Keystore error while performing Target Server SSL Test

I am working with nlsn-gracenote organization under Apigee's Nielsen account and having some trouble with testing the keystore.

I have a valid public facing certificate for "api.rsid.music.gracenote.com" which I have uploaded along with the private key to the keystore.

While testing this keystore, I see the following error:


"Invalid Truststore. Unable to find valid certification path to requested target"

Can someone help me resolve this?

ACCEPTED SOLUTION

Turns out, I had uploaded the certificate in the form of a PKCS7 file, which is not supported by Apigee at the moment. The solution is to convert the PKCS7 to either PKCS12 or a PEM file and re-upload to the keystore.

Convert P7B to PEM:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

4 REPLIES

rmishra
Participant V

If you are establishing one-way TLS and Apigee is the client to api.rsid.music.gracenote.com, then your target server will not challenge Apigee for a cert. But Apigee will challenge your target server for a cert and will attempt to validate that cert against the CAs available in its truststore.

The error implies that when your target server presented a cert, Apigee was unable to validate it against any of the known CAs.

This can be fixed by uploading the CA chain into the truststore you have referenced.

You should never upload the identity certs for your target server within Apigee. You use Apigee's target TLS keystore only when you enable two-way TLS; the keystore in that case holds Apigee's identity cert (which it presents to the target server).

Hi rmishra, Thanks for the reply!

I understand and agree with what you said about 1 way TLS and 2 way TLS between Apigee and the Target Server.

By using Target Server SSL Test in the title, I might have caused the confusion here.

Let me clarify my question: I am actually trying to create a virtual host with the alias "api.rsid.music.gracenote.com" following the steps from the docs: https://docs.apigee.com/api-platform/fundamentals/configuring-virtual-hosts-cloud#creatingavirtualho...

For that I have created a CNAME that points to {my-org}-{env}.apigee.net. I have also uploaded the cert and key to the TLS keystore and I am trying to test it now. That's when I get the error.

Also, not sure if it's related to the above problem:

After the virtual host is created and configured, when trying to access the proxy, the following HTML error page is displayed:


<!DOCTYPE html> <html> <head> <title>Error</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>An error occurred.</h1> <p>Sorry, the page you are looking for is currently unavailable.<br/> Please try again later.</p> </body> </html>

Sorry, lost track of this thread. Glad you resolved it.
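
The conversion from the accepted solution, extended into a pre-upload check that identifies whether a certificate file is PKCS7 or plain X.509, converts it to PEM, and confirms the result matches the private key. This is an added example, not code from the thread or from Apigee; the file names are placeholders, and it assumes the first certificate in the converted file is the leaf.

```shell
#!/bin/sh
# Added example; file names are placeholders, not values from the thread.

# Print the container format of a certificate file.
cert_format() {
    if grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        echo pkcs7-pem
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo x509-pem
    elif openssl pkcs7 -inform DER -in "$1" -noout 2>/dev/null; then
        echo pkcs7-der
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo x509-der
    else
        echo unknown
    fi
}

# Write the certificate(s) in $1 to $2 as PEM, whatever the input format.
to_pem() {
    case $(cert_format "$1") in
        pkcs7-pem) openssl pkcs7 -print_certs -in "$1" -out "$2" ;;
        pkcs7-der) openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2" ;;
        x509-pem)  cp "$1" "$2" ;;
        x509-der)  openssl x509 -inform DER -in "$1" -out "$2" ;;
        *)         echo "unrecognised certificate format: $1" >&2; return 1 ;;
    esac
}

# Succeed only if the first certificate in $1 and the private key in $2 share
# a public key. Assumes the first certificate in the file is the leaf.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Direct use: sh check_cert.sh <certificate-file> <private-key-file>
if [ "$#" -eq 2 ]; then
    to_pem "$1" converted.pem || exit 1
    if key_matches_cert converted.pem "$2"; then
        echo "converted.pem is PEM and matches $2"
    else
        echo "converted.pem does not match $2" >&2; exit 1
    fi
fi
```

A P7B file carries certificates only, so the private key is always supplied as a separate file.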