I create an API where I configure the endpoint: https://ssl.croinform.ru:450/api.test. And there is a problem with https: I am not getting a response to the request. It seems the WSO2 API Manager API gateway is not proxying requests to the endpoint. When I make requests directly, I pre-configure the infrastructure: install the openssl counterpart, install the cacer.p7b and ssl.croinform.cer certificates. After that, I successfully receive responses from the ssl.croinform.ru:450/api.test service.
I was advised to add a certificate according to this manual: https://apim.docs.wso2.com/en/3.2.0/learn/design-api/endpoints/certificates/#adding-a-certificate-for-an-endpoint. I did everything according to the manual, but requests to https are still not transmitted. The problem is I need to import two certificates: cacer.p7b, ssl.croinform.cer. I manage to add the .cer certificate, but the .p7b certificate is not added (I get an error). I suppose the .p7b file extension is simply not supported. But I need to transfer the whole certificate chain. Also, I do not understand how encryption is supported in wso2-am, but this is important, since traffic with a remote API is encrypted using TLS. Am I getting it right that wso2-am works with openssl? If so, is it possible to use any other alternative software? In my case, openssl does not support some regional standards. I am still asking for hints or directions on my problem.
When I install a certificate with a .p7b extension in the portal I get the following error: The server encountered an internal error. Please contact administrator.
The wso2carbon.log file contains the following events:
ERROR {org.wso2.carbon.apimgt.impl.utils.CertificateMgtUtils} - Error loading certificate. java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length
at java.base / sun.security.x509.X509CertImpl. (X509CertImpl.java:197)
at java.base / sun.security.provider.X509Factory.engineGenerateCertificate (X509Factory.java:10
Continuing:
ERROR {org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl} - Error adding the certificate to Publisher Trust Store. Rolling back...
ERROR {org.wso2.carbon.apimgt.impl.APIProviderImpl} - Adding certificate to the Publisher node is failed. No certificate changes will be affected.
ERROR {org.wso2.carbon.apimgt.rest.api.publisher.v1.impl.EndpointCertificatesApiServiceImpl} - Error while adding the certificate due to an internal server error
Can you tell me what I need to do to make this work in WSO2 API Manager?
I need to attach a CA certificate with the Postman request. I am attaching a CA certificate in Postman as shown in this image. Here domain.pfx is not a self-signed certificate. It is signed by a CA. When I attach this certificate and hit the dotnet core web api controller, it gives the socket hangup error. It's not even hitting the dotnet core web api. It gives this error in Postman.
But when I attach the self-signed certificate instead of a certificate signed by a CA, everything works as expected. I can hit the controller and retrieve the thumbprint from it. I am attaching the self-signed certificate in the same way.
I am getting the socket hangup error only when a CA certificate is attached; with a self-signed certificate it's working. How can I resolve this issue? Am I doing something wrong in adding the CA certificate? Are there any other ways to attach a CA certificate in Postman?
Your configuration of the certificate does not appear to be a problem. Since I don't know what your request looks like, I can only share with you a few cases where I encountered this error.
When you use a port for connecting to the database that is already in use by another service, the "Socket Hang up" error comes out. For example: port 51223 is a dedicated port for some other service or connection. You cannot use the same port (51223) for making a database connection on the same server.
Your application was switched to https and your Postman requests still had http in them. You can change Postman to https to fix it.
Check if there is a VPN connection; if so, disconnect it.
Check if the version of Postman is the latest version; this problem occurs in some versions.
Hope this can help you.
I have created an http server to receive post-hooks from git whenever a push event is issued (for the purpose of auto-deployment).
The problem is that when I add a Web hook to my repository, and when an event is triggered, the request cannot reach the server.
And I get the following error:
We had a problem connecting to the server.
The most common problem with these types of errors is a misconfigured SSL Certificate.
Any ideas?
By default, a GitHub WebHook would perform SSL certificate verification (and disabling that verification is not a good idea).
Make sure your server has all intermediate CAs in its keystore, and debug your certificate using an SSL checker as mentioned in "Troubleshooting GitHub WebHooks SSL Verification".
Here's my setup:
an IdentityServer 4 as a stateless reliable ASP.NET Core service.
a WebAPI as a reliable ASP.NET Core service.
Using them with a JS client, it is now working with HTTP. The problem is with HTTPS. The WebAPI needs to request the openID config via https [is4URL].well-known/openid-configuration. I'm getting this error:
System.InvalidOperationException: IDX10803: Unable to obtain
configuration from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.IO.IOException: IDX10804: Unable to retrieve document from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.Net.Http.HttpRequestException: An error occurred while sending
the request. ---> System.Net.WebException: The underlying connection
was closed: Could not establish trust relationship for the SSL/TLS
secure channel. --->
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.
