Edge connection unsuccessful; the peer certificate cannot be authenticated with known CA certificates

oyamatakuro
Participant IV

Hello,

I would like to configure the Dev Portal connection with an SSL Management API endpoint URL.
I am working with Edge for Private Cloud v4.17.01.01.

The connection between Edge and Dev Portal is perfectly working with http.

But when I set the Management API endpoint URL with SSL in Configuration > Dev Portal like:

https://<Edge IP address>:8443/v1

and then test the connection, I get the following error.

Edge connection unsuccessful; the peer certificate cannot be authenticated with known CA certificates. This may occur if the system date is significantly skewed.

The system date should be OK, and I guess the cause is that I am using self-signed certificates on Edge for the SSL configuration.

Do I need to let dev portal trust Edge? If yes, how can I do that?

Any help will be appreciated.

Solved
1 ACCEPTED SOLUTION

The developer portal uses the Guzzle library to establish HTTP connections to the management API. This library ships with its own CA bundle for certificate validation, but that certificate bundle may be overridden. To do so, edit /opt/apigee/apigee-drupal-contrib/libraries/mgmt-api-php-sdk/vendor/guzzle/guzzle/src/Guzzle/Http/Client.php. On line 140, you will see this:

            $opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/cacert.pem';

You can remove or comment (//) that line and replace it with the path of your internal CA certificate:

            $opts[CURLOPT_CAINFO] = '/opt/apigee/customer/server.crt';

I recommend storing your custom CA certificate in the /opt/apigee/customer directory, as that is a persistent path that will keep your site-specific data in one place and is guaranteed not to be touched on upgrade.

Once you have directed Guzzle to your custom CA certificate, you can use the "Test Connection" button in the developer portal UI to verify that your encrypted management API connection is working.


12 REPLIES

@Christin Brown

Thank you for your answer.

The page you specified is configuring dev portal over SSL on apache.

In my case, the problem is that the portal cannot access the Edge Management API over SSL. Whether the dev portal itself is running over http or https probably does not matter.

I followed the steps described in "Configuring TLS between the portal and the Edge management API" on the URL below.

http://docs.apigee.com/developer-services/content/using-ssl-portal

The Edge management API over SSL is accessible by curl command with -k or --insecure option.

But the portal still cannot access Edge management API over SSL.

What layer is your TLS configured at? At the load balancer? Also, have you configured it on both the mgmt server and DevPortal?

Maybe self-signed is not supported as of now. https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html has to be mentioned for self-signed to work, but I don't see a way to mention the path.

The error you see is from the below:

            case CURLE_SSL_CACERT:
                $message = t('Edge connection unsuccessful; the peer certificate cannot be authenticated with known CA certificates. This may occur if the system date is significantly skewed.');
                break;

@Maruti Chand

Is "Test Connection" from Configuration > Dev Portal on the Developer Portal internally using curl for the testing?

If yes, I understand that self-signed certs may not be supported at the moment.


@Paul Mibus pointed me to this https://community.apigee.com/articles/40305/how-to-specify-a-custom-certificate-for-dev-portal.html . @Takuro Oyama give it a try.

@Paul Mibus do you want to add your hack or easy ways to achieve this?

@Maruti Chand

That is great information.

Thanks for the info!

@Christin Brown

I configured TLS on Edge and the dev portal itself (not on the load balancer), both using self-signed certificates.


@Paul Mibus

Thanks for the answer.

It works!

@Paul Mibus I have followed these steps on the Apigee Devportal server. Now I am getting a curl 77 error instead of a curl 60 error.

Any idea how to fix this?

It looks like that error is:

curl: (77) Problem with the SSL CA cert (path? access rights?)

Can you check path existence, ownership, and permissions? If it's not that, it could be a problem with the format of the certificate. The certificate should be in standard PEM format without any special headers other than the start and end lines.
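As an added diagnostic that is not part of the thread or of Apigee's code, the POSIX shell script below applies the checks from the accepted solution and from the reply above: it validates the CA file that CURLOPT_CAINFO will point at (existence, readability, PEM markers, no stray header lines inside the block) and then probes the management API with curl --cacert, with verification left on, mapping curl exit codes 60 and 77 to the causes discussed in this thread. The function names check_ca_file, explain_curl_exit and test_mgmt_api are my own; the path and URL in the trailing comment are placeholders.

```shell
# check_ca_file: sanity-check a CA file before pointing Guzzle's CURLOPT_CAINFO at it.
# Returns 0 if usable, 1 if missing, 2 if unreadable, 3 if no PEM markers, 4 if the
# PEM block contains lines that are not base64 (e.g. extra headers).
check_ca_file() {
    f="$1"
    [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -r "$f" ] || { echo "not readable by $(id -un): $f" >&2; return 2; }
    # Strip CR so a file saved with Windows line endings still matches the anchors.
    tr -d '\r' < "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' \
        && tr -d '\r' < "$f" | grep -q '^-----END CERTIFICATE-----$' \
        || { echo "no PEM certificate markers: $f" >&2; return 3; }
    # Only base64 lines may sit between BEGIN and END; anything else is what
    # curl reports as exit 77 (bad CA file).
    if tr -d '\r' < "$f" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | grep -v -- '^-----' | grep -qv '^[A-Za-z0-9+/=]*$'; then
        echo "non-base64 content inside PEM block: $f" >&2; return 4
    fi
    return 0
}

# explain_curl_exit: map the curl exit codes seen in this thread to their cause.
explain_curl_exit() {
    case "$1" in
        0)  echo "ok: peer certificate chains to the supplied CA" ;;
        60) echo "curl 60: peer certificate not signed by a CA in the supplied file (wrong CA, or the issuer is missing from it)" ;;
        77) echo "curl 77: CA file unreadable or malformed (path, permissions, or not PEM)" ;;
        *)  echo "curl $1: see 'curl --manual' for this exit code" ;;
    esac
}

# test_mgmt_api: probe the management API the way Test Connection does, but with
# the custom CA supplied explicitly. No -k, so certificate verification stays on.
test_mgmt_api() {
    ca="$1"; url="$2"
    check_ca_file "$ca" || return $?
    curl -sS -o /dev/null --cacert "$ca" "$url"
    rc=$?
    explain_curl_exit "$rc"
    return $rc
}

# Usage (placeholders): test_mgmt_api /opt/apigee/customer/server.crt https://<Edge IP address>:8443/v1
```

Run it as the web server user so the readability check reflects the permissions the portal actually has.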