Error when trying to sync controller

When trying to sync the controller I receive this message:

Downloading account configuration failed : PKIX path building failed: Unable to find certificate chain.

Anyone have any suggestions?

As a workaround while the team deal with the other important things:

Just export your design from the online designer, then instead of doing an online sync with your controller (using your normal login details), click on the "off-line" option and use the Zip file.

The advantage of this method is that you'll have a nice archive of your design.

I normally keep my previous versions in zip format, just in case I don't like the changes I've made, or just to satisfy my backup paranoia.

Thank you!

As explained in another post, we’re currently using a self-signed certificate.
In order for the sync to work, you need to have Java trust the certificate on the controller.

One way to do that is to retrieve the certificate (from the designer website), then import it into the cacerts file of your local JRE/JDK using a command such as:

keytool -keystore cacerts -import -trustcacerts -alias designer_selfsigned -file openremote.crt

openremote.crt would be the certificate file. You might need to do some format conversion on the certificate to have it working (use openssl, google for commands).

And to retrieve the certificate to the openremote.crt file you can use this command (works on eBox):

openssl s_client -showcerts -connect DESIGNER_HOST:PORT </dev/null 2>/dev/null | openssl x509 -outform PEM > openremote.crt
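
An added example, not from the original posts: checks to run on a retrieved certificate before the keytool import, shown on a constructed throwaway certificate. The function names, the designer.example subject and the comparison against a fingerprint obtained through a separate channel are assumptions of this example; the not-yet-valid result corresponds to the "certificate not valid till" error quoted later in the thread.

```shell
#!/bin/sh
# Added example: pre-import checks for a self-signed certificate (POSIX sh + openssl).

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Classify a self-signed cert's validity at a given epoch time (e.g. `date +%s`):
# prints ok, not-yet-valid, expired or invalid.
cert_status() {
    out=$(openssl verify -attime "$2" -CAfile "$1" "$1" 2>&1) || true
    case "$out" in
        *"not yet valid"*) echo not-yet-valid ;;
        *"has expired"*)   echo expired ;;
        *": OK"*)          echo ok ;;
        *)                 echo invalid ;;
    esac
}

# Gate for the keytool import: the fingerprint must match the value obtained
# out of band (assumption) AND the cert must be valid by the local clock.
check_before_import() {   # FILE EXPECTED_FINGERPRINT EPOCH
    if [ "$(cert_fingerprint "$1")" != "$2" ]; then
        echo fingerprint-mismatch; return 1
    fi
    status=$(cert_status "$1" "$3")
    echo "$status"
    [ "$status" = ok ]
}

# Constructed sample: a throwaway self-signed cert valid for 30 days from now.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=designer.example" -keyout "$1.key" -out "$1" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/sample.crt"
now=$(date +%s)
fp=$(cert_fingerprint "$demo_dir/sample.crt")
# Clock inside the validity window, then a clock set one day too early.
check_before_import "$demo_dir/sample.crt" "$fp" "$((now + 3600))" || true
check_before_import "$demo_dir/sample.crt" "$fp" "$((now - 86400))" || true
```
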


As “easy” and “advantageous” as the workaround is, it’s burdensome to multiply the number of users of Designer by an estimated 10 mins a day. Hundreds of man hours?? tens of man hours… to offset 9,81 euro and one hour’s work to deploy a “real” cert? I personally pissed away 90 mins of my life trying to get the self-signed cert added to my JRE.

The problem I have, you see, is that Certs are a minimum of a year… meaning there’s a year’s warning it’s going to expire. A year to find the time to fit it in to all the important things. If you buy a cert “today” then “renew” it tomorrow, you pay for 2 years and get 2 years. The 2nd cert you receive “tomorrow” will not expire til a year after the first, giving you an entire year to deploy the new cert. And of course, that’s the absurd timing viewpoint of the process. (If you had the money to buy 2 years a day apart, why not just get the tiny discount multiple years yield?)

Am I correct in assuming that self-signed cert is a temp fix and that renewal/replacement of the older cert is the permanent solution?

Even if a cert expires, I can't see how it could take longer than a week to get a new cert from Verisign, Symantec and get it installed.
Is there a timeline for getting this resolved?


Hi 🙂

Do you know where to save the file? I have installed the controller on a Synology NAS.

Br Jesper

The process is all browser based. In Designer, save the zip. Put it wherever your browser puts things. Then in the Controller, where you’d normally do the “Sync with Online Designer” click the OFFLINE dot and then click the Browse button to find the zip you just downloaded. Then click Upload.

Hi, I am getting the following error and it seems like it is related to this certificate issue. Can someone confirm it is related to the certificate expiration issue? Also, what is the expected time frame for the fix?

Downloading account configuration failed : PKIX path validation failed: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: certificate not valid till 20161003000000GMT+00:00

certificate not valid till 20161003000000GMT+00:00

There must be something wrong with the date/time of your machine. October 3rd is certainly in the past, here in the real world. Is your machine off by a year? 2015 instead of 2016? (for example.)