Splunk AppDynamics
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk AppDynamics HTTP Error 400 Invalid SNI

Osama_Abbas1
Explorer
‎03-11-2025 11:32 AM

I am deploying an On-Premises AppDynamics demo for a customer version (25.1.1.10031) and it is running on HTTP (8090). However, when I try to open it https://<ip_addr>:8181, I get the attached error message.

SNISNI

The screenshot has appd not the IP address just to hide it

How do I bypass this error?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Osama_Abbas1
Explorer
‎03-11-2025 03:03 PM

Hi @livehybrid,

Thanks a lot for your consideration.

I have been going through some jetty related posts (ring/ring-jetty-adapter/src/ring/adapter/jetty.clj at cefb95e698eeb8c58a082ddb2eec6fb9958506cb · rin...) in regard to this issue as it is the webserver running the controller. I found out that this is not a real issue with jetty, but rather, it is the default behavior. But luckily, it has a workaround.

After doing some research, below is the workaround:

Spoiler
This is not a permanent solution as the below changes will revert whenever jetty is upgraded, but it temporarily solves the problem. 

 

$ cd /opt/appdynamics/platform/product/controller/appserver/jetty/etc
$ cat jetty-ssl.xml
<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- Base SSL configuration                                        -->
<!-- This configuration needs to be used together with 1 or more   -->
<!-- of jetty-https.xml or jetty-http2.xml                         -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <Arg name="sniRequired" type="boolean"><Property name="jetty.ssl.sniRequired" default="false"/></Arg>
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
          <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
        </New>
      </Arg>
    </Call>
  </New>

</Configure>

 

In the example above (jetty-ssl.xml file), the default value for jetty.ssl.sniHostCheck is "true". This value has to be changed to default="false" to bypass the sniHostCheck.

 

<New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <!-- output truncated -->
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="false"/></Arg>
          <!-- output truncated -->
        </New>
      </Arg>
    </Call>
  </New>

 

You may also need to change it in jetty-ssl.xml.j2 file

Then, you have to restart the Controller AppServer.

After the controller AppServer restart is completed, you will be able to access the AppDynamics Controller via https://<controller_ip_addr>:8181

HTTPs.jpg

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Maciej_Popek
Engager
Wednesday

Recently I have created a community article regarding the SNI checks for each of the components in AppDynamics product - Controller, ES and EUM server. Please feel free to check it out, I have described exactly how SNI checks work, how to fix this issue permanently, and how to disable the SNI checks for each of the component of AppD:

https://community.splunk.com/t5/AppDynamics-Knowledge-Base/AppDynamics-Platform-Best-Practices-and-G... 

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎03-11-2025 02:24 PM

Hi @Osama_Abbas1 

Have you configured a APPDYNAMICS_CONTROLLER_HOST_NAME variable when running AppD? If so, is this the IP or hostname for your install? 

IP addresses cannot be used with SSL Certificate SNI, which explains the error, although I would have expected just a browser warning. This makes me wonder, are you connecting via a proxy from your client to your AppD server? This could be trying to generate an SSL cert for the connection and failing.

Worth reading:

https://docs.appdynamics.com/appd/23.x/latest/en/application-monitoring/install-app-server-agents/ja...

https://docs.appdynamics.com/appd/onprem/23.x/23.6/en/secure-the-platform/controller-ssl-and-certifi...

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply
Solved! Jump to solution
Solution

Osama_Abbas1
Explorer
‎03-11-2025 03:03 PM

Hi @livehybrid,

Thanks a lot for your consideration.

I have been going through some jetty related posts (ring/ring-jetty-adapter/src/ring/adapter/jetty.clj at cefb95e698eeb8c58a082ddb2eec6fb9958506cb · rin...) in regard to this issue as it is the webserver running the controller. I found out that this is not a real issue with jetty, but rather, it is the default behavior. But luckily, it has a workaround.

After doing some research, below is the workaround:

Spoiler
This is not a permanent solution as the below changes will revert whenever jetty is upgraded, but it temporarily solves the problem. 

 

$ cd /opt/appdynamics/platform/product/controller/appserver/jetty/etc
$ cat jetty-ssl.xml
<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- Base SSL configuration                                        -->
<!-- This configuration needs to be used together with 1 or more   -->
<!-- of jetty-https.xml or jetty-http2.xml                         -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <Arg name="sniRequired" type="boolean"><Property name="jetty.ssl.sniRequired" default="false"/></Arg>
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
          <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
        </New>
      </Arg>
    </Call>
  </New>

</Configure>

 

In the example above (jetty-ssl.xml file), the default value for jetty.ssl.sniHostCheck is "true". This value has to be changed to default="false" to bypass the sniHostCheck.

 

<New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <!-- output truncated -->
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="false"/></Arg>
          <!-- output truncated -->
        </New>
      </Arg>
    </Call>
  </New>

 

You may also need to change it in jetty-ssl.xml.j2 file

Then, you have to restart the Controller AppServer.

After the controller AppServer restart is completed, you will be able to access the AppDynamics Controller via https://<controller_ip_addr>:8181

HTTPs.jpg

Tags (1)
0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎03-12-2025 12:55 AM

Hey @Osama_Abbas1 

Thanks for letting us know how you resolved it 🙂
Good luck with your future AppD work!

Will

0 Karma
Reply
Solved! Jump to solution

Osama_Abbas1
Explorer
‎03-12-2025 03:10 AM

Hey @livehybrid ,

Thanks! I appreciate it. Wishing you the best too! 😊

 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...