In Wso2 ESB when I try to connect with Https endpoint. I get
`TargetHandler I/O error: General SSLEngine problem`
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
How to solve this and how to get the certificate for the endpoint
I added the certificate and it's working
1) First, in the browser go to the HTTPS link you want to add a certificate, then in the browser address bar click on the view site information tab(i,e on the HTTPS ). Then go to description and then export it.
2) WSO2 will get the certification information from the client-truststore.jks. So, import the certificate to client-truststore.jks by the command.
keytool -importcert -file path\FileName.cer -keystore client-truststore.jks -alias "the endpoint or the domain address(like Https://..)"
After this configuration PKIX path building failed exceptions will be resolved.
3) Then in ESB_HOME\repository\conf\axis2\axis2.xml configure the parameter mentioned below.
<parameter name="HostnameVerifier">AllowAll</parameter>
After this javax.net.ssl.SSLHandshakeException: General SSLEngine problem will be resolved.
Related
I am using AWS load balancer to listen to dev.example.com and api.dev.example.com. I have added amazon managed certificates in the listener for both the subdomains. I can connect to dev.example.com successfully, but for api.dev.example.com I am getting an SSL error. I am using AWS default security policy(ELBSecurityPolicy-2016-08). I did sslscan for api.dev subdomain and got the following error
TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support
Heartbleed:
Supported Server Cipher(s):
Unable to parse certificate
Unable to parse certificate
Unable to parse certificate
Unable to parse certificate
Certificate information cannot be retrieved.
Why is sslscan failing for api.dev subdomain while it is successful for dev subdomain? How can I resolve this?
Second level subdomains have to be listed in the SSL certificate. If you have a *.example.com wildcard certificate the wildcard is only valid for one level. You would also need to add wildcards for other levels, like: *.dev.example.com.
This is not a limitation of AWS, it is a limitation of SSL certificates.
In wso2is 5.11.0 user trying to self register cause a "javax.net.ssl.SSLException: hostname in certificate didn't match: != ........." exception. The same configuration with same keystore and trust-store works fine if backported to 5.10.0.
Thanks
Francesco
In WSO2 IS-5.11, the server hostname for internal API calls is by default configured as localhost. This configuration is utilized to build the internal absolute URL of a service endpoint, which will be consumed at places that will generate internal API calls.
If you are configuring the hostname for evaluations (when there is no load balancer or proxy) you can follow this.
Add 'localhost' as SAN for the certificate (-ext SAN=dns:localhost)
Here is a sample keystore generation:
keytool -genkey -alias newcert -keyalg RSA -keysize 2048 -keystore newkeystore.jks -dname "CN=wso2is.local, OU=Is,O=Wso2,L=SL,S=WS,C=LK" -storepass mypassword -keypass mypassword -ext SAN=dns:localhost
Also, if you are using single-node deployment(there is no load balancer or proxy) instead of adding SAN, defining internal_hostname value as the same as hostname value will resolve this issue
[server]
hostname = "is.dev.wso2.com"
internal_hostname = "is.dev.wso2.com"
I have configured SSl certificate on AWS EC2 server by following Step-by-Step procedure to generate a CSR and install an SSL Certificate on a Tomcat web server. And I purchased this SSl certificate from Comodo. But after all installations setup, am not redirecting to my server when I add HTTPS to it.
Please help me out on this issue...
Thank you
If you want to force a redirect from http to https you need this
<Connector port="xx" protocol="HTTP/1.1"
redirectPort="443"/>
I have configured HTTP end point using Amazon API gateway.
Further I have added custom domain along with SSL certificate.
However on invoking api , I am getting Execution failed due to configuration error: General SSLEngine problem.
Now what is confusing that same SSL certificate works well for other Amazon API configured apis.
The API back end is Play Web Service and is being served through Nginx.
From Cloud watch logs , I do not find much relevant information.
It is possible that the issuer of your server certificate is not trusted by API Gateway.
Just For info.
Following analysis could be one of the reason for above issue.
The mentioned problem was being faced on following configuration.
Operating System :- UBUNTU 16.04 X64
NGINX :- 1.10.X
The issue was resolved on downgrading to following configuration.
Operating system to UBUNTU 14.04 x64
NGINX to 1.4.6.
Though I am not sure , it appears to me that the problem with Nginx 1.10.x.
Execution failed due to configuration error: General SSLEngine problem is a common error in the API Gateway private integration (VPC Link) and HTTP Integration.
General SSLEngine problem can be observed in following scenarios, when Integration returns :
A certificate signed by issuers API gateway do not trust
An expired certificate
A self-signed certificate
Certificate signing chain/chain of trust is missing the root certificate or one or more intermediate certificates
Any other unrecognizable certificate-related exceptions
Read More here - https://cloudnamaste.com/general-sslengine-problem/
I faced the same issue and then I contacted my SSL Support/Company and they added the intermediate certificate into the actual SSL certificate file using JavaKeyStore - which solved the issued
in wso2 esb i want to add a https proxy service and but when in define proxy service in specity source url use https://... in test url get error :
Invalid WSDL URI (Unable to establish a connection)
and in next step in definr endpoint use of an endpoint https:// ... this error apear :
Unable to validate SSL Certificate of https://....
i try to certificate a crt file and in my https proxy service in wso2\repository\resources\security\client-truststore.jks with keytool
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
and enable https transport sender and recsiever in axis2.xml but my problem do not solve.
I guess, you are trying to connect to a HTTPS endpoint using proxy service. Here you want to import the endpoint server's certificate chain in the the "client-truststore.jks" flie and restart the server. However; by default HTTPS transport sender and receiver are enabled. You may not need to enable them.
But few things to remember..
In transport sender, if you do NOT want to verify the host name of the end point server with its certificate, Please configure "HostnameVerifier" property to "AllowAll". If not, if your end point server's IP and certificate CN are not matched, It would create some errors.
If end point server's certificate is a self signed on, you can just import the server's certificate. If it is a CA singed on, You need to import all the CA certificate chain.
(However most common CA certificates can be found in the "client-truststore.jks" file)
If you want to change the trust store or key store files, you can do it using transport sender configurations. By default trust store file is "client-truststore.jks" