
Certificate issue when using Rest module over HTTPS

mushfek0001
Posts: 20
Joined: Wed Mar 14, 2018 1:31 am

Certificate issue when using Rest module over HTTPS

Post by mushfek0001 »

Hi,

I'm trying to use the Rest module to do an API call to my server (running Weblogic 12c) over HTTPS but I'm getting the following exception.
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', READ: TLSv1.2 Alert, length = 2
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', RECV TLSv1.2 ALERT: fatal, unknown_ca
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: unknown_ca
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: unknown_ca
<Mar 14, 2018, 2:08:27,839 AM EDT> <Debug> <SecuritySSL> <BEA-000000> <[Thread[ExecuteThread: '2' for queue: 'weblogic.socket.Muxer',5,Thread Group for Queue: 'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:664)
at weblogic.security.SSL.jsseadapter.JaSSLEngine$5.run(JaSSLEngine.java:135)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:743)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:133)
at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:644)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:541)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:99)
at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:342)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:975)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:916)
at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:596)
at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:560)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)
>
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', called closeOutbound()
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', closeOutboundInternal()
I think it's because the certificate your system uses isn't recognized by my server. I've added the certificate from fuse.plumvoice.com but no luck, so I dug a bit more and found that the request isn't done from this domain but rather from *.plumgroup.com. I might be missing something but this is what I've found so far.

How do I obtain the certificate that *.plumgroup.com uses? Any other help regarding this will be really appreciated.

P.S. It works absolutely fine over HTTP.

support
Posts: 3632
Joined: Mon Jun 02, 2003 3:47 pm
Location: Boston, MA

Re: Certificate issue when using Rest module over HTTPS

Post by support »

Plum Fuse only uses the certificate that you provide. For more details, please take a look at our docs (scroll to the bottom):

https://www.plumvoice.com/docs/fuse/my-account

mushfek0001
Posts: 20
Joined: Wed Mar 14, 2018 1:31 am

Re: Certificate issue when using Rest module over HTTPS

Post by mushfek0001 »

So, for one-way SSL setup the client side certificate isn't required? I mean I should be able to make requests to my server without adding a certificate to my account. Am I right?

support
Posts: 3632
Joined: Mon Jun 02, 2003 3:47 pm
Location: Boston, MA

Re: Certificate issue when using Rest module over HTTPS

Post by support »

We took a peek into your account; you do not have any client-side certificates uploaded in your account. You must upload the client-side certificate for your webservice. For more details, please take a look at our docs (scroll to the bottom):

https://www.plumvoice.com/docs/fuse/my-account

Based on your initial error log, specifically the "unknown_ca" alert, it seems your server does require a certificate that is signed by a trusted CA.

mushfek0001
Posts: 20
Joined: Wed Mar 14, 2018 1:31 am

Re: Certificate issue when using Rest module over HTTPS

Post by mushfek0001 »

The server I'm using actually has a cert signed by COMODO (quite trusted I'd say). This is the server I'm using: https://bd.therapbd.net:8002. Would you please take a look at the cert and verify if there's any compatibility issue?

support
Posts: 3632
Joined: Mon Jun 02, 2003 3:47 pm
Location: Boston, MA

Re: Certificate issue when using Rest module over HTTPS

Post by support »

You have not uploaded your client-side certificate. You should do so under "My Account." For screenshots showing you how, please take a look at our docs (scroll to the bottom):

https://www.plumvoice.com/docs/fuse/my-account

Plum Fuse allows users to configure client-side certificates that servers use to verify the identity of the client making the server request. Client-side certificates are ideal for users that want to ensure that only authorized clients are making requests to their servers. Plum Fuse supports client-side certificates by allowing customers to provide Fuse with a domain name (e.g. www.plumvoice.com) and a client-side certificate (PEM format only). When a SOAP or REST module makes a request to a domain configured with a client-side certificate, Fuse uses that certificate when making the request.

mushfek0001
Posts: 20
Joined: Wed Mar 14, 2018 1:31 am

Re: Certificate issue when using Rest module over HTTPS

Post by mushfek0001 »

I think there's been some confusion. I went through your docs and I don't think I'll need a client cert here as my server doesn't use two-way SSL. For one-way SSL, the server doesn't need to authenticate the client. So I should be able to make REST calls to my server. I was actually talking about my server certificate. Anyway, it'd be great if you can answer the following questions:
1. Does your service work with one-way SSL? (without uploading any client cert)
2. Does your service have any issues with certificates signed by COMODO?

Lastly, https://bd.therapbd.net:8002/api/v2/ivr ... rCode=4321 is exactly the URL I'm fetching data from. Could you please check if there's any issue connecting to it from your side?

Edit: In case you guys want to take a more detailed look at the setup I'm trying out, here's some additional info. I'm actually using my boss' account for testing purposes. That account is associated with the email sazzad.rafique[at]therapservices.net. You'll find an application named Therap Integration Test which I'm actually testing out. Hope this helps.

support
Posts: 3632
Joined: Mon Jun 02, 2003 3:47 pm
Location: Boston, MA

Re: Certificate issue when using Rest module over HTTPS

Post by support »

To clarify, for one-way SSL, you are responsible for providing a certificate as you are the server. This certificate does not come from Fuse and should not make any references to *.plumvoice.com or *.plumgroup.com.

Fuse is the client, and for one-way SSL, does not provide any certificate. We verify the certificate that you send us. Right now, that verification is failing because "Peer's Certificate issuer is not recognized."

We use curl to connect to your REST APIs, so you can try this command yourself:

    curl "https://bd.therapbd.net:8002/api/v2/ivr/plum/auth?userCode=4321"

We are a little confused because in your initial post, it looks like your server is expecting a certificate from Fuse, which would make this two-way SSL. In that case, you are still responsible for providing a certificate on your server, AND you must upload a client-side certificate into your Fuse account.
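
An added example, not part of the original thread: a small triage script for the WebLogic JSSE debug lines in the first post. It reads the direction of each TLS alert to tell which side rejected which certificate: a certificate alert is sent by the party whose validation failed, so `RECV ... unknown_ca` in a server's log means the client could not trust the server's chain. The `SEND` sample line and the names `parse_alerts` and `diagnose` are constructed for illustration.

```python
import re

# JSSE debug format: "<thread>, RECV TLSv1.2 ALERT: fatal, unknown_ca".
# Sent alerts may carry "description = " before the alert name.
ALERT_RE = re.compile(
    r"\b(?P<direction>RECV|SEND)\s+(?P<version>TLSv[\d.]+|SSLv3)\s+ALERT:\s*"
    r"(?P<level>fatal|warning),\s*(?:description\s*=\s*)?(?P<name>\w+)"
)

# Alerts a TLS endpoint sends when it cannot accept its peer's certificate.
CERT_ALERTS = {
    "bad_certificate", "unsupported_certificate", "certificate_revoked",
    "certificate_expired", "certificate_unknown", "unknown_ca",
}

# First two lines are from the post; the third is constructed for contrast.
SAMPLE_LOG = """\
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', READ: TLSv1.2 Alert, length = 2
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', RECV TLSv1.2 ALERT: fatal, unknown_ca
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', SEND TLSv1.2 ALERT: fatal, description = bad_certificate
"""


def parse_alerts(log_text):
    """Return one dict per TLS alert line found in JSSE debug output."""
    return [m.groupdict() for m in ALERT_RE.finditer(log_text)]


def diagnose(alert, local_role="server"):
    """Name the side that rejected a certificate and whose certificate it was.

    local_role is the role of the host that wrote the log (assumption: the
    WebLogic host is the TLS server, as in the thread).
    """
    if alert["name"] not in CERT_ALERTS:
        return None
    remote_role = "client" if local_role == "server" else "server"
    # The sender of a certificate alert is the party whose validation failed.
    rejected_by = remote_role if alert["direction"] == "RECV" else local_role
    certificate_of = local_role if rejected_by == remote_role else remote_role
    return {"rejected_by": rejected_by, "certificate_of": certificate_of}


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_LOG):
        print(alert["direction"], alert["name"], diagnose(alert))
```
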

mushfek0001
Posts: 20
Joined: Wed Mar 14, 2018 1:31 am

Re: Certificate issue when using Rest module over HTTPS

Post by mushfek0001 »

> We are a little confused because in your initial post

Sorry for the confusion. It actually took me a while to get down to this too since there are too many parameters involved and I had to check almost everywhere to find out what is actually going wrong.

> Fuse is the client, and for one-way SSL, does not provide any certificate. We verify the certificate that you send us. Right now, that verification is failing because "Peer's Certificate issuer is not recognized."

Thanks. This helps a lot. Looks like the certificate issuer isn't in your cURL's trusted CA list. Is there any way I can upload the public key and CA bundle of my certificate or any other way for you to add it in your truststore?

support
Posts: 3632
Joined: Mon Jun 02, 2003 3:47 pm
Location: Boston, MA

Re: Certificate issue when using Rest module over HTTPS

Post by support »

The intermediate CA cert for your web server is not part of the official CA cert bundle distributed by the Mozilla organization. Once it has been added to the Mozilla CA cert bundle, your HTTPS REST webservice should work with Fuse+.

We'll periodically check on the situation and will let you know when the intermediate cert appears in the Mozilla bundle or a reason why it was specifically excluded.

support
Posts: 3632
Joined: Mon Jun 02, 2003 3:47 pm
Location: Boston, MA

Re: Certificate issue when using Rest module over HTTPS

Post by support »

We were checking this on a weekly basis, but it seems your webservice is unreachable now regardless of the certificate. Please let us know if you run into further issues.