Can anybody help me to make this work in localhost with the SF Local Cluster Manager?
Thanks
Here's my two cents worth but it will need to be verified...
I am assuming that you have created a self-signed certificate using the following article or similar, but the certificate has the same properties.
https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-configure-ssl-certificate
This means that the certificate cannot be verified via an actual CA. Of course, with a self-signed certificate this is not possible.
Now when you upload the certificate to Azure App Service it installs in CurrentUser - MyStore. With a self-signed certificate, it also needs to be installed in the LocalMachine Root store.
This is because then the machine's Certificate Authority can verify that certificate to be valid. (Maybe a security expert can correct me if I am wrong, but that's my theory.) I have got the same setup on my locally hosted Windows server where the self-signed certificate is installed in the Root Certificate Store as well as the Personal store and the app works. This is the reason I believe this happens.
So this is the part which needs to be verified. Following is the article which shows you how you can do this in Azure App Service.
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal
AGAIN THIS IS JUST A THEORY THIS NEEDS TO BE VERIFIED. :)
EDIT:
I have just tested this and it is the case. In cloud services you can do as shown in the second link above and create a Web Job which installs the certificate in the appropriate store.
For Azure App Service, unfortunately, you don't have access to the root store. It has to be installed in the CurrentUser's personal store. Which means the self-signed certificate will not work, and you have to purchase a real certificate. :( I think this is a real thumbs down to Microsoft. Why should I need to pay for a real certificate for my dev/test environment? (Rant Over)
For Service Fabric you will need to find out how to install the certificate in the Root Store as well as the personal store (if that's possible at all). Here are links that might be useful:
http://ronaldwildenberg.com/running-an-azure-service-fabric-cluster-locally-on-ssl/
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security-update-certs-azure
Hope this helps.
I have implemented a servlet to receive SMS messages from Twilio when someone replies to my Twilio number. I have configured the server in Twilio but I am getting ERROR 11220.
The servlet is in an AWS EC2 instance and is accessible via browser and JMeter. SSL Labs gave the servlet URL an A+ rating. Not sure how come Twilio can't reach it. I'm at a loss. Any tips on anything I can try would be greatly appreciated. Thanks.
TL/DR: Install (or have your server management company install) the full certificate chain that you got when you purchased the cert for your domain.
We ran into a similar issue with Twilio while using their faxing service; it gave the same error on callbacks.
More specifically, their event console (https://www.twilio.com/console/debugger) shows:
11200 - HTTP retrieval failure. In the details section it shows:
ErrorMessage: "Failed to fetch fax media from URL ... (Got status 502 trying to download media)"
Twilio_was_unable_to_fetch_content_from: ...
Error: _Connection_reset_by_peer_over_TLS, _assuming_that_this_is_a_handshake_failure
... SSL_Version:_TLSv1_2 URL_Fragment:_true
Twilio likely uses a Java library which, by default, has a set of certificates independent from the operating system's set of certificates.
All major browsers use their operating system's certificates, which is why you can see that the cert is valid in your browser. Services like SSL Labs that properly handle certs can also validate it.
Twilio could fix this by using their operating system's certificates or by keeping their certs up-to-date. Until such a time...
You have to work around the issue by installing the full certificate chain so that they can validate it. When you purchase a cert for your domain, they generally send the plain cert, as well as a full certificate chain bundle with all of the intermediate certificates. Installing the full chain should fix the issue.
Ever since moving an internal APEX website from the embedded PL/SQL gateway to a WebLogic server, browsers throw certificate errors.
How can I get rid of these errors/fix the certificates?
Internet Explorer:
The security certificate presented by this website was not issued by
a trusted certificate authority. Security certificate problems may
indicate an attempt to fool you or intercept any data you send to the server
Chrome:
You attempted to reach sy02131.adt.com, but the server presented a
certificate issued by an entity that is not trusted by your computer's
operating system. This may mean that the server has generated its own
security credentials, which Google Chrome cannot rely on for identity
information, or an attacker may be trying to intercept your communications.
Out of the box, the embedded SQL gateway (EPG) uses no SSL. It looks like your WebLogic instance did or even requires SSL. It's probably using a set of starter keys that you're meant to replace. At any rate, your browser is causing this problem, not the server. You should be able to bypass this as a warning in the browser or add an exception. If you want this error to go away in production, get some proper SSL keys from a certificate authority.
Here is how to configure them once you get them:
http://docs.oracle.com/cd/E12840_01/wls/docs103/secmanage/ssl.html