When attempting to authenticate to the Endpoint Protection Manager (SEPM) REST API, you receive an error, " PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target."  If using Advanced Threat Protection (ATP), you may receive a "non 200 HTTP response" error when establishing the SEPM Controller connection. 

semapisrv.log

2018-02-09 11:09:28,198 [http-apr-8446-exec-6] ERROR c.s.s.s.c.e.h.GlobalControllerExceptionHandler - EXCEPTION: error.login
com.symantec.sepm.core.exception.AuthorizationException: error.login
    at com.symantec.sepm.server.servletintegration.ServletIntegrationMgr.doLogin(ServletIntegrationMgr.java:301)
    at com.symantec.sepm.server.servletintegration.ServletIntegrationMgr.doLogin(ServletIntegrationMgr.java:214)
.....
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
.....
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397).....
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141).....



This can occur if the SEPM's certificate was improperly replaced in the Apache folder without utilizing the SEPM wizard.  (server.crt in /apache/conf/ssl) The SEPM server utilizes both a Java Keystore (JKS) for Tomcat and PEM encoded certificate within Apache.  When replacing the SEPM certificate, both of these need to be updated. 

Use the Manage Server Certificate option within the SEPM to update the certificate.  See, Updating or restoring a server certificate. 

Note:  When you replace the certificate on the SEPM, clients may lose connectivity to the SEPM.  See, Best practices for updating server certificates and maintaining the client-server connection, for more information.