Error connecting to SSL enabled backend service

Hi all

I am currently having problems connecting to an HTTPS service via my microgateway instance (running Node v4.6.0). The SSL certificate used by the service is issued by our internal CA.

Whenever a request is made, the Microgateway responds with the following:

{"message":"unable to get local issuer certificate","code":"UNABLE_TO_GET_ISSUER_CERT_LOCALLY"}

I've added the certs for our internal CA to the server running the microgateway and a curl happily accesses the service directly.

I've also tried directly pointing Node to the certificates using the following but the outcome remains the same.

npm config set cafile /etc/ssl/certs/ca-certificates.crt

Any suggestions?

Thanks

David

Former Community Member

@Srinandan Sridhar

Somehow I missed that! I will have a go and let you know my progress.

@Srinandan Sridhar

I had to park this for a while. Now I am back, this time using version 2.3.1 of the microgateway, and the problems are the same. The microgateway happily talks to services signed by public CAs; however, services signed by our internal CAs still do not work.

According to the documentation http://docs.apigee.com/microgateway/latest/operation-and-configuration-reference-edge-microgateway#c... , specifying the ca option in the client block should have resolved this.

Thoughts?

Former Community Member

What error do you get @David Silcott?

@Srinandan Sridhar I get the following response when I run curl -i using a valid bearer token. If the proxy is configured to point to a service signed by a public CA, it goes through with no issue.

HTTP/1.1 502 Bad Gateway
Date: Thu, 05 Jan 2017 15:58:17 GMT
Connection: keep-alive
Content-Length: 95


{"message":"unable to get local issuer certificate","code":"UNABLE_TO_GET_ISSUER_CERT_LOCALLY"}

Former Community Member

A temporary solution is to set

rejectUnauthorized:false

in the configuration file while we investigate the problem. Are you still setting the "npm config"? Also, what platform are you trying on?

Hi @Srinandan Sridhar, my targets block is as below:

  targets:
    host: 'internal.service.mycompany.com'
    ssl:
      client:
        key: /certs/client.key
        cert: /certs/client.crt
        ca: /certs/ca-certificates.crt
        rejectUnauthorized: false

No, I am no longer setting "npm config".

I am currently running the microgateway in a Docker container built from a Dockerfile based on https://github.com/kevinswiber/apigee-edgemicro-docker/blob/master/Dockerfile

FROM mhart/alpine-node:6.9.2

RUN apk --update add openssl ca-certificates && \
    rm -rf /var/cache/apk/* /tmp/*

COPY ./internal-certs/ /usr/local/share/ca-certificates/
COPY ./apigee-edgemicro/configure.sh /usr/bin/local/configure.sh

RUN chmod +x /usr/bin/local/configure.sh && update-ca-certificates

RUN npm install -g edgemicro@2.3.1

EXPOSE 8000

CMD ["edgemicro", "start"]
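
An offline check of whether a CA bundle, such as the file given in the `ca:` setting above, can validate a server certificate. This is an added example and not part of any post in the thread. The root, issuing CA, server name and file paths are all constructed, and the missing issuing CA it shows is one common cause of this error, not a diagnosis of the setup above.

```shell
#!/bin/sh
# Added example: every name, subject and path below is constructed.
set -eu
W=$(mktemp -d)                 # throwaway directory; system trust store untouched
trap 'rm -rf "$W"' EXIT
# Extensions that mark a certificate as a CA
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$W/ca.ext"

# new_csr NAME CN: create NAME.key and NAME.csr in the work directory
new_csr() {
  openssl req -newkey rsa:2048 -nodes -keyout "$W/$1.key" -out "$W/$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Self-signed root CA
new_csr root "Constructed Root CA"
openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" \
  -extfile "$W/ca.ext" -days 2 -out "$W/root.crt" >/dev/null 2>&1

# Issuing CA, signed by the root
new_csr issuing "Constructed Issuing CA"
openssl x509 -req -in "$W/issuing.csr" -CA "$W/root.crt" -CAkey "$W/root.key" \
  -set_serial 2 -extfile "$W/ca.ext" -days 2 -out "$W/issuing.crt" >/dev/null 2>&1

# Server certificate, signed by the issuing CA
new_csr server "internal.service.example"
openssl x509 -req -in "$W/server.csr" -CA "$W/issuing.crt" -CAkey "$W/issuing.key" \
  -set_serial 3 -days 2 -out "$W/server.crt" >/dev/null 2>&1

# A bundle holding the whole chain of CAs
cat "$W/root.crt" "$W/issuing.crt" > "$W/full-bundle.crt"

# check_bundle BUNDLE CERT: print "OK", or the reason openssl gives for rejecting CERT
check_bundle() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo "OK"
  else
    printf '%s\n' "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p'
  fi
}

echo "root only:   $(check_bundle "$W/root.crt" "$W/server.crt")"
echo "full bundle: $(check_bundle "$W/full-bundle.crt" "$W/server.crt")"
```

Running `openssl verify -CAfile` the same way against the real bundle and the backend's certificate checks the bundle independently of the gateway, with certificate verification left on.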