Changes for page Unable to find valid certification path
Last modified by Erik Bakker on 2024/09/03 13:24

From version 32.1, edited by Erik Bakker on 2022/06/13 16:05
Change comment: There is no comment for this version

Summary
- Page properties (2 modified, 0 added, 0 removed)
- Attachments (0 modified, 0 added, 5 removed)
  - rca-knowledgebase-unable-to-find-valid-certification-path--errors-in-emagiz-part-one.png
  - rca-knowledgebase-unable-to-find-valid-certification-path--errors-in-emagiz-part-two.png
  - rca-knowledgebase-unable-to-find-valid-certification-path--postman-ssl-verification-on-configured-cert.png
  - rca-knowledgebase-unable-to-find-valid-certification-path--postman-ssl-verification-on.png
  - rca-knowledgebase-unable-to-find-valid-certification-path--truststore-config-and-emagiz-config.png
 
Details
- Page properties
- 
      - Parent
-   ... ... @@ -1,1 +1,1 @@ 1 -WebHome 1 +xwiki:Main.eMagiz Support.RCA Knowledge Base.rca-knowledgebase-runtime-issues.WebHome 
- Content
-   ... ... @@ -1,23 +1,19 @@ 1 1 {{container}}{{container layoutStyle="columns"}}((( 2 -= Unable to find valid certification path = 3 - 4 4 In this document, we will use the information from the actual root cause analysis to make a generic view that can be used if you run into the same or a similar problem in the future. Finally, the document will describe the situation, the problem, the analysis, and the result. 5 5 6 6 Should you have any questions, please get in touch with academy@emagiz.com. 7 7 8 -== 3.Unable to find valid certificationpath==6 +== 1. Situation == 9 9 10 -=== 3.1 Situation === 11 - 12 12 On a specific working day, a connection between eMagiz and an external REST service broke down due to errors related to certificate problems. The external party updated the trusted certificates, but they did not notify the client team working on the eMagiz solution. 13 13 14 -== =3.2 Problem ===10 +== 2. Problem == 15 15 16 16 As a result of these actions, no data could be supplied to the system before the problem was resolved. 17 17 18 -== =3.3Analysis ===14 +== 3. Analysis == 19 19 20 -=== =3.3.1 Errors in eMagiz ====16 +=== 3.1 Errors in eMagiz === 21 21 22 22 To analyze the problem, we first looked at the errors within the environment to get a sense of the issue at hand. See below for the errors we saw. 23 23 ... ... 
@@ -25,7 +25,7 @@ 25 25 26 26 [[image:Main.Images.RCA-Knowledgebase.WebHome@rca-knowledgebase-unable-to-find-valid-certification-path--errors-in-emagiz-part-two.png]] 27 27 28 -=== =3.3.2 Call endpoint in Postman with SSL verification on ====24 +=== 3.2 Call endpoint in Postman with SSL verification on === 29 29 30 30 Secondly, we navigated to the endpoint via the browser to determine the certificate chain of the external party. Once we had established the certificate chain, we tested the connection via Postman. 31 31 When calling the external application with SSL verification turned on but no Certificates configured, we get the below error. This indicates that Postman does not trust the external party enough to establish a proper connection. ... ... 
@@ -36,13 +36,13 @@ 36 36 37 37 [[image:Main.Images.RCA-Knowledgebase.WebHome@rca-knowledgebase-unable-to-find-valid-certification-path--postman-ssl-verification-on-configured-cert.png]] 38 38 39 -=== =3.3.3Truststore configuration and configuration in eMagiz ====35 +=== 3.3 Truststore configuration and configuration in eMagiz === 40 40 41 41 With these results, we have added the intermediate and the CA certificate to a custom truststore for the external party and linked the truststore to the HTTP outbound gateway. 42 42 43 43 [[image:Main.Images.RCA-Knowledgebase.WebHome@rca-knowledgebase-unable-to-find-valid-certification-path--truststore-config-and-emagiz-config.png]] 44 44 45 -== =3.4 Result ===41 +== 4. Result == 46 46 47 47 The analysis concluded that there is a mismatch between the certificates used at the external party and those on default trusted by various software parties (including Java). The best course of action would be to use a certificate structure in which the entire certificate chain (intermediate and CA) is trusted adequately on default. This removes the need for custom configuration in the form of a custom truststore that needs to be managed at the eMagiz side and updated every time the external parties certificate changes. 48 48 
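Review bot: in the @@ -1,23 +1,19 @@ hunk, removing "= Unable to find valid certification path =" leaves the content without a level-1 heading, so the page now depends on the wiki rendering the page title on its own; please confirm that it does. In the same hunk the unchanged intro still ends with "Finally, the document will describe the situation, the problem, the analysis, and the result", which reads oddly directly above "== 1. Situation =="; since the sections are now numbered 1 to 4, a plain "The document describes the situation, the problem, the analysis, and the result" would fit better.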
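Review bot: in the @@ -25,7 +25,7 @@ hunk, section 3.2 takes the certificate chain from the endpoint itself via the browser, and section 3.3 then trusts the intermediate and CA certificate from that chain, but the text never says the chain was confirmed with the external party through a separate channel before it was added. Suggest adding that step to the description, because a chain read from the endpoint only shows what the endpoint presents, not that it is the chain the external party intended to deploy. Minor: the heading says "Call endpoint in Postman" while the first step is done in the browser, and "Certificates" in "no Certificates configured" should be lower case.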
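Review bot: in the @@ -36,13 +36,13 @@ hunk, section 3.3 records that the intermediate and CA certificate were added to a custom truststore, and section 4 states that this truststore must be updated every time the external party's certificate changes, but neither section says who owns that update or how an upcoming change is noticed. Since the incident in section 1 was caused by exactly such an unannounced change, suggest adding a sentence on this, for example that the expiry dates of the certificates in the custom truststore are tracked and that the external party is asked to announce changes. Wording in the Result paragraph: "on default" should be "by default" (twice) and "external parties certificate" should be "external party's certificate".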
 
- rca-knowledgebase-unable-to-find-valid-certification-path--errors-in-emagiz-part-one.png
-   - Author
-   ... ... @@ -1,1 +1,0 @@ 1 -XWiki.marijn 
- Size
-   ... ... @@ -1,1 +1,0 @@ 1 -16.4 KB 
- Content
 
- rca-knowledgebase-unable-to-find-valid-certification-path--errors-in-emagiz-part-two.png
-   - Author
-   ... ... @@ -1,1 +1,0 @@ 1 -XWiki.marijn 
- Size
-   ... ... @@ -1,1 +1,0 @@ 1 -14.9 KB 
- Content
 
- rca-knowledgebase-unable-to-find-valid-certification-path--postman-ssl-verification-on-configured-cert.png
-   - Author
-   ... ... @@ -1,1 +1,0 @@ 1 -XWiki.marijn 
- Size
-   ... ... @@ -1,1 +1,0 @@ 1 -24.4 KB 
- Content
 
- rca-knowledgebase-unable-to-find-valid-certification-path--postman-ssl-verification-on.png
-   - Author
-   ... ... @@ -1,1 +1,0 @@ 1 -XWiki.marijn 
- Size
-   ... ... @@ -1,1 +1,0 @@ 1 -55.6 KB 
- Content
 
- rca-knowledgebase-unable-to-find-valid-certification-path--truststore-config-and-emagiz-config.png
-   - Author
-   ... ... @@ -1,1 +1,0 @@ 1 -XWiki.marijn 
- Size
-   ... ... @@ -1,1 +1,0 @@ 1 -27.0 KB 
- Content
 
