MID Server cannot connect to ServiceNow instance, error in agent log: org.apache.commons.httpclient.HttpException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated


Description

MID Server cannot connect to ServiceNow instance, error in agent log:

Request not sent to uri= https://<instance name>.service-now.com/<some endpoint> : org.apache.commons.httpclient.HttpException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Cause

If the MID Server cannot connect to the ServiceNow instance and keeps showing the "peer not authenticated" error in the agent log, this indicates that the certificate presented by the ServiceNow instance is not trusted by the MID Server's JRE (its cacerts keystore).


To verify this, open a web browser on the MID Server host, log in to your ServiceNow instance, and inspect the certificate chain.

Below are the out-of-the-box certificates:

If the certificate chain does not match what is shown in the image above and is instead signed by a third-party or uncommon Certificate Authority, it is highly likely not yet trusted by the JRE cacerts keystore.

Resolution

You can copy (download) the root certificate (the one at the top of the Certificate Chain) directly from IE, Chrome or Firefox on Windows by following the instructions in KB0816002.

After you have copied (downloaded) the root certificate, import it into the MID Server's cacerts keystore.

Follow the instructions at the link below. Note that the import requires the keystore password; if it has not been changed, the default password is "changeit".

https://docs.servicenow.com/csh?topicname=add-ssl-certificates.html&version=latest

Additional Information

This and other certificate-related MID Server requirements are described in KB0863673, MID Servers and Certificates.

To further confirm the certificate issue, add the line below to the wrapper-override.conf file in the conf directory under the MID Server installation folder:

wrapper.java.additional.3=-Djavax.net.debug=ssl

(Change the number 3 if that index is already in use.)

Once the line is added, restart the MID Server service. The wrapper log will then contain additional SSL debug output, including the certificate presented by the instance URL, which is likely issued by your own company's CA rather than a well-known Certificate Authority such as Entrust.
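The following script is an added example (not part of this KB article or of ServiceNow's tooling) that automates the Resolution and Additional Information steps above: it pulls the chain the instance presents, isolates the top certificate, checks whether the MID Server JRE's cacerts already trusts it, imports it if not, and appends the javax.net.debug line at the next free wrapper.java.additional index. The MID_HOME path is a placeholder and openssl and the JRE's keytool are assumed to be on PATH.

```shell
#!/bin/sh
# Added example: trust the ServiceNow instance's root CA in the MID Server JRE cacerts.
MID_HOME="${MID_HOME:-/opt/servicenow/mid/agent}"          # placeholder install dir
CACERTS="${CACERTS:-$MID_HOME/jre/lib/security/cacerts}"    # JRE trust store the MID Server uses
STOREPASS="${STOREPASS:-changeit}"                          # default keystore password per the KB

# Print only the last certificate of a PEM chain on stdin: the root, or the highest
# intermediate if the server omits the root (either works as a trust anchor).
extract_root_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{buf=""} {buf=buf $0 "\n"}
       /-----END CERTIFICATE-----/{last=buf} END{printf "%s", last}'
}

# Next free wrapper.java.additional.N index in a wrapper-override.conf ("change 3 if taken").
next_wrapper_index() {
  n=$(grep -o '^wrapper\.java\.additional\.[0-9]*' "$1" 2>/dev/null | sed 's/.*\.//' | sort -n | tail -1)
  echo $(( ${n:-0} + 1 ))
}

# Append the SSL debug flag from the KB at the next free index.
enable_ssl_debug() {
  echo "wrapper.java.additional.$(next_wrapper_index "$1")=-Djavax.net.debug=ssl" >> "$1"
}

# Fetch the instance chain, isolate the top cert, import it unless cacerts already holds it.
# Usage: trust_instance_root <instance name>.service-now.com
trust_instance_root() {
  host="$1"
  tmp=$(mktemp)
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | extract_root_cert > "$tmp"
  fp=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256 | sed 's/.*=//')
  # keytool -v prints "SHA256: AA:BB:..." in the same colon-separated uppercase form.
  if keytool -list -v -keystore "$CACERTS" -storepass "$STOREPASS" 2>/dev/null | grep -q "$fp"; then
    echo "already trusted: $fp"
  else
    keytool -importcert -noprompt -trustcacerts -alias "snc-root-$(date +%s)" \
      -file "$tmp" -keystore "$CACERTS" -storepass "$STOREPASS"
    echo "imported $fp; restart the MID Server service"
  fi
  rm -f "$tmp"
}
```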