Couldn't establish connection to :636 PKIX path building failed

Hi everyone, I’m posting again because last time I was saved so why not a second time! I’ve set up a graylog node, inputs etc with HTTPS with custom certificate but the worry is that I’d also like to put LDAPs for security but when I try a connection by checking verify certificates I get this big error:

Couldn’t establish connection to x.x.x.x:636
An error occurred while attempting to connect to server x.x.x.x:636 IOException(LDAPException(resultCode=91 (connect error), errorMessage=‘An error occurred while attempting to establish a connection to server /x.x.x. x:636: SSLHandshakeException(PKIX path building failed: unable to find valid certification path to requested target), ldapSDKVersion=6.0.10, revision=51b3c7fe15cf42d4b2cd3bbd8165ebf759a8277d’))

While my certificate is working everywhere have I forgotten something?
Thank you in advance!

Hey @EthanBVV

Seems that you LDAP may not like or able to find you certificates. By chance have you upload the correct certificate to your LDAP server?

I assume your self-singed certificates work on graylog using HTTPS and your inputs also?

Hi @gsmith ! So to explain you I imported a wildcards certificate on graylog and yes they work with https + inputs without worries that’s why I do not understand why it can not contact the cert for the ldaps .

Thanks in advance for the answer.


Hey @EthanBVV


I assume all the correct ports are opened? Some times its the name used for the connection can be the cause.

While back I had a similar issue using MS AD/DC with wild cards. I’m not sure if this will help your issue but it did for me.

Heyyy ! Thank you for your answers they are a very valuable help for me ports are well open because if I do LDAPs without checking the certificate it communicates well with my AD and currently I connect on Graylog with AD logs in 636. I will look at what you pass me hoping that it works! for info you have in your LDAP authentication you put the ip or the FQDN?

We use FQDN here. Our environment maybe different then yours.

Did you try to import the CA certificate in the Java trust store ?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.