Adel_PFS_2019
Posted: Wed Feb 09, 2022 2:50 pm    Post subject: certificateexpiredexception, but certificate is not expired
Newbie, Joined: 07 Aug 2019, Posts: 7
We are running IIB 9.0.0.2. I'm trying to make an HTTPS request using the HTTPRequest node, and at run time I receive the following error:
Quote:
CertificateExpiredException: NotAfter: Fri Apr 16 13:52:20 EET 2021' (CHARACTER)
I exported the server-side certificate, which is CA trusted, and added it to the broker truststore located in 'brokerTruststoreFile'.
The actual expiry date is 16-APR-2022; I can see that in the keytool -list command, in the browser and even in Postman.
My question is: what could be the reason the IIB node sees the certificate as expired while it's not?
abhi_thri
Posted: Thu Feb 10, 2022 2:15 am    Post subject: Re: certificateexpiredexception, but certificate is not expired
Knight, Joined: 17 Jul 2017, Posts: 516, Location: UK
Adel_PFS_2019 wrote:
what could be the reason IIB node sees that the certificate is expired while it's not?
hi...could it be that the truststore still includes the old CA certificate? You can check this by exporting the truststore details to a file using keytool, e.g.:
Code:
keytool -list -v -keystore <truststore.jks path> -storetype jks -storepass <password> > /tmp/truststore.txt
Adel_PFS_2019
Posted: Thu Feb 10, 2022 5:29 am
Newbie, Joined: 07 Aug 2019, Posts: 7
Hello abhi_thri, I tried keytool -list and found only the certificate I'm interested in; actually I don't have any certificate that expires in 2021.
What is really weird to me is that the error gives a date exactly one year before the expiry date!
I think IIB doesn't even look at the expiry date of the certificate in the truststore.
But why do Google Chrome and Postman show that the domain is secured and there is no problem?
Armageddon123
Posted: Thu Feb 10, 2022 5:39 am
Acolyte, Joined: 11 Feb 2014, Posts: 61
Google Chrome or Postman show you the certificate at the service side.
The most probable reason is that you updated the truststore JKS file at a path different from what is configured in the IIB config. Verify with mqsireportproperties where exactly your relevant store file is.
Adel_PFS_2019
Posted: Thu Feb 10, 2022 7:42 am
Newbie, Joined: 07 Aug 2019, Posts: 7
Hi Armageddon123,
the certificate is added to the keystore in the brokerTruststoreFile field of the command
Code:
mqsireportproperties broker -o BrokerRegistry -r
I tried before adding it and had an SSLHandshake failure.
That's why I'm wondering where IIB gets this 2021 from.
abhi_thri
Posted: Thu Feb 10, 2022 12:31 pm
Knight, Joined: 17 Jul 2017, Posts: 516, Location: UK
Adel_PFS_2019 wrote:
I tried before adding it and had an SSLHandshake failure.
hi...if it was failing with an SSLHandshake error prior to adding the certificate, that suggests that Broker is reading 2021 from the certificate somehow. Is it just the CA certificate which was added to the truststore, or some intermediate ones as well...worth cross-checking whether any has an expiry date of 2021.
Also, what happens if you remove the added certificates...are you able to recreate the SSLHandshake error?
When you list the newly added certificate using keytool, what expiry date is it showing?
You could also collect the JSSE trace and see if that shows anything interesting...https://www.ibm.com/support/pages/collecting-jsse-trace-ibm-integration-bus
Any specific reason for staying on the older fixpack level of 9002 instead of a more recent one...worth checking whether there is any known issue in this area which got fixed in a later fixpack.
Adel_PFS_2019
Posted: Sat Feb 12, 2022 2:05 am
Newbie, Joined: 07 Aug 2019, Posts: 7
abhi_thri wrote:
Is it just the CA certificate which was added to the truststore, or some intermediate ones as well...worth cross-checking whether any has an expiry date of 2021.
Also, what happens if you remove the added certificates...are you able to recreate the SSLHandshake error?
When you list the newly added certificate using keytool, what expiry date is it showing?
Hi,
here is the certification path with the expiry date for each:
Code:
Go Daddy Class 2 Certification Authority (4) expires at 2034
Go Daddy Root Certificate Authority (3) expires at 2031
Go Daddy Secure Certificate Authority (2) expires at 2031
*.xyz.com (1) expires at APR 16 2022
I tried the following cases:
Code:
truststore [(1)] (contains only the leaf Cert) gives SSLHandshake CertPathValidatorException
truststore [(1), (2), (3)] gives CertificateExpiredException
truststore [(2), (3)] gives CertificateExpiredException
truststore [(3)] gives CertificateExpiredException
truststore [(4)] gives CertificateExpiredException
abhi_thri wrote:
You could also collect the JSSE trace and see if that shows anything interesting...https://www.ibm.com/support/pages/collecting-jsse-trace-ibm-integration-bus
The JSSE trace was a good hint; now I can see what was just thoughts before.
I tried with a truststore of [(4)] only, and here is what I found:
under *** ServerHello, TLSv1.2, the chain starts with a certificate with CN=*.xyz.com, the same as (1) (remember I didn't add (1) to the truststore),
but with our magical expiry date of 2021.
At chain[1] we have (2) and at chain[2] we have (3), all with the same expiration dates as above, and in the end our lovely CertificateExpiredException error.
Now it looks like IIB grabs the chain at the ServerHello step from the server side, with a certificate that expires in 2021.
I'd believe that the domain has a problem with its certificate and it's a server-side issue, but I can see Google Chrome marked the domain as trusted and Postman did the same thing!
Now, why does Chrome grab the updated cert while IIB grabs the expired one, and how to fix that?
abhi_thri wrote:
Any specific reason for staying on the older fixpack level of 9002 instead of a more recent one...worth checking whether there is any known issue in this area which got fixed in a later fixpack.
The version upgrade is beyond me (traditional client, you know); we had this type of integration many times before (using this version) and I didn't find (with my humble search) any known issue related to this topic.
mgk
Posted: Sat Feb 12, 2022 2:40 am
Padawan, Joined: 31 Jul 2003, Posts: 1642
To see what certificates the remote server is sending back, try running:
Code:
openssl s_client -connect <yourserver.com:443>
You might also want to try this with the option as well.
This will display all the certs sent back so that you can examine them.
Hope that helps,
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
Last edited by mgk on Sat Feb 12, 2022 2:55 am; edited 1 time in total
abhi_thri
Posted: Sat Feb 12, 2022 2:49 am
Knight, Joined: 17 Jul 2017, Posts: 516, Location: UK
Adel_PFS_2019 wrote:
I tried with a truststore of [(4)] only, and here is what I found:
under *** ServerHello, TLSv1.2, the chain starts with a certificate with CN=*.xyz.com, the same as (1) (remember I didn't add (1) to the truststore),
but with our magical expiry date of 2021.
At chain[1] we have (2) and at chain[2] we have (3), all with the same expiration dates as above, and in the end our lovely CertificateExpiredException error.
Now it looks like IIB grabs the chain at the ServerHello step from the server side, with a certificate that expires in 2021.
I'd believe that the domain has a problem with its certificate and it's a server-side issue, but I can see Google Chrome marked the domain as trusted and Postman did the same thing!
Now, why does Chrome grab the updated cert while IIB grabs the expired one, and how to fix that?
hi...I initially thought it was the CA certificate that was being renewed. Yes, the truststore requires the CA root certificates only and not the server leaf ones.
Agree with your analysis that the server is presenting an expired certificate for some reason. Why don't you pass on the relevant part of the JSSE trace to the server side and ask them why the server is returning an expired certificate?
Also, just to be sure...the URL you checked via Chrome/Postman, is it exactly the same one which IIB is using?
Adel_PFS_2019
Posted: Fri Feb 18, 2022 1:24 pm
Newbie, Joined: 07 Aug 2019, Posts: 7
Hello dears,
here are the results of my tests:
Code:
openssl s_client -servername server.domain.com -connect <Public_IP>:443 | openssl x509 -noout -dates
or
openssl s_client -connect server.domain.com:443 | openssl x509 -noout -dates
Root_Cert valid
intermediate_cert valid
Leaf_Cert valid
openssl s_client -connect <Public_IP>:443 | openssl x509 -noout -dates
Root_Cert valid
intermediate_cert valid
Leaf_Cert expired CN=*.domain.com
Leaf_Cert valid CN=*.domain.com
Then I tried with Postman as the following.
So, it seems that the server has two domains published on one IP, one with an expired certificate, which is the default.
The issue now is that the IIB HTTPRequest node seems to behave like the second command (the one with the IP).
I tried to override the Host header with an HTTPHeader node or a Compute node (with "Generate default HTTP headers from input" unselected), but IIB is still retrieving the expired one.
Now, how to notify IIB of the right domain and therefore the valid certificate?
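The with-SNI versus without-SNI comparison in the post above, as an added example that is not part of the thread: it redoes the two openssl s_client runs with Python's ssl module so that a client that sends the server name and one that only connects to the bare IP can be put side by side. The host name, IP address and CA file are placeholders, and expiry_status is a small helper for the notBefore/notAfter strings that getpeercert() returns.

```python
"""Compare the certificate a TLS server presents with and without SNI.

Added example (not from the thread): the openssl s_client comparison done
above, redone with Python's ssl module so the two handshakes can be put
side by side. Host name, IP address and CA file below are placeholders."""
import socket
import ssl
import time


def expiry_status(cert, now=None):
    """Classify a getpeercert()-style dict as 'valid', 'expired' or
    'not-yet-valid'. `now` is seconds since the epoch (default: current
    time); notBefore/notAfter are strings in the 'Apr 16 13:52:20 2022 GMT'
    form that getpeercert() returns."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not-yet-valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"


def probe(ip, port=443, sni=None, cafile=None, timeout=5.0):
    """TLS-connect to ip:port, sending the SNI extension only when `sni` is
    given. Returns ("ok", notAfter, status) when the chain verifies, or
    ("verify-failed", reason) when it is rejected. A client that omits SNI
    (like the bare-IP openssl run above) gets the server's default
    certificate, so a stale default shows up here as 'certificate has
    expired', which is what the thread saw from IIB."""
    ctx = ssl.create_default_context(cafile=cafile)   # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = sni is not None              # no name to check without SNI
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                return ("ok", cert["notAfter"], expiry_status(cert))
    except ssl.SSLCertVerificationError as exc:
        return ("verify-failed", exc.verify_message)


if __name__ == "__main__":
    # Placeholder endpoint: replace with the real server name and its IP.
    host, ip = "server.domain.com", "192.0.2.10"
    print("with SNI   :", probe(ip, sni=host))
    print("without SNI:", probe(ip))
```

If the first call returns "ok" and the second "verify-failed" with an expiry reason, the server is serving a different (stale) default certificate to clients that do not send SNI.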
abhi_thri
Posted: Mon Feb 21, 2022 11:53 pm
Knight, Joined: 17 Jul 2017, Posts: 516, Location: UK
hi...why don't you pass on the results to the server side and request them to remove the expired certificate from their side?
Adel_PFS_2019
Posted: Tue Feb 22, 2022 12:22 am
Newbie, Joined: 07 Aug 2019, Posts: 7
abhi_thri wrote:
hi...why don't you pass on the results to the server side and request them to remove the expired certificate from their side?
I did that. It took them quite a while, but they just did it and now I can establish the connection. It was a great help from you guys here.
Adel_PFS_2019 wrote:
Now, how to notify IIB of the right domain and therefore the valid certificate?
But out of curiosity, I'm still searching for an answer to the above question.
I don't know if having two domains on one server is common or not, but I believe if we can work it out in Postman, we can make it work in IIB as well.
abhi_thri
Posted: Tue Feb 22, 2022 1:03 am
Knight, Joined: 17 Jul 2017, Posts: 516, Location: UK
Adel_PFS_2019 wrote:
But out of curiosity, I'm still searching for an answer to the above question.
I don't know if having two domains on one server is common or not, but I believe if we can work it out in Postman, we can make it work in IIB as well.
hi...I suggest raising a PMR with the observations and seeing whether it is possible to do so with IIB at the moment; if not, I guess IBM will suggest raising an enhancement request if they feel that this is a valid scenario.