
Splunk AppDynamics HTTP Error 400 Invalid SNI

Osama_Abbas1
Explorer

I am deploying an On-Premises AppDynamics demo for a customer version (25.1.1.10031) and it is running on HTTP (8090). However, when I try to open it at https://<ip_addr>:8181, I get the attached error message.


The screenshot has appd, not the IP address, just to hide it.

How do I bypass this error?

0 Karma
1 Solution

Osama_Abbas1
Explorer

Hi @livehybrid,

Thanks a lot for your consideration.

I have been going through some jetty related posts (ring/ring-jetty-adapter/src/ring/adapter/jetty.clj at cefb95e698eeb8c58a082ddb2eec6fb9958506cb · rin...) in regard to this issue as it is the webserver running the controller. I found out that this is not a real issue with jetty, but rather, it is the default behavior. But luckily, it has a workaround.

After doing some research, below is the workaround:

This is not a permanent solution as the below changes will revert whenever jetty is upgraded, but it temporarily solves the problem. 

 

$ cd /opt/appdynamics/platform/product/controller/appserver/jetty/etc
$ cat jetty-ssl.xml
<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- Base SSL configuration                                        -->
<!-- This configuration needs to be used together with 1 or more   -->
<!-- of jetty-https.xml or jetty-http2.xml                         -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <Arg name="sniRequired" type="boolean"><Property name="jetty.ssl.sniRequired" default="false"/></Arg>
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
          <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
        </New>
      </Arg>
    </Call>
  </New>

</Configure>

 

In the example above (jetty-ssl.xml file), the default value for jetty.ssl.sniHostCheck is "true". This value has to be changed to default="false" to bypass the sniHostCheck.

 

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <!-- output truncated -->
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="false"/></Arg>
          <!-- output truncated -->
        </New>
      </Arg>
    </Call>
  </New>

 

You may also need to change it in the jetty-ssl.xml.j2 file.

Then, you have to restart the Controller AppServer.

After the controller AppServer restart is completed, you will be able to access the AppDynamics Controller via https://<controller_ip_addr>:8181

0 Karma

livehybrid
Super Champion

Hi @Osama_Abbas1 

Have you configured an APPDYNAMICS_CONTROLLER_HOST_NAME variable when running AppD? If so, is this the IP or hostname for your install?

IP addresses cannot be used with SSL Certificate SNI, which explains the error, although I would have expected just a browser warning. This makes me wonder, are you connecting via a proxy from your client to your AppD server? This could be trying to generate an SSL cert for the connection and failing.

Worth reading:

https://docs.appdynamics.com/appd/23.x/latest/en/application-monitoring/install-app-server-agents/ja...

https://docs.appdynamics.com/appd/onprem/23.x/23.6/en/secure-the-platform/controller-ssl-and-certifi...

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


livehybrid
Super Champion

Hey @Osama_Abbas1 

Thanks for letting us know how you resolved it 🙂
Good luck with your future AppD work!

Will

0 Karma

Osama_Abbas1
Explorer

Hey @livehybrid ,

Thanks! I appreciate it. Wishing you the best too! 😊

 

0 Karma