PKIX Validation Error "signature check failed" When Connecting to an LDAPS Server from a ServiceNow Instance


Some customers have reported this error when connecting their ServiceNow instances to an LDAPS server:

ldaps:// PKIX path validation failed: signature check failed

Release or Environment

All supported ServiceNow releases


This error appears when the LDAPS server presents a certificate chain issued by an internal, self-signed or otherwise non-public Certificate Authority (CA) and the CA certificates in that chain have not been uploaded to the instance's X.509 Certificates table. Without them the instance has no trust anchor against which the chain's signatures can be checked, so PKIX path validation fails.



Recommended Solution
If the LDAPS server's certificate comes from an internal/self-signed/non-public CA, the CA certificates that make up its chain of trust (the issuing CA, any intermediate CAs, and the root) need to be uploaded to X.509 Certificate [sys_certificate] on the instance:

Note: The LDAPS server admin should be able to provide you with all this information. If not, the certificates the server sends should be visible in the output of openssl s_client -showcerts -connect (run against the LDAPS host and port). Servers usually send their own certificate and the intermediates but not the root, so the root certificate may still have to come from the CA admin. If the CA certificates are already on the instance and the error persists, check that the uploaded copies are current: a CA certificate with the right subject name but an old key (for example, one from before a CA key rollover) is a common reason for a signature check to fail rather than a "missing issuer" error.

Alternative Workaround

If, for some reason, the steps in the Recommended Solution do not resolve the error, you can get past it by disabling certificate verification: set the System Property com.glide.communications.trustmanager_trust_all to true.

WARNING: This can have significant security implications and is a global setting for the whole instance (not just LDAP). It should only be used temporarily for testing (on sub-prod instances) and should not be used in production.