Problem A: SSL/connection errors in logs
Your New Relic Java agent's log data shows SSL or connection errors.
Tip
See Configuring your SSL certificates for instructions on how to communicate with the New Relic collector over HTTPS.
Solution A
Failures to connect via SSL typically appear early in the Java agent's log files. For example:
PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath
INFO: connection error: java.net.SocketException: java.lang.ClassNotFoundException: Cannot find the specified class com.ibm.websphere.ssl.protocol.SSLSocketFactory
If you see either of these errors, your JDK instance is probably using a customized trust store.
Recommendation: Add the DigiCert Global Root Certificate Authority (CA), from which New Relic's certificate is derived, to your trust store.
You can download the DigiCert Global Root CA from DigiCert under the "Other root certificates" section (choose the "Download PEM" option).
To import the cert to your trust store, use this command, or see Oracle's Java SE documentation for keytool:
keytool -importcert -alias ca_alias -file ca_file.pem -keystore truststore.ts -storepass ts_password
Parameters include:
Parameter | Description |
---|---|
ca_alias | The alias you want to use in your trust store for the imported cert. |
ca_file.pem | The file containing the cert you are adding. |
truststore.ts | The trust store to which the cert will be added. |
ts_password | The password used by truststore.ts. |
Problem B: logs show exception
Your New Relic Java agent's log data shows the following CertificateException:
java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Illegal header: -----BEGIN CERTIFICATE-----
This is most likely related to this JDK issue.
Solution B
Examine your certificates and confirm that the header and footer lines do not have trailing whitespace. If they do, edit the certificates or use different ones.
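One way to run the Solution B check before importing a certificate, as an added example that is not part of the original page. The function names are hypothetical, and treating a carriage return (CRLF line ending) as trailing whitespace is an assumption of this example.

```shell
#!/bin/sh
# Added example: find and strip trailing whitespace on PEM certificate
# boundary lines. Function names are hypothetical. Assumption: a carriage
# return counts as trailing whitespace, alongside spaces and tabs.

# Print "file:line: ..." for each BEGIN/END CERTIFICATE line that has
# trailing whitespace. Returns 0 if clean, 1 if any found, 2 if unreadable.
check_pem_boundaries() {
    pem_file=$1
    [ -r "$pem_file" ] || { echo "cannot read: $pem_file" >&2; return 2; }
    awk -v f="$pem_file" '
        /^-----(BEGIN|END) CERTIFICATE-----[ \t\r]+$/ {
            printf "%s:%d: trailing whitespace after PEM boundary\n", f, NR
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$pem_file"
}

# Write a copy of $1 to $2 with trailing whitespace removed from the
# boundary lines only; the base64 body is left untouched.
fix_pem_boundaries() {
    awk '
        /^-----(BEGIN|END) CERTIFICATE-----[ \t\r]+$/ { sub(/[ \t\r]+$/, "") }
        { print }
    ' "$1" > "$2"
}

# Demo on a constructed file (placeholder body, not a real certificate):
# trailing space on the BEGIN line, CRLF ending on the END line.
demo=$(mktemp)
printf '%s \n%s\n%s\r\n' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$demo"
check_pem_boundaries "$demo" || echo "boundary lines need cleaning before import"
rm -f "$demo"
```

Run `check_pem_boundaries` on the file you pass to `keytool -importcert`, and import the output of `fix_pem_boundaries` only after it checks clean.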