No connection could be made because the target machine actively refused it'.
    U02000343 Server connection has been closed.
    
  • UNIX Agent:

    U02000379 Initiating connection to server 'UC4' using WebSocket URI: myserver:8443/agent'.
    U02000313 Communication error with partner '*SERVER', error: 'on_connection/111(Connection refused)'.
    U02000010 Connection to Server 'UC4/unknown' terminated.
    

Solution: Check that the JCP is active and that the WebSocket connection works.

You can also check this in a browser: open a new tab and enter the endpoint, for example https://myserver:8443.

  • If the endpoint is reachable, you get a certificate error but you can view the certificate.

    Check that the hostname matches the one in the config.xml file.

  • If the endpoint is not reachable, the browser displays an error similar to Site not reachable.

    Check the JCP log and make sure that Jetty has started the endpoint, and note which port it is listening on.
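The browser check above can be scripted so that one probe also tells the plaintext-port case (Incorrect Port Definition) apart from a missing SAN (Certificate Does not Include Domains/Hostnames Required) or an untrusted chain. This is an added example, not Automic code: probe_jcp, start_plaintext_listener and closed_port are assumed names, and the plaintext listener is a constructed stand-in that exists only to exercise the 'wrong version number' branch locally.

```python
import socket
import ssl
import threading

def probe_jcp(host, port, cafile=None, timeout=3.0):
    """Handshake with host:port as an agent or the AWI would; map the outcome onto this page's sections."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname like the Java clients do
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated once verification passed
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return "ok", "JCP reachable; certificate valid for DNS names %s" % sans
    except ConnectionRefusedError:
        return "refused", "nothing listens on this port: is the JCP running and WS.PORT 8443? (Unable to Reach the JCP)"
    except (socket.timeout, TimeoutError):
        return "timeout", "no reply: host unreachable or port filtered"
    except ssl.SSLCertVerificationError as e:
        msg = e.verify_message or str(e)
        if "expired" in msg:
            return "expired", msg  # Certificate Expired
        if "Hostname mismatch" in msg:
            return "hostname_mismatch", msg  # Certificate Does not Include Domains/Hostnames Required
        return "untrusted", msg  # Certificates not Found or Do not Match
    except ssl.SSLError as e:
        if "WRONG_VERSION" in (e.reason or "") or "wrong version number" in str(e):
            return "plaintext", "peer is not speaking TLS: wrong port? (Incorrect Port Definition)"
        return "tls_error", str(e)
    except OSError as e:
        return "network_error", str(e)

def start_plaintext_listener():
    """Constructed stand-in for a non-TLS service sitting on the wrong port; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # swallow the ClientHello
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")  # plain HTTP, not a TLS record
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Bind and release an ephemeral port so that nothing listens on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run probe_jcp against the real host and port from the configuration file (and pass the CA file the component trusts as cafile) to see which section applies.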
