VirtualHostCACertValidationError when adding virtual host


Hi,

I'm trying to add a virtual host with Apigee Edge but get the following error when executing the API call:

{
  "code": "messaging.config.beans.VirtualHostCACertValidationError",
  "message": "Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be not be trusted by java trust anchors or CAs",
  "contexts": []
}

However, I am using a valid certificate and can successfully test it from the keystore. Do you have any suggestions?

Cheers,
Justin


@justinjanson

The error message indicates that Apigee is not able to validate the cert, as the file uploaded just has the cert in it and not the entire CA chain. Could you check if the cert you uploaded is in the format indicated in the following doc, under the section 'About the format of the cert and key files':

https://docs.apigee.com/api-services/content/keystores-and-truststores


We are facing the same issue. Is there any workaround?

We are not able to create it with the freetrial keystore either. Below is the error we are getting as the response:

{
  "code": "messaging.config.beans.VirtualHostAliasCertValidationError",
  "message": "Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be not be trusted for host alias dev.api.xx.xx",
  "contexts": []
}

I encountered this error today and came across this community post which does not have enough details to resolve the issue.

As the error suggests, this error may occur if your cert is invalid or if your cert is signed by a CA which is not trusted by Java trust anchors.

If your cert is valid, it's likely a CA trust issue: concatenate your domain cert and all CA certs into a single file, with the root CA being the last cert. Now upload this single file into the keystore and the problem should go away.

Key for me was the order of the CA certs. When generating the pfx file with openssl, the top level CA must be first -certfile listed, then work through the chain in order.
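
Added example (not part of any post in this thread): a pre-upload check for the single concatenated PEM file described in the replies above, confirming the domain cert comes first, each following cert is the issuer of the one before it, and the root CA is last. The function name `check_chain_order` is hypothetical, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: check PEM bundle order (domain cert first, root CA last).
# It compares issuer/subject name hashes only; signatures are not verified.

check_chain_order() {
  local bundle="$1" tmp count i subj iss prev_iss=""
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate, numbered in file order,
  # and report how many certificates were found.
  count=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                           n {print > (d "/" n ".pem")}
                           END {print n + 0}' "$bundle")
  if [ "$count" -eq 0 ]; then
    echo "no certificates found in $bundle" >&2
    rm -rf "$tmp"; return 2
  fi
  i=1
  while [ "$i" -le "$count" ]; do
    subj=$(openssl x509 -noout -subject_hash -in "$tmp/$i.pem") \
      || { rm -rf "$tmp"; return 2; }
    iss=$(openssl x509 -noout -issuer_hash -in "$tmp/$i.pem")
    # Every cert after the first must be the issuer of the one before it.
    if [ "$i" -gt 1 ] && [ "$subj" != "$prev_iss" ]; then
      echo "cert #$i is not the issuer of cert #$((i - 1)):" \
           "chain is out of order or incomplete" >&2
      rm -rf "$tmp"; return 1
    fi
    prev_iss=$iss
    i=$((i + 1))
  done
  rm -rf "$tmp"
  # The last cert must be self-issued: the root CA closes the chain.
  if [ "$subj" != "$iss" ]; then
    echo "last cert is not self-issued: root CA missing from bundle" >&2
    return 1
  fi
  echo "OK: $count certs, domain cert first, root CA last"
}
```

Run it as `check_chain_order bundle.pem`; a non-zero exit status means the file should be reordered or completed before it is uploaded to the keystore.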