Splunk AppDynamics

Splunk AppDynamics HTTP Error 400 Invalid SNI

Osama_Abbas1
Explorer

I am deploying an On-Premises AppDynamics demo for a customer version (25.1.1.10031) and it is running on HTTP (8090). However, when I try to open it https://<ip_addr>:8181, I get the attached error message.

SNISNI

The screenshot has appd not the IP address just to hide it

How do I bypass this error?

Labels (1)
0 Karma
1 Solution

Osama_Abbas1
Explorer

Hi @livehybrid,

Thanks a lot for your consideration.

I have been going through some jetty related posts (ring/ring-jetty-adapter/src/ring/adapter/jetty.clj at cefb95e698eeb8c58a082ddb2eec6fb9958506cb · rin...) in regard to this issue as it is the webserver running the controller. I found out that this is not a real issue with jetty, but rather, it is the default behavior. But luckily, it has a workaround.

After doing some research, below is the workaround:

Spoiler
This is not a permanent solution as the below changes will revert whenever jetty is upgraded, but it temporarily solves the problem. 

 

$ cd /opt/appdynamics/platform/product/controller/appserver/jetty/etc
$ cat jetty-ssl.xml
<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- Base SSL configuration                                        -->
<!-- This configuration needs to be used together with 1 or more   -->
<!-- of jetty-https.xml or jetty-http2.xml                         -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <Arg name="sniRequired" type="boolean"><Property name="jetty.ssl.sniRequired" default="false"/></Arg>
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
          <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
        </New>
      </Arg>
    </Call>
  </New>

</Configure>

 

In the example above (jetty-ssl.xml file), the default value for jetty.ssl.sniHostCheck is "true". This value has to be changed to default="false" to bypass the sniHostCheck.

 

<New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <!-- output truncated -->
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="false"/></Arg>
          <!-- output truncated -->
        </New>
      </Arg>
    </Call>
  </New>

 

You may also need to change it in jetty-ssl.xml.j2 file

Then, you have to restart the Controller AppServer.

After the controller AppServer restart is completed, you will be able to access the AppDynamics Controller via https://<controller_ip_addr>:8181

HTTPs.jpg

View solution in original post

Tags (1)
0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @Osama_Abbas1 

Have you configured a APPDYNAMICS_CONTROLLER_HOST_NAME variable when running AppD? If so, is this the IP or hostname for your install? 

IP addresses cannot be used with SSL Certificate SNI, which explains the error, although I would have expected just a browser warning. This makes me wonder, are you connecting via a proxy from your client to your AppD server? This could be trying to generate an SSL cert for the connection and failing.

Worth reading:

https://docs.appdynamics.com/appd/23.x/latest/en/application-monitoring/install-app-server-agents/ja...

https://docs.appdynamics.com/appd/onprem/23.x/23.6/en/secure-the-platform/controller-ssl-and-certifi...

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Osama_Abbas1
Explorer

Hi @livehybrid,

Thanks a lot for your consideration.

I have been going through some jetty related posts (ring/ring-jetty-adapter/src/ring/adapter/jetty.clj at cefb95e698eeb8c58a082ddb2eec6fb9958506cb · rin...) in regard to this issue as it is the webserver running the controller. I found out that this is not a real issue with jetty, but rather, it is the default behavior. But luckily, it has a workaround.

After doing some research, below is the workaround:

Spoiler
This is not a permanent solution as the below changes will revert whenever jetty is upgraded, but it temporarily solves the problem. 

 

$ cd /opt/appdynamics/platform/product/controller/appserver/jetty/etc
$ cat jetty-ssl.xml
<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- Base SSL configuration                                        -->
<!-- This configuration needs to be used together with 1 or more   -->
<!-- of jetty-https.xml or jetty-http2.xml                         -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <Arg name="sniRequired" type="boolean"><Property name="jetty.ssl.sniRequired" default="false"/></Arg>
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
          <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
        </New>
      </Arg>
    </Call>
  </New>

</Configure>

 

In the example above (jetty-ssl.xml file), the default value for jetty.ssl.sniHostCheck is "true". This value has to be changed to default="false" to bypass the sniHostCheck.

 

<New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <!-- output truncated -->
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="false"/></Arg>
          <!-- output truncated -->
        </New>
      </Arg>
    </Call>
  </New>

 

You may also need to change it in jetty-ssl.xml.j2 file

Then, you have to restart the Controller AppServer.

After the controller AppServer restart is completed, you will be able to access the AppDynamics Controller via https://<controller_ip_addr>:8181

HTTPs.jpg

Tags (1)
0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hey @Osama_Abbas1 

Thanks for letting us know how you resolved it 🙂
Good luck with your future AppD work!

Will

0 Karma

Osama_Abbas1
Explorer

Hey @livehybrid ,

Thanks! I appreciate it. Wishing you the best too! 😊

 

0 Karma
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...