Log Export Service: Kafka SSL Certificate Errors Due to SSL Interception on Customer Network

Issue

When a customer attempts to connect their MID Server to the ServiceNow Kafka (Hermes) cluster, the connection may fail with an SSL/TLS certificate validation error. This article explains the root cause, how to confirm it, and the steps required to resolve it.

Symptoms

The Kafka client job fails with an error similar to the following in the SSL handshake logs:

    javax.net.ssl|ERROR|...|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Additional error details may include:

- sun.security.validator.ValidatorException: PKIX path building failed
- References to a missing intermediate CA or root CA certificate
- Failure only on the MID Server host (not reproducible from other machines on different network paths)

Release

All

Cause

This error is caused by SSL interception (also known as deep packet inspection or TLS inspection) on the customer's corporate network. A proxy or firewall device terminates the original TLS connection to the ServiceNow Kafka broker and re-signs the certificate using an internal Certificate Authority (CA).

Because the internal CA certificate is not present in the Java truststore used by the MID Server, the Java runtime cannot build a valid certificate chain to the broker, resulting in the PKIX path building failure.

Resolution

How to Confirm SSL Interception

Before proceeding with the fix, confirm that SSL interception is the cause:

1. Review the SSL handshake logs on the MID Server. Look for a certificate issuer that does not match an expected public CA (for example, the issuer matches an internal corporate CA name).

2. List the contents of the truststore to check which CA certificates are currently trusted:

       keytool -list -keystore truststore.p12 -storetype PKCS12 -storepass [password]

   Confirm that the issuing (intermediate) and root CA certificates from your internal PKI are absent from the truststore output.

3. Involve your Network Security or PKI Certificate team to confirm whether SSL inspection is active on the path between the MID Server and the ServiceNow Kafka endpoints.

There are two resolution paths. Work with your Network Security and PKI teams to determine which is appropriate for your environment.

Option A — Bypass SSL Inspection for ServiceNow Kafka Endpoints (Recommended)

Configure your proxy or firewall to exclude the ServiceNow Kafka (Hermes) endpoints from SSL inspection. This is the cleaner solution because it avoids ongoing certificate management on MID Servers.

Contact your Network Security team and provide them with the ServiceNow Kafka endpoint hostnames/IPs. Ask them to add those endpoints to the SSL inspection bypass list.

Option B — Import Internal CA Certificates into the Java Truststore

If bypassing SSL inspection is not feasible, import your organization's root and intermediate CA certificates into the truststore on each MID Server.

Step 1 — Obtain the CA certificates

Request the root CA certificate (root.crt) and the intermediate/issuing CA certificate (intermediate.crt) from your PKI Certificate team.

Step 2 — List the current truststore contents (optional but recommended)

    keytool -list -keystore truststore.p12 -storetype PKCS12 -storepass [password]

Step 3 — Import the intermediate CA certificate

    keytool -importcert -file intermediate.crt -storepass [password] \
        -destkeystore truststore.p12 -deststoretype PKCS12 \
        -alias "issuing-ca-certificate"

Step 4 — Import the root CA certificate

    keytool -importcert -file root.crt -storepass [password] \
        -destkeystore truststore.p12 -deststoretype PKCS12 \
        -alias "root-ca-certificate"

Step 5 — Verify the import

    keytool -list -keystore truststore.p12 -storetype PKCS12 -storepass [password]

Confirm that two new entries appear for your issuing and root CA certificates.

Step 6 — Retest the Kafka connection

Rerun the Kafka client job. If successful, repeat Steps 3–5 on any additional MID Servers in the environment.

Note: Do not use -srcstoretype PKCS12 in the import commands above unless you are converting between keystore types. Use -deststoretype PKCS12 to specify the output format.
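As an added example (not part of the ServiceNow article or product), the following Python script automates the first two checks under "How to Confirm SSL Interception": it pulls the issuer/subject DNs out of the MID Server's javax.net.ssl handshake log, reads the Owner lines of a keytool -list -v dump of the truststore, and reports whether the broker's chain is anchored by a CA that is neither an expected public operator nor present in the truststore. The log and truststore excerpts are constructed, the DNs are made up, and the set of expected public CA organizations is an assumption you supply for your environment. The same check covers Step 5 of Option B: after the import, the missing-from-truststore list should be empty.

```python
import re
# Constructed excerpt in the style of a JDK javax.net.ssl debug log (all DNs are made up).
HANDSHAKE_LOG = """\
  "certificate" : {
    "issuer"  : "CN=Example Corp TLS Inspection CA, O=Example Corp",
    "subject" : "CN=kafka-broker.hermes.example, O=ServiceNow",
  },
  "certificate" : {
    "issuer"  : "CN=Example Corp Root CA, O=Example Corp",
    "subject" : "CN=Example Corp TLS Inspection CA, O=Example Corp",
  }
javax.net.ssl|ERROR|...|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: \
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""
# Constructed excerpt in the style of `keytool -list -v` output for the MID Server truststore.
TRUSTSTORE_LISTING = """\
Alias name: digicert-global-root-g2
Entry type: trustedCertEntry
Owner: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
"""
DN_FIELD = re.compile(r'"(issuer|subject)"\s*:\s*"([^"]*)"')
OWNER_LINE = re.compile(r"^Owner:\s*(.+?)\s*$", re.MULTILINE)

def norm(dn):
    """Normalize a DN for comparison: trim whitespace around commas, ignore case."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_chain(log_text):
    """Presented certificate chain as (subject, issuer) tuples, leaf first."""
    chain, cur = [], {}
    for name, value in DN_FIELD.findall(log_text):
        cur[name] = value
        if len(cur) == 2:  # one issuer/subject pair per certificate block
            chain.append((cur["subject"], cur["issuer"]))
            cur = {}
    return chain

def assess(log_text, listing, expected_public_orgs):
    """Flag interception: leaf signed by a non-public CA the truststore lacks, plus the PKIX error."""
    issuers = [issuer for _, issuer in parse_chain(log_text)]
    trusted = {norm(dn) for dn in OWNER_LINE.findall(listing)}
    missing = [i for i in issuers if norm(i) not in trusted]
    public_leaf = bool(issuers) and any(f"O={org}" in issuers[0] for org in expected_public_orgs)
    pkix_failed = "PKIX path building failed" in log_text
    return {
        "pkix_failed": pkix_failed,
        "leaf_issuer": issuers[0] if issuers else None,
        "missing_from_truststore": missing,
        "likely_interception": pkix_failed and bool(missing) and not public_leaf,
    }
```

Run it against the real handshake log and a fresh `keytool -list -v` dump; a non-empty missing list together with an issuer outside your expected public CAs is the signature the article tells you to look for.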