Can't create new virtual host - create keystore cert validation error

We just updated/created new certificates, uploaded them to the TLS keystore and updated the corresponding references (Apigee Edge). The previously running virtual hosts (sub1.domain.com, sub2.domain.com) that use the existing references are working fine. The updated certificates validate fine with openssl and Chrome on the virtual hosts' domains.
The certificate is a wildcard certificate from Let's Encrypt; we uploaded the fullchain PEM and the private key.
Now we want to create a new virtual host for another subdomain (sub3.domain.com), but we receive the following error:

curl 'https://apigee.com/organizations/<my_org>/environments/test/virtualhosts' \
  -H 'Accept: application/json' \
  --data-raw '{"hostAliases":["sub3.domain.com"],"name":"my_vhost","port":"443","sSLInfo":{"enabled":"true","keyAlias":"domain.com","keyStore":"ref://domain.com","ignoreValidationErrors":false},"useBuiltInFreeTrialCert":false}'

<< response status code 400
<< response body
{
  "code" : "messaging.config.beans.VirtualHostCACertValidationError",
  "message" : "Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be trusted by java trust anchors or CAs",
  "contexts" : [ ]
}

Thanks for any help resolving this issue!


Maybe correct the certificate chain in the keystore referenced in your virtual host configuration. It looks like Apigee does not have a way to trust your server's certificate because the CA which signed the certificate is not a trusted CA.

Maybe follow the document below and set up the certs as per that documentation.

Also, dealing with virtual hosts can sometimes cause issues with the nginx configs in /opt/nginx/conf.d; the document below helps with troubleshooting (refer to the first part).


Thanks for your reply! Actually, we followed the docs to upload the full chain, and the uploaded certificates validate fine when we call an existing proxy endpoint (so the CA should be fine, I guess). Only when we want to create a new virtual host with the uploaded certs do we get this error, which is kind of weird.

We found a workaround, but it is still unclear to me why it did not work initially.

Our certificate chain file (as obtained from certbot) consists of three certificates in the following order:

The ISRG Root X1 certificate is published in two flavors: self-signed (by Let's Encrypt) and cross-signed by DST Root CA X3, see https://letsencrypt.org/certificates/

If we exchange the ISRG Root X1 certificate from the cross-signed version (which is used by default) to the self-signed version, the certificate chain is accepted by Apigee.

Why is the cross-signed root certificate not accepted? Is that documented somewhere? I guess we are not the only ones using Apigee Edge with Let's Encrypt certificates.
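A script for checking a certbot fullchain.pem the way this thread needed, added here as an example and not part of the original posts or of Apigee: it splits the bundle into its certificates, prints each one's subject and issuer so that a cross-signed final certificate (subject differs from issuer) stands out from a self-signed one, verifies the leaf with only the bundle's last certificate as trust anchor (which is what the error message's "java trust anchors" wording points at: a chain ending in the cross-signed ISRG Root X1 can only verify if DST Root CA X3 is a trust anchor, whereas the self-signed ISRG Root X1 is an anchor by itself), and rebuilds the bundle with a self-signed root in place of the last certificate. It assumes a POSIX sh with awk, grep, sed, mktemp and openssl on the PATH; the function names are my own, and the sample bundle it writes contains constructed placeholder bodies, not real certificates, so it only exercises the splitting and rebuilding, not openssl.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and rebuild a PEM certificate bundle.
# Assumes openssl, awk, grep, sed and mktemp are available.

# Number of certificates in a PEM bundle.
pem_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the N-th (1-based) certificate block of a PEM bundle, delimiters included.
pem_nth() {
  awk -v n="$2" '
    /^-----BEGIN CERTIFICATE-----/ { i++ }
    i == n { print }
    /^-----END CERTIFICATE-----/ && i == n { exit }
  ' "$1"
}

# For every certificate print subject, issuer and whether it is self-signed
# (subject equals issuer). certbot's fullchain.pem normally ends in a
# cross-signed certificate, which shows up here as "CA-signed" in last position.
pem_describe() {
  bundle=$1
  n=$(pem_count "$bundle")
  i=1
  while [ "$i" -le "$n" ]; do
    subj=$(pem_nth "$bundle" "$i" | openssl x509 -noout -subject | sed 's/^subject=//')
    iss=$(pem_nth "$bundle" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then kind=self-signed; else kind=CA-signed; fi
    printf '%d: subject=%s\n   issuer=%s\n   %s\n' "$i" "$subj" "$iss" "$kind"
    i=$((i + 1))
  done
}

# Verify the leaf (first block) using ONLY the bundle's last certificate as a
# trust anchor and the middle ones as untrusted intermediates. This mirrors a
# store that trusts exactly what you uploaded: a cross-signed last certificate
# is not an anchor by itself, so verification then needs its issuer too.
pem_verify() {
  bundle=$1
  n=$(pem_count "$bundle")
  root=$(mktemp); inter=$(mktemp)
  pem_nth "$bundle" "$n" > "$root"
  i=2
  while [ "$i" -lt "$n" ]; do pem_nth "$bundle" "$i" >> "$inter"; i=$((i + 1)); done
  if pem_nth "$bundle" 1 | openssl verify -CAfile "$root" -untrusted "$inter"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$root" "$inter"
  return $rc
}

# Write a new bundle: every certificate except the last, followed by the
# self-signed root given in $2 (for Let's Encrypt, the self-signed ISRG Root X1
# from https://letsencrypt.org/certificates/).
pem_rebuild() {
  bundle=$1; selfsigned_root=$2; out=$3
  n=$(pem_count "$bundle")
  : > "$out"
  i=1
  while [ "$i" -lt "$n" ]; do pem_nth "$bundle" "$i" >> "$out"; i=$((i + 1)); done
  cat "$selfsigned_root" >> "$out"
}

# Constructed three-block bundle laid out like certbot's fullchain.pem
# (leaf, intermediate, cross-signed root). The bodies are placeholders,
# not real certificates, so only pem_count/pem_nth/pem_rebuild work on it.
make_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
SAMPLE-LEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SAMPLE-INTERMEDIATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SAMPLE-CROSSSIGNED-ROOT
-----END CERTIFICATE-----
EOF
}

# Usage: sh chaincheck.sh fullchain.pem [selfsigned-root.pem rebuilt-fullchain.pem]
main() {
  pem_describe "$1"
  pem_verify "$1" || echo "chain does not verify with its last certificate as the only anchor" >&2
  if [ $# -ge 3 ]; then
    pem_rebuild "$1" "$2" "$3"
    echo "wrote $3"
    pem_verify "$3"
  fi
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it against the real fullchain.pem first to see which flavour of ISRG Root X1 sits in last position; if the `pem_verify` call fails with the original bundle and succeeds with the rebuilt one, the keystore contents were the problem rather than the certificate itself. Note that `openssl verify` in `pem_verify` deliberately uses no system trust store, so its result depends only on what is in the bundle, as a keystore upload would.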