I am getting
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
while calling identity server endpoint from enterprise integrator, although we have generated the SSL certificate and it is imported in the truststore.jks but still getting this error.
While testing the connection it says Successfully connected to identity server but while calling the endpoint it gives SSL exception on the console.
Message = Going to send Request to IS.,MessageCode = null,ErrorMessage = null,ErrorDetail = null,ErrorException = null {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2017-11-07 07:14:54,841] ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O error: Received fatal alert: certificate_unknown {org.apache.synapse.transport.passthru.TargetHandler}
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
Try setting the truststore manually. Open wso2ei-6.1.1/bin/integrator.sh and add javax.net.ssl.trustStore like this.
-Dorg.wso2.ignoreHostnameVerification=true \
-Djavax.net.ssl.trustStore="$CARBON_HOME/repository/resources/security/client-truststore.jks"
org.wso2.carbon.bootstrap.Bootstrap $*
status=$?
done
I hope you found the issue. I faced the same problem some days ago, so I'm writing the solution for the record.
To solve this you need to import each product certificate in the truststore of the other.
Go to WSO2 EI and extract the certificate from wso2carbon.jks
Add the certificate to the client-truststore.jks file in the WSO2
IS
Go to WSO2 IS and extract the certificate from wso2carbon.jks
Add the certificate to the client-truststore.jks file in the WSO2
EI
We faced the same problem, when WSO2 IS version was prior to v5.4.0, but instead of extracting the certificate from wso2carbon.jks as Gabriel said, we extracted the certificates from the browser, opening the carbon console on both WSO2 EI and WSO2 IS. For some reason, the localhost certificate returned in the browser is different than the one stored in the wso2carbon.jks for WSO2 EI (tested on version 6.1.0 and 6.1.1). One reason could be that it's returning the localhost certificate from the JVM's keystore. That's why it's better to get it from the browser.
Open in browser https://localhost:9443/carbon of WOS2 IS. (Firefox: Click on locker in the address bar -> Connection -> details -> More Information -> Security tab -> view Certificate -> Details tab -> Export... -> save as X.509 Certificate (PEM); Chrome: click on Not Secure warning in address bar -> Certificate -> Details tab -> Copy to File ... -> Next -> Select the format -> Base-64 encoded X.509 (.CER) -> Next ...)
Import the certificate into {WSO2_IS_HOME}/repository/resources/security/client-truststore.jks. Eventually use KeyStore Explorer tool for easier way.
Open in browser https://localhost:9444/carbon of WOS2 IS (we have offset 1 for WSO2 IS) and do the same as at point 1.
Import the certificate into {WSO2_EI_HOME}/repository/resources/security/client-truststore.jks.
Related
I am getting below certification error while i am trying to call any API https://:8243/ from a react based frontend application. I have defined my rest API in wso2 EI 6.3. I am not using wso2 APIM.
What i did to resolve this issue:
1. I created a new self signed certificate and created a new key store. Updated carbon.xml, axis2.xml file. Restart the server. I am able to see my certificate in wso2 Ei GUI.
2. I accepted the certificate in browser.
But still i am not able to get rid of this error.
Is this error coming due to self signed certificate? If i will be using any CA signed certificate then this issue will not be there?
Any help or pointer is highly appreciated.
[2020-04-07 08:54:48,841] [-1] [] [HTTPS-Listener I/O dispatcher-2] ERROR {org.apache.synapse.transport.passthru.SourceHandler} - I/O error: Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:280)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
BR//
Vipin Nirwal
I was able to resolve this issue. I followed the below steps.
I created a self CA first. Then created a certificate signed by my own CA. Import the root certificate of my CA into the browser As this CA needs to be trusted by browser.
After this update carbon.xml, files inside axis2 directory and catalina-server.xml file with proper jks file and password for keystores.
Restarted the server.
You can try to debug it yourself by enabling SSL debug logs in the EI server. In the SSL logs, you can check whether the client certificate and the server certificate is matching. Have a look at the following blog.
https://medium.com/#nipunadilhara/enabling-ssl-debug-logs-for-wso2-products-30833d5de88e
I am trying to call a WSO2 API through https port 8243. However, when I make a call, the client app (web app) gets a 502 bad gateway error (which is logged inside WSO2 apim server carbon log file).
I see the exception below.
Please Note that, I have received a CA signed cert inside a jks from my networking team... I imported It through management console into keystore... I can view the company certs as well from the console:
TID: [-1] [] [2018-12-19 16:51:12,890] ERROR {org.apache.synapse.transport.passthru.SourceHandler} -
I/O error: Received fatal alert: unknown_ca {org.apache.synapse.transport.passthru.SourceHandler}
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
If you are trying to update the certificate of API Manager, importing the certificate to existing keystore will not work.
