Description

Running an outbound REST API call integration that requires the use of a custom SSL certificate fails with the error:

Response: [ERROR CODE: -1 ] No issuer certificate found for <endpoint hostname>

Steps to Reproduce: 

1. Run an outbound REST integration against an endpoint that presents a custom SSL certificate 
2. Look at the Outbound HTTP Requests log and note the error

Release or Environment

This may be seen after an upgrade to New York or later.

Cause

The issue is caused by stricter certificate validation: the endpoint's certificate chain must now validate cleanly for the outbound call to succeed.

SSH to one of the instance nodes and run openssl as shown below. When checking the host with openssl we can see errors associated with the certificate chain, such as "unable to get local issuer certificate", "certificate not trusted" and "unable to verify the first certificate": 

$ openssl s_client -connect <endpoint hostname or IP address>:<port> -showcerts 
CONNECTED(00000003) 
depth=0 OU = Domain Control Validated, CN = *.xxxx
verify error:num=20:unable to get local issuer certificate 
verify return:1 
depth=0 OU = Domain Control Validated, CN = *.xxxx
verify error:num=27:certificate not trusted 
verify return:1 
depth=0 OU = Domain Control Validated, CN = *.xxxx
verify error:num=21:unable to verify the first certificate 
verify return:1 
--- 
Certificate chain 
0 s:/OU=Domain Control Validated/CN=*.xxxx
i:/C=US/ST=xxxx Secure Certificate Authority - G2 
-----BEGIN CERTIFICATE----- 
MIIGMzCCBRugAwIBAgIJANB1AI9Fqe8DMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD 
....

S7SKDwRbcQ== 
-----END CERTIFICATE----- 
--- 
Server certificate 
subject=/OU=Domain Control Validated/CN=*.xxxx
issuer=/C=US/STxxxx Secure Certificate Authority - G2 
--- 
No client certificate CA names sent 
Server Temp Key: ECDH, prime256v1, 256 bits 
--- 
SSL handshake has read 2266 bytes and written 373 bytes 
--- 
New, TLSv1/SSLv3, Cipher is xxxx
Server public key is 2048 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
Protocol : TLSv1.2 
Cipher : xxxx
Session-ID: xxxx
Session-ID-ctx: 
Master-Key:xxxx
Key-Arg : None 
Krb5 Principal: None 
PSK identity: None 
PSK identity hint: None 
TLS session ticket lifetime hint: 300 (seconds) 
TLS session ticket: 
xxxx

Start Time: 1566849477 
Timeout : 300 (sec) 
Verify return code: 21 (unable to verify the first certificate) 


Because the certificate chain does not validate cleanly, the web service call fails with this error: 

"No issuer certificate found for <endpoint hostname>"  

Resolution

There are two options to resolve this: 

(1) Clean up the endpoint's certificate chain (the output above, a single certificate with "unable to verify the first certificate", indicates the server is not sending its intermediate certificate) so that no certificate errors are reported when executing: openssl s_client -connect <endpoint hostname or IP address>:<port> -showcerts
(2) Ignore these certificate errors (i.e. relax the tighter certificate standards) by adding this system property to the instance. This relaxes the check for every outbound call the instance makes, so prefer option (1) where the endpoint can be fixed: 

Name = com.glide.communications.httpclient.verify_revoked_certificate 
Type = true|false 
Value = false 
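The openssl check in the Cause section and the re-check required by resolution option (1) are easier to repeat if the s_client output is parsed rather than read by eye. The following POSIX shell script is an added example, not part of this article or of the ServiceNow platform: it counts the certificates the server sent, extracts the final "Verify return code", and classifies the result. The function names, the status labels, and the two embedded s_client transcripts (SAMPLE_BROKEN, SAMPLE_OK, with placeholder certificate bodies) are constructed for the example; check_endpoint needs network access and the openssl CLI and is the only part that talks to a real host.

```shell
#!/bin/sh
# Added example, not from the KB article: parse the output of
#   openssl s_client -connect <host>:<port> -showcerts
# and classify why the chain fails, so the check in the article can be
# repeated after every fix attempt on the endpoint.

# Number of certificates the server sent (one per BEGIN CERTIFICATE block).
# grep -c exits 1 on a zero count, so force success to keep "0" usable.
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# The final "Verify return code" openssl printed (0 = chain validated).
verify_return_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Distinct chain-building errors, one per line,
# e.g. "unable to get local issuer certificate".
verify_error_names() {
    sed -n 's/^verify error:num=[0-9]*:\(.*\)$/\1/p' | sed 's/[[:space:]]*$//' | sort -u
}

# Reads s_client output on stdin and prints one line:
#   <STATUS> code=<n> certs_sent=<n>
# STATUS is OK, INCOMPLETE_CHAIN (code 21: only the leaf was sent, so its
# issuer cannot be found), UNTRUSTED_ISSUER (code 20: the top of the sent
# chain is not signed by a locally trusted CA), FAIL for any other code,
# or NO_VERIFY_LINE when the input is not s_client output at all.
assess_chain() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | verify_return_code)
    count=$(printf '%s\n' "$out" | chain_cert_count)
    case "$code" in
        '')  status=NO_VERIFY_LINE; code=NA ;;
        0)   status=OK ;;
        21)  status=INCOMPLETE_CHAIN ;;
        20)  status=UNTRUSTED_ISSUER ;;
        *)   status=FAIL ;;
    esac
    printf '%s code=%s certs_sent=%s\n' "$status" "$code" "$count"
}

# Live check against an endpoint (needs network access and the openssl CLI).
# -servername sends SNI so a virtual-hosted endpoint returns the right cert.
check_endpoint() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null | assess_chain
}

# Constructed sample mirroring the article's failing output: one leaf
# certificate, no intermediate, final verify code 21.
SAMPLE_BROKEN='CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.example.test
   i:/C=US/O=Example CA/CN=Example Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample of a healthy endpoint: leaf plus intermediate, code 0.
SAMPLE_OK='CONNECTED(00000003)
depth=2 C = US, O = Example CA, CN = Example Root
verify return:1
---
Certificate chain
 0 s:/CN=api.example.test
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
 1 s:/CN=Example Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_BROKEN" | assess_chain
printf '%s\n' "$SAMPLE_BROKEN" | verify_error_names
printf '%s\n' "$SAMPLE_OK" | assess_chain
```

To use it against a real endpoint, source the script and run `check_endpoint <endpoint hostname> <port>` from an instance node; the endpoint is fixed for option (1) when the status line reads OK with a certs_sent count of at least 2, meaning the server now sends its intermediate and the chain terminates at a locally trusted CA.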

Article Information

Last Updated:2020-02-26 08:30:41
Published:2020-02-26