Virtual host creation/update failed due to keystore cert validation error

Just getting up and running with Apigee, and for reference we are using a paid plan.

I have successfully created a CSR and a key as advised in the doc

https://community.apigee.com/articles/2770/how-to-create-a-private-key-and-generate-a-csr.html

which I used to get a certificate from a CA.

I used the certificate with the key to create a keystore for the portal; testing the keystore confirms the certificate is correct. Pointing our domain to Apigee now works for the portal. All good so far.

I then tried to use the same process to create a keystore for the dev / prod environment, which I did and tested, all confirming the certificate is fine.

Then when I try to create a virtual host, using the keystore as above, I get the error

Virtual host creation/update failed due to keystore cert validation error - Cert is invalid or cannot be not be trusted by java trust anchors or CAs.

Any advice about what I am doing wrong?

Many thanks

1 ACCEPTED SOLUTION

rmishra
Participant V

Hello @James Askew

You need to correct the Certificate Chain in the Keystore referenced in your virtual host configuration.

The current error tells you that Apigee does not have a way to trust your server's certificate because the CA which signed the certificate is not a trusted CA (pre-installed/configured on your server).

One way to work around the problem is as follows:

Your goal would be to put all certs in a single PEM file (as shown below) and upload it through the UI/Management API:

-----BEGIN CERTIFICATE-----
(Your Primary TLS certificate)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Root certificate or intermediate certificate signed by a root certificate)
-----END CERTIFICATE-----


For more details about keystore creation, please refer to the documentation at https://docs.apigee.com/api-platform/system-administration/creating-keystores-and-truststore-cloud-u...

When done successfully, you should be able to look through all the certs in the Management UI.

HTH
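An added example, not from this thread or from Apigee, of assembling the bundle described above in a POSIX shell and checking it before upload. It assumes three PEM files (leaf, intermediate, root; the file names are placeholders) and, for verify_chain only, an openssl binary; normalise_pem also repairs the sloppy framing (CRLF, whitespace around markers, an END marker glued to the body) that makes a pasted bundle fail validation.

```shell
#!/bin/sh
# normalise_pem FILE: print the certificate(s) in FILE with clean PEM framing.
# Strips CR, whitespace around the BEGIN/END markers and blank lines, and
# puts a marker that was glued to the base64 body on its own line.
normalise_pem() {
  awk '{
    gsub(/\r/, ""); line = $0
    while (match(line, /-----(BEGIN|END) CERTIFICATE-----/)) {
      pre  = substr(line, 1, RSTART - 1)
      mark = substr(line, RSTART, RLENGTH)
      line = substr(line, RSTART + RLENGTH)
      gsub(/[ \t]/, "", pre); if (pre != "") print pre
      print mark
    }
    gsub(/[ \t]/, "", line); if (line != "") print line
  }' "$1"
}

# build_chain OUT CERT...: write the bundle in the order the answer gives
# (server cert first, then intermediate(s), then root). Returns non-zero if
# the number of BEGIN/END markers does not match the number of inputs.
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do normalise_pem "$f" >> "$out"; done
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$out")
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$out")
  [ "$begins" -eq "$#" ] && [ "$ends" -eq "$#" ]
}

# verify_chain LEAF INTERMEDIATE ROOT: the same path check the keystore test
# performs. Each cert's issuer must equal the subject of the cert below it;
# "unable to get local issuer certificate" means the intermediate or root in
# the bundle is not the one that actually signed the cert above it.
verify_chain() {
  for f in "$1" "$2" "$3"; do
    openssl x509 -noout -subject -issuer -in "$f"
  done
  openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Usage (placeholder file names):
#   build_chain chain.pem server.pem intermediate.pem root.pem
#   verify_chain server.pem intermediate.pem root.pem
```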

5 REPLIES

Many thanks for this. I used it to build the new certificate, tested it, and all is fine; in the virtual hosts the error changes to "this domain is already in use", which makes sense, as that subdomain was pointing to the portal already. So it should be fine to use a different certificate with a different subdomain pointing at the dev proxy, and another for the production proxy. Correct?

The only issue is that I have tried exactly the same process as above multiple times for a new subdomain, and no matter what I do, when I try to test the keystore / certificate I get the error

Invalid Truststore. Unable to find valid certification path to requested target

Any thoughts?

Just to be clear, I am trying to make the URL of our API through Apigee

api.mydomain.com

replacing

myCompany-prod.apigee.net

Thanks!!

Thanks again for your help. This was indeed the answer to my question; the further issues I had were because the keystore test would not pass until I had created the virtual host, DNS and reference first.

So the cert failed when creating the virtual host because of the above, but the testing of the cert failed because the virtual host was not set up!

Cheers

Glad it helped; sorry, I had been away for a while and couldn't follow up.

pengdu30
Participant II
@James Askew, @Rahul M

I'm able to create the keystore using the merged file, but I'm not able to create the virtual host, although our DNS name has already been set up properly and the reference was also created. When I create the virtual host I still get the same error: Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be not be trusted by java trust anchors or CAs. The cert was issued by a corporate CA. Are any other steps needed after the keystore is created and before creating the virtual host?