FMS using SSL/HTTPS, the fglcmd command fails with error "unable to find valid certification path" (4284088)

When attempting to invoke the fglcmd command from the Foglight Management Server (FMS) host or remotely, the -ssl flag was used but the command fails with the following:

Connection problem: Could not access HTTP invoker remote service at [https://localhost:8443/foglight-sl/CommandLineService]; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If error is only Unable to connect to remote server, the fglcmd command may need to be run with the -debug flag to see the certificate error; for example:

fglcmd.sh -srv foglight.yourdomain.com -port 8443 -ssl -usr foglight -pwd -cmd agent:list -debug

CAUSE 1

The fglcmd utility uses the JRE to connect to the FMS. The quest.com CA authority is not installed by default in the cacerts file on the FMS.

CAUSE 2

An in-house certificate granting authority (CA) is in use and has not been imported to the default JRE TrustStore (cacerts).

1. Export the cert from the browser.  Please reference the attached example of how to export the Cert from a Chrome browser.
2. Copy resulting file to FMS host, and import into CACERTS:

   $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/jre/lib/security/cacerts -storepass changeit -import -alias [alias_name] -file [path_to_ca_cert_file]

3. This should import the needed information for the JRE to allow the fglcmd command to work properly

Example fglcmd usage using the -srv and -ssl switches:

Ensure that fglcmd  -srv switch specifies the FQDN referenced in the cert, for example:

> fglcmd -srv hostname.domain.com -ssl -usr foglight -pwd foglight -port 8443 -cmd script:run -f filename.groovy