Situation
User receives "Unable to find valid certification path" error when logging in to DemandTools.
Explanation
This error is thrown when DemandTools has an issue accessing the local Java Certificate needed to communicate with your Salesforce account. When initialized, DemandTools looks for a Java certificate. You may encounter this error if:
- The certificate does not exist
- The certificate has been moved
- Your company network uses a server that intercepts traffic between DemandTools and the internet (like a firewall, proxy server, or VPN)
Intercepting traffic is the most common scenario.
- When DemandTools attempts to make a connection, the connection goes through a decryption and re-encryption process called SSL inspection.
- During this process, the connection is re-encrypted with a Root CA certificate.
- If that Root CA certificate hasn't been added to the DemandTools truststore, DemandTools can't validate it and can't complete the process.
- Once that Root CA certificate is added, DemandTools can validate the certificate and complete the process.
Solutions
There are three different paths you can take to resolve this issue, listed here in order of potential disruption to workflow. These solutions should be handled by your IT team. Validity cannot make these changes on our customers' behalf.
- Your company can allowlist *.validity.com on any interception server or setting that may decrypt and re-encrypt data in transit.
- Your company can allowlist the following subdomains on all network interceptors:
  - api.validity.com
  - login.validity.com
  - notifier-configs.airbrake.io
- You may be able to update the SSL certificate on your interception server to use a publicly accepted Root CA.
- If your interception server cannot have the SSL certificate updated, your company's IT team will have to obtain the certificate file for that server and add it to the Java truststore that DemandTools uses (see How to import a certificate below).
Work with your company's IT team to verify the proper path of the Java certificate or make adjustments to your company's network configuration and firewalls.
How to find the certificate being used
If you’re not sure what certificate is being used, Validity Support will need you to trigger the error and download the logfile from your session, then provide that log with your support ticket. To do this:
- Upgrade to the latest version of DemandTools if needed.
- At a command prompt, open C:\Users\[USERNAME]\DemandToolsConfig\javaSettings.json. It will look like this:
- After =true", add a comma and press enter to start a new line.
- On the new line, add "-Djavax.net.debug=all"
- Save the javaSettings.json file.
- Close DemandTools, then reopen it and wait for the error to occur.
- In the top menu, go to Help > Troubleshooting > App Logs and download the most recent logfile.
- Open the javaSettings.json file and remove the comma and new line you just added.
- Save the javaSettings.json file again.
- Submit a ticket to Validity Support and attach the logfile you just downloaded.
How to import a certificate
- If you use a Mac, use the Import Certificate function in the DemandTools top menu.
- If you use Windows, open a command prompt and run the following command as an administrator:
"C:\Program Files\Validity DemandTools\resources\jre\bin\keytool.exe" -import -alias DemandToolsTrustedCert -file "C:\[dir]\[RootCertificate-2048-SHA256.crt]" -keystore "C:\Program Files\Validity DemandTools\resources\jre\lib\security\cacerts" -trustcacerts -storepass changeit
- For [dir] and [RootCertificate...crt], enter the file path of your Root CA certificate.
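
An added example, not part of Validity's documentation or tooling: a PowerShell wrapper around the keytool command above that checks the Root CA file before it is trusted, backs up the truststore, and confirms the import. It assumes the install paths, alias and store password shown in this article; the parameter names ($CertPath, $ExpectedSha256) are hypothetical, and the expected SHA-256 fingerprint is assumed to come from your IT team through a separate channel.

```powershell
# Added example, not Validity's tooling. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)] [string] $CertPath,        # Root CA file from your IT team
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # fingerprint IT confirmed out of band
    [string] $Alias = 'DemandToolsTrustedCert'        # alias from the article's command
)
$ErrorActionPreference = 'Stop'
$jre       = 'C:\Program Files\Validity DemandTools\resources\jre'
$keytool   = Join-Path $jre 'bin\keytool.exe'
$cacerts   = Join-Path $jre 'lib\security\cacerts'
$storePass = 'changeit'                               # store password from the article

# 1. Load the certificate and compute the SHA-256 fingerprint of its DER bytes.
$file   = (Resolve-Path $CertPath).Path
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
$hash   = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$actual = [System.BitConverter]::ToString($hash) -replace '-', ''
$wanted = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($actual -ne $wanted) { throw "Fingerprint mismatch: file has $actual" }

# 2. Refuse anything that is not a currently valid CA certificate.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Not a CA certificate.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Outside validity period.' }
if ($cert.Subject -ne $cert.Issuer) { Write-Warning "Not self-signed; issuer is $($cert.Issuer)" }

# 3. Stop if the alias is already present rather than overwrite or duplicate it.
& $keytool -list -alias $Alias -keystore $cacerts -storepass $storePass | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $cacerts" }

# 4. Keep a timestamped copy of the truststore so the change can be rolled back.
$backup = "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -Path $cacerts -Destination $backup
Write-Host "Backed up truststore to $backup"

# 5. Import with the article's command; -noprompt is acceptable only because of step 1.
& $keytool -import -noprompt -trustcacerts -alias $Alias -file $file `
    -keystore $cacerts -storepass $storePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 6. Print the stored entry so its fingerprint can be compared with $actual.
& $keytool -list -v -alias $Alias -keystore $cacerts -storepass $storePass
```

Because the truststore sits inside the DemandTools install directory, an application upgrade may replace it; rerun the check in step 3 after upgrading to see whether the alias is still present.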