SSLHandshakeException PKIX path building failed unable to find valid certification path to requested target

Problem:

I am trying to install the Sumo Logic Collector on a Windows host and the Collector is not registering and I am seeing the below errors in the collector.log

com.sumologic.scala.collector.auth.CollectorRegistrationManager - https://collectors.us2.sumologic.com resolves to addresses 50.112.247.184, 54.214.248.116, 54.244.93.203, 54.244.255.49, 54.245.225.80, 54.245.232.182

2018-03-09 12:14:07,687 +0300 [WrapperSimpleAppMain] WARN com.sumologic.scala.collector.auth.CollectorRegistrationManager - Unexpected when pinging sumo service, retrying in 60 seconds
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)

Root Cause:

This is typically due to a network issue caused by either no connectivity or SSL certificate issue. In many cases, these are related to a proxy or firewall configured between the Collector and the Sumo Logic service.

Resolution:

1. The following test can help determine the source of these messages.

From the server hosting the collector, run a cURL command (the executable can be downloaded for Windows  from this link   

​curl --insecure -v https://collectors.us2.sumologic.com

If the above command does not return the following message "* SSL certificate verify ok." then review the output and take the necessary action at the firewall or proxy level.

Please check if you are using tools like Zscaler and make sure you whitelist Sumo Logic domains using the format "*.sumologic.com". 

2. If the above step shows SSL certificate verified OK, then the following steps could help. This could happen if there is an issue with the cacerts file, located within the Java JRE directory. Typically this file will be located in:

Linux  default location: /opt/SumoCollector/jre/lib/security 

Windows default location C:\Program Files\Sumo Logic Collector\jre\lib\security\cacerts 

Note: The JRE directory can be found using the line below in the <collector_dir>/config/wrapper.conf file

wrapper.java.command = <some jre path>

Below are the tools to download and install the Sumo Logic certificate

1. Open IE on the proxy machine and enter the below endpoint link of the deployment which belongs to your org id, below one is for US2 deployment.
https://endpoint1.collection.us2.sumologic.com
Then click on the Green lock in the address bar and then Details and export the certificate and give a name to the certificate file, say sumologic-2.cer

2. Then on CMD window on the affected server (steps for Linux are similar but slightly different using forward slashes for the path instead of backslashes as used in windows). Make sure you are running as an administrator user, find the JRE on this machine (which is mentioned in user.properties) and find the below path
.....\jre\lib\security
# you should see the cacerts file in this directory
The keytool command is at below path
../jre/bin

Navigate to ../jre/bin and run the below command

..\..\bin/keytool.exe -keystore cacerts -importcert -alias sumocert1 -file <path_to_file\sumologic-2.cer..>
Enter keystore password:
3. Type the password for the keystore at the “Password” prompt and press Enter. The default Java password for the cacerts file is “changeit”.
4. Type ‘y’ at the “Trust this certificate?” prompt and press Enter.

5.      ..\..\bin\keytool -list -keystore cacerts -alias sumocert1

6. Once the above steps are done you need to stop and start the collector