SSL handshake failing

sarthak
Participant V

I am trying to build a 2 way SSL between Apigee and backend. And I am seeing the error like this:

{fault: 
{faultstring: "SSL Handshake failed sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
detail: 
{errorcode: "messaging.adaptors.http.flow.SslHandshakeFailed"
}
}
}

I believe I have configured the certs and truststores properly.

Any pointers on what I might be missing or what I can do to further debug?


A starting point is to verify the SSL connection and certs using curl. Looks like a missing parent cert in chain of certs.

Not applicable

Hi @Madhan Sadasivam

Not sure if I got your point, do you mean like showcerts using openssl?

I'm trying out Apigee Edge on cloud and testing 2-way SSL, where Apigee is the client and my server, which is in the DMZ, is the backend/target server.

My backend server cert is Symantec/VeriSign issued, which I have added to the Apigee truststore. I ran tcpdump on the backend server and don't see any calls coming in at all from Apigee Edge. However, I see this PKIX error, and I agree it's a missing cert causing trust issues. Not sure if Edge is failing to trust the VeriSign cert. Is there a way to enable SSL debug on Apigee Edge cloud?

Below is the snippet I'm using; is anything missing or wrong?

<HTTPTargetConnection>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>affinionStore</KeyStore>
    <KeyAlias>apigee-poc</KeyAlias>
    <TrustStore>agTruststore-twoway</TrustStore>
  </SSLInfo>
  <URL>https://x/api/poc/v1/clientsslauth</URL>
</HTTPTargetConnection>

I added my server & CA certs to agTruststore-twoway.

Client SSL key pair in affinionStore.

To eliminate any issues in the certs or connectivity, using a command line tool like "curl" will help. You can try this from your laptop. If it is the cloud instance of Apigee, using curl to hit the backend server from outside your firewall will be a good test.

Are there any intermediate certs in the cert chain? If so, are they added as per the Apigee doc?

Not applicable

This got resolved after removing <TrustStore>agTruststore-twoway</TrustStore>, not sure why though.

anshul_
Participant IV

Hi @Kranthi Rachakonda,

Removing the TrustStore has not resolved the issue but has just avoided it, as now the server certificates are not being verified by Edge anymore.

In the case of a certificate chain, make sure that you combine all of the certs into a single PEM file. The certs have to be in order, and the last cert must be a root certificate or an intermediate cert signed by a root certificate:

-----BEGIN CERTIFICATE-----
(Your primary TLS certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate or intermediate certificate signed by a root certificate)
-----END CERTIFICATE-----

You can fetch the certificates, which are configured for this particular trust store, by calling the management API call mentioned here: http://docs.apigee.com/management/apis/get/organizations/%7Borg_name%7D/environments/%7Benv_name%7D/...

If you are sure that all the certificates are configured properly, then I would suggest raising a support ticket, as very recently I faced exactly the same issue even when all the TrustStore certificates were correctly configured. It was then fixed by Apigee Support, as some configuration had gone wrong on the message processors.

dilip
Participant I

Yes, I am facing the same issue; after removing the Truststore from the target, my issue got resolved.

@sarthak and @Dilip Tiwari,

The error "unable to find valid certification path to requested target" indicates that you don't have the certificate that matches the Server's certificate in the Message Processor's truststore.

You can run the openssl command to get the Server's complete certificate chain:

openssl s_client -connect <targetserver-hostalias>:<port#> -showcerts

If you get any error with the above command, then you may need to pass the servername as follows:

openssl s_client -connect <targetserver-hostalias>:<port#> -servername <targetserver-hostalias> -showcerts

Then check if you have this certificate in the truststore using the Edge UI or the management API. The issue is caused by the correct certificate not existing in the truststore.

Get the complete Server certificate chain and upload it to the Truststore.

This should help resolve the issue.

Note: It is recommended to use references for Keystore and Truststore.
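The two checks the replies above describe (combining the server's chain into one correctly ordered PEM bundle, and pulling that chain out of `openssl s_client -showcerts` output to compare it with the truststore) as an added, runnable example that is not part of the thread and is not Apigee code. It builds a throwaway root -> intermediate -> leaf PKI so it runs offline; the CA names, the hostname backend.example.test and the stand-in s_client output are all constructed. It assumes openssl 1.1.1 or later on PATH and a POSIX shell. The last two checks reproduce the failure class in the thread: verifying the leaf against a truststore that holds only the root fails (openssl's wording is "unable to get local issuer certificate"; Java's is the PKIX "unable to find valid certification path" message), and adding the intermediate to the truststore makes it pass.

```shell
#!/bin/sh
# Added example, not from the thread or from Apigee. Constructed PKI and
# constructed s_client output; needs openssl 1.1.1+ on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so nothing here depends on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:backend.example.test
EOF

# Throwaway PKI: root CA signs an intermediate CA, which signs the server leaf.
make_toy_pki() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Toy Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Toy Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_ca -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=backend.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null
}

# Constructed stand-in for `openssl s_client -connect host:port -showcerts` output;
# a real server prints its own chain (leaf first) in the same layout.
fake_s_client_output() {
  echo "CONNECTED(00000003)"
  echo "---"
  echo "Certificate chain"
  echo " 0 s:CN = backend.example.test"
  echo "   i:CN = Toy Intermediate CA"
  cat "$WORK/leaf.pem"
  echo " 1 s:CN = Toy Intermediate CA"
  echo "   i:CN = Toy Root CA"
  cat "$WORK/int.pem"
  echo "---"
  echo "Server certificate"
  echo "subject=CN = backend.example.test"
  echo "issuer=CN = Toy Intermediate CA"
}

# Keep only the PEM blocks, in the order the server sent them: this is the bundle
# shape (leaf, intermediate, ...) the thread says to upload to the truststore.
extract_pem() { sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"; }

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a bundle into <prefix>1.pem, <prefix>2.pem, ... preserving chain order.
split_bundle() { awk -v p="$2" '/-----BEGIN CERTIFICATE-----/{n++} {print > (p n ".pem")}' "$1"; }

# Subject, issuer and SHA-256 fingerprint: compare these with the truststore entries.
describe_cert() { openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256; }

# Exit 0 when the leaf chains to a trust anchor in the given PEM file, non-zero otherwise.
# No -untrusted here, so this models a server that does not send its intermediate.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_toy_pki
fake_s_client_output > "$WORK/s_client.txt"
extract_pem "$WORK/s_client.txt" > "$WORK/chain.pem"
echo "server presented $(count_certs "$WORK/chain.pem") certificate(s):"
split_bundle "$WORK/chain.pem" "$WORK/cert-"
for f in "$WORK"/cert-*.pem; do describe_cert "$f"; echo; done

# Truststore holding only the root: the path from leaf to root cannot be built.
if verify_leaf "$WORK/root.pem" "$WORK/leaf.pem"; then
  echo "root-only truststore: verified"
else
  echo "root-only truststore: FAILED (intermediate missing)"
fi

# Truststore holding intermediate and root: the chain closes and verification passes.
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/truststore.pem"
if verify_leaf "$WORK/truststore.pem" "$WORK/leaf.pem"; then
  echo "intermediate+root truststore: verified"
fi
```

Against a real backend, replace `fake_s_client_output` with `openssl s_client -connect host:port -servername host -showcerts </dev/null` and feed its output to `extract_pem`; the subject/issuer/fingerprint lines from `describe_cert` are what to match against the entries shown for the truststore in the Edge UI or management API. Note that `openssl verify` and the Message Processor both also use certificates the server sends during the handshake, so a chain that verifies here can still fail in Edge if the Edge truststore lacks the anchor, and vice versa.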