Verify Edge Micro Install errors on SSL cert

kkleva
Participant V

Hello,

I've been struggling with this issue setting up Apigee Edge Microgateway, which I figure others have likely overcome. I'm working with the Apigee Edge Cloud that has been configured to use an HTTPS cert.

Following the guide, after running the verify command it seems to run into an issue because our SSL certificate is using our real domain but Edge Micro may be expecting to use our apigee.net hostname. Is there a way to configure this so it works with our real domain?

Please advise. Thanks!

edgemicro verify -o myorg -e dev -k somekey -s somesecret
 

Output:

edge micro agent listening on 9000
warning: jwt_public_key download from https://myorg-dev.apigee.net/edgemicro-auth/publicKey returned { [Error: Hostname/IP doesn't match certificate's altnames: "Host: myorg-dev.apigee.net. is not in the cert's altnames: DNS:dev.api.mydomain.com"]
reason: 'Host: myorg-dev.apigee.net. is not in the cert\'s altnames: DNS:dev.api.mydomain.com',


14 REPLIES

sarthak
Participant V

@Kristopher Kleva

I recently ran into this and followed the instructions here: http://stackoverflow.com/questions/10888610/ignore-invalid-self-signed-ssl-certificate-in-node-js-wi...

Basically I did:

 export NODE_TLS_REJECT_UNAUTHORIZED=0

I gave that a try with no luck. I seem to get a 404 not found when attempting to call the publicKey resource even though it's been deployed.

edgemicro verify -o myorg -e dev -k somekey -s somesecret

ℹ edge micro agent listening on 9000

warning: jwt_public_key download from https://myorg-dev.apigee.net/edgemicro-auth/publicKey returned 404 Not Found 

warning: error downloading config, please check bootstrap configuration [Error: Not Found]

warning: no edge micro proxies found in org

warning: no products found in org

I did a fresh reinstall. And run the configure command again after making the above changes. Did you do that?

I did... but will start from scratch again.

prabhat
Participant V

Kristopher, looks like you have some custom cert and virtualhost etc. Can you try the following? Another customer had a similar situation, which 'edgemicro configure' currently doesn't assume.

In your agent/config/default.yaml, please change https://myorg-dev.apigee.net/edgemicro-auth/publicKey to https://your-domain-name/edgemicro-auth/publicKey, assuming 'curl https://your-domain-name/edgemicro-auth/publicKey' works.

kkleva
Participant V

I tried a few more things by reviewing the output and trying a fresh install. Also, even though it's not explicitly in the setup documentation, I went ahead and added the edgemicro_weather and set up an API product. Finally, to get the jwt_public_key to download I needed to add the 'https_vhost' to the edgemicro-auth proxy xml.

<HTTPProxyConnection>
    <BasePath>/edgemicro-auth</BasePath>
    <Properties/>
    <VirtualHost>default</VirtualHost>
    <VirtualHost>secure</VirtualHost>
    <VirtualHost>https_vhost</VirtualHost>
</HTTPProxyConnection>

After all this it seems like I get more 200 in the first few checks but still fails on some of the final requests.

ℹ edge micro agent listening on 9000
info: jwt_public_key download from https://myorg-dev.apigee.net/edgemicro-auth/publicKey returned 200 OK 
info: products download from https://myorg-dev.apigee.net/edgemicro-auth/products returned 200 OK 
info: config download from https://edgemicroservices-us-east-1.apigee.net/edgemicro/bootstrap/organization/myorg/environment/de... returned 200 OK 
downloaded proxies [ { apiProxyName: 'edgemicro_weather',
    revision: '1',
    proxyEndpoint: { name: 'default', basePath: '/weather' },
    targetEndpoint: { name: 'default', url: 'https://weather.yahooapis.com' } } ]
downloaded products [ { apiResources: [],
    approvalType: 'manual',
    attributes: 
     .... (lot of json)
downloaded jwt_public_key (log key)
verifying analytics negative case: OK
/Applications/apigee-edge-micro-1.1.0/gateway/lib/logging.js:24
 testLogFile = fs.createWriteStream('test.log', { flags: 'w', mode: 0o0600, en
                                                                    ^
SyntaxError: Unexpected token ILLEGAL
    at exports.runInThisContext (vm.js:73:16)
    at Module._compile (module.js:443:25)
    at Object.Module._extensions..js (module.js:478:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)
    at Module.require (module.js:365:17)
    at require (module.js:384:17)
    at Object.start (/Applications/apigee-edge-micro-1.1.0/gateway/lib/gateway.js:32:16)
    at Object.start (/Applications/apigee-edge-micro-1.1.0/gateway/lib/monitor.js:86:15)
    at processMessage (/Applications/apigee-edge-micro-1.1.0/gateway/lib/monitor.js:58:32)
verifying bootstrap url availability:OK
verifying jwt_public_key availability: OK
verifying quota with configured products: OK
verifying analytics with payload: OK
[ { pid: 26750,
    uid: 'MwMg',
    running: true,
    restarts: 1,
    since: '2015-12-21T20:37:21.308Z' } ]
MwMg on restart


assert.js:86
  throw new assert.AssertionError({
        ^
AssertionError: true == false
    at Request._callback (/Applications/apigee-edge-micro-1.1.0/cli/bin/edgemicro:745:18)
    at Request.self.callback (/Applications/apigee-edge-micro-1.1.0/cli/node_modules/request/request.js:198:22)
    at Request.emit (events.js:110:17)
    at Request.<anonymous> (/Applications/apigee-edge-micro-1.1.0/cli/node_modules/request/request.js:1082:10)
    at Request.emit (events.js:129:20)
    at IncomingMessage.<anonymous> (/Applications/apigee-edge-micro-1.1.0/cli/node_modules/request/request.js:1009:12)
    at IncomingMessage.emit (events.js:129:20)
    at _stream_readable.js:908:16
    at process._tickCallback (node.js:355:11)

prabhat
Participant V

You have the wrong node version. The doc should say it as part of the prereqs. You need node v4.2.x. It won't work with v0.10 or v0.12.

kkleva
Participant V

Updated node to v4.2.3 and updated domain in default.yaml.

Everything seems to validate cleanly now. So in summary, what I needed to do was:

#1 Make sure to have node v4.2.3

#2 export NODE_TLS_REJECT_UNAUTHORIZED=0

#3 Update proxy to include <VirtualHost>https_vhost</VirtualHost>

#4 Update entry in jwt_public_key to point to our own domain

I'll work over the rest of the steps in the guide and let you know if I run into any more blockers.

Thanks and Awesome. I am glad you are back to trying EM again. 🙂 I think with what you did in #4, #2 may not be needed.

I think you're correct. All is well now. One last question: if I now wanted to replicate this across multiple servers, would I need to redo the entire installation or just copy what I have?

Copying entire installation should be fine. Something which we wanted. Have devs configure it on their workstation and move to prod.
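Added example (not part of the original thread and not Apigee's code): Node's own `tls.checkServerIdentity` reproduces the altnames error quoted above and shows that requesting a name the certificate covers (step #4) clears it without `NODE_TLS_REJECT_UNAUTHORIZED=0` (step #2), which turns certificate verification off for the whole process. The certificate objects are constructed from the SAN values in the error messages, and the helper names `diagnose` and `verificationDisabled` are assumptions made for illustration.

```javascript
const tls = require('tls');

// Constructed certificate objects, shaped like the result of
// tls.TLSSocket#getPeerCertificate(); SAN values are taken from the
// error messages quoted in the thread.
const CUSTOM_CERT = {
  subject: { CN: 'dev.api.mydomain.com' },
  subjectaltname: 'DNS:dev.api.mydomain.com',
};
const APIGEE_CERT = {
  subject: { CN: '*.apigee.net' },
  subjectaltname: 'DNS:*.apigee.net, DNS:apigee.net',
};

// Apply the hostname check Node runs during the TLS handshake.
function diagnose(url, cert) {
  const host = new URL(url).hostname;
  const err = tls.checkServerIdentity(host, cert);
  const covered = cert.subjectaltname
    .split(', ')
    .filter((n) => n.startsWith('DNS:'))
    .map((n) => n.slice(4));
  return { host, ok: err === undefined, reason: err ? err.reason : null, covered };
}

// Node skips certificate verification process-wide when this is exactly '0'.
function verificationDisabled(env) {
  return env.NODE_TLS_REJECT_UNAUTHORIZED === '0';
}

// URLs are constructed from the hostnames that appear in the thread.
const checks = [
  ['https://myorg-dev.apigee.net/edgemicro-auth/publicKey', CUSTOM_CERT],
  ['https://dev.api.mydomain.com/edgemicro-auth/publicKey', CUSTOM_CERT],
  ['https://customdomain.com/edgemicro-auth/publicKey', APIGEE_CERT],
];
for (const [url, cert] of checks) {
  const r = diagnose(url, cert);
  const hint = r.ok ? '' : `-> cert covers: ${r.covered.join(', ')}`;
  console.log(r.ok ? 'match   ' : 'MISMATCH', r.host, hint);
}
if (verificationDisabled(process.env)) {
  console.warn('NODE_TLS_REJECT_UNAUTHORIZED=0 is set: certificate checks are off');
}
```

Calling `verificationDisabled(process.env)` at gateway start-up is a cheap way to catch the workaround being carried into production when an installation is copied between servers.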

Not applicable

@Geir Sjurseth

@pdani

We are trying to set up edge microgateway v2.0.0 and facing an issue during the config step. We have deployed a custom SSL certificate on edge and created a new VHOST (customdomain.com).

While running the edgemicro config command, it throws the below error.

edgemicro configure -o customdomain -e test -u xxxx@customdomain.com

[Error: Hostname/IP doesn't match certificate's altnames: "Host: customdomain.apigee.net. is not in the cert's altnames: DNS:customdomain.com"]

The edgemicro config command seems to use the Org and Environment names to connect to edge to configure microgateway and uses the *.apigee.net domain.

We have tried changing the domain name in config/default.yaml file to use the new domain name instead of apigee.net as suggested in the below community post.

https://community.apigee.com/questions/14877/verify-edge-micro-install-errors-on-ssl-cert.html

After changing the domain name, it throws the below error. Seems it is expecting *.apigee.net domain at some point during the micro gateway configuration.

[Error: Hostname/IP doesn't match certificate's altnames: "Host: customdomain.com. is not in the cert's altnames: DNS:*.apigee.net, DNS:apigee.net"] reason: 'Host: customdomain.com. is not in the cert\'s altnames: DNS:*.apigee.net, DNS:apigee.net'

Could you help us with resolving this domain issue or provide details on configuring micro gateway with a custom domain?

Not applicable

I know you can provide a separate virtualhost-name at configure time... if you do that instead does it work then?

/geir

We did try that but it didn't work...

/raghav