community
cancel
Showing results for 
Search instead for 
Did you mean: 

alteryx connect Knowledge Base

Definitive answers from Connect experts.

Cannot Establish a Connection between Connect and Gallery

Alteryx
Alteryx
Created on

Issue

 

While attempting to add your Gallery (Alteryx Server) to your Connect instance, you get the following error message:

 

An error occurred while automatically trying to obtain gallery keys
I/O error on POST request for "https://localhost/gallery/api/auth/preauth/":
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target;
nested exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target..

 

Environment

 

  • Alteryx Server (Gallery) 
    • SSL Encryption Enabled
  • Alteryx Connect ≥ 2018.2

Cause

 

The error message means that Apache Tomcat (Connect runs Tomcat as it's underlying web server) does not trust the certificate that your Gallery is using for SSL encryption. This error is most frequently caused by using a certificate that is self-signed and not issued by a certificate authority (CA) for your Gallery. This error can also occur with a CA-issued certificate when the CA was only recently added to Java. Connect does not always contain the latest version of Java, therefore a recently added CA may not exist as a trusted issuer in your Connect instance.

 

Solution

 

To resolve this error, you need to import your *.crt certificate into the Java Keystore in Connect.

 

  1. Open the Command Line Interpreter on your machine as an administrator.
    1. Navigating to your Start Menu, and search "cmd".
    2. Right-click on the Command Prompt application and select Run as administrator.

      cmdAsAdmin.png

 

  1. In your command prompt, navigate to the directory containing the Java Keytool (the location will depend on where your instance of Connect is installed, the following example uses the default location):

    cd "c:\Program Files\AlteryxConnect\jre\bin\"
  2. Locate the *.crt certificate you are using to run SSL in your Gallery.
    1. In this example, I've used OpenSSL to generate an SSL certificate, and therefore my certificate is in the directory C:\OpenSSL-Win64\bin. Update this path in the following commands according to your certificate's file path.

  3. Import the certificate into cacerts keystore in the Connect folder with the following commands. In this example, I am using gallery as the certificate's alias (the certificate must have a unique identification), but you can replace this with whatever string you would like to use:

    keytool.exe -import -alias gallery -file "c:\OpenSSL-Win64\bin\ServerName.crt" -keystore "c:\Program Files\AlteryxConnect\jre\lib\security\cacerts"
  4. You may be prompted for the keystore password. By default the password is set to changeit:

    cacerts keystore password: changeit
  5. Once you have provided the keystore password, restart your Connect service.
  6. Now you should get "OK" as the response when connecting to Gallery.