Please have a look at the documentation[1] on creating a keystore with a CA signed certificate when you create the new keystore with updated certificate.
The main keystore of WSO2 products is wso2carbon.jks file which holds private certificate entry. When you update the certificate with keystore you have to update all the configuration files listed in documentation[2] to refer to new keystore file and also you will have to update related properties(i.e: keystore password, key password, alias).
[1] https://docs.wso2.com/display/Carbon443/Creating+New+Keystores
[2] https://docs.wso2.com/display/Carbon443/Configuring+Keystores+in+WSO2+Products
I have done broker and client configuration on same node.
When ssl.client.auth=none it works fine but whenever I change that property to "required", ssl.client.auth=required and enabled security.inter.broker.protocol=SSL then it gives me an issue on producer side.
[2017-12-13 11:06:56,106] WARN Failed to send SSL Close message (org.apache.kafka.common.network.SslTransportLayer)
java.io.IOException: Connection reset by peer
at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
at sun.nio.ch.IOUtil.write(IOUtil.java:65)
at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:194)
at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:161)
at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:45)
at org.apache.kafka.common.network.Selector.close(Selector.java:442)
at org.apache.kafka.common.network.Selector.poll(Selector.java:310)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:256)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:216)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:128)
at java.lang.Thread.run(Thread.java:745)
Any solution for this?
As mentioned in the comments, the answer was found by the asker:
Its resolved.This issue comes when signed certificate of the server
did not match with client keystore. We need to generate client
keystore and import the the signed certificate of the server to client
keystore.
Need your help in setting the SSL manager in Jmeter for performance testing with IBM datapower.
I tried the below steps to Add cert.
• Added (* .jks /*.p12 ) file in the jmeter GUI > Options > SSL Manager.
• I tried the setting the jks file in system.properties file too.
Path : *\jMETER\apache-jmeter-3.0\apache-jmeter-3.0\bin\system.properties
# Truststore properties (trusted certificates)
#javax.net.ssl.trustStore=/path/to/[jsse]cacerts
#javax.net.ssl.trustStorePassword
#javax.net.ssl.trustStoreProvider
#javax.net.ssl.trustStoreType [default = KeyStore.getDefaultType()]
# Keystore properties (client certificates)
# Location
javax.net.ssl.keyStore=****.jks -- Added
#
#The password to your keystore
javax.net.ssl.keyStorePassword=****-- Added
#
#javax.net.ssl.keyStoreProvider
#javax.net.ssl.keyStoreType [default = KeyStore.getDefaultType()]
I dont see the SSL handshake jMETER and datapower even after i followed ablove steps. Getting below error from datapower.
12:47:26 AM ssl error 51751363 10.123.98.73 0x806000ca valcred (###_CVC_Reverse_Server): SSL Proxy Profile '###_SSLPP_Reverse_Server': connection error: peer did not send a certificate
12:47:26 AM mpgw error 51751363 10.123.98.73 0x80e00161 source-https (###_HTTPS_FSH_CON_****): Request processing failed: Connection terminated before request headers read because of the connection error occurs, from URL: 10.123.98.73:58394
12:47:26 AM ssl error 51751363 10.123.98.73 0x8120002f sslproxy (####_SSLPP_Reverse_Server): SSL library error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
Can you please advice how to send the cert(.jks/ .p12) file from jmeter.
Change "Implementation" of your HTTP Request sampler(s) to Java. The fastest and the easiest way of doing this is using HTTP Request Defaults.
If you're using .p12 keystores you will need an extra line in the system.properties file like:
javax.net.ssl.keyStoreType=pkcs12
JMeter restart is required to pick the properties up.
See How to Set Your JMeter Load Test to Use Client Side Certificates article for more information.
I am receiving the following error while trying to connect my REST webservice using HTTP adapter in IBM Mobile First:
"errors": [
"Runtime: Http request failed: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"
I am passing the user id and password in a base64 encoded format in the headers section of my input.
How do I resolve this error?
Yoel's answer got me on track: your adapter is doing an SSL request to a server that is not trusted by the keystore in your MobileFirst server.
You need to import in your server's keystore the certificate chain of the server that you are trying to reach. What I did was
From Firefox, export the certificate chain in PEM format (.crt extension).
In the server/conf folder of your project, import the certificate chain file. If you are using the defaults form the worklight.properties file, this will do it:
keytool --import -keystore default.keystore -storepass worklight -file remoteServer.crt
This bizarre message means that the truststore you specified was not
found, or couldn't be opened due to access permissions for example.
Quote from: Error - trustAnchors parameter must be non-empty
Author: #EJP
Similar question:
got java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty when using cas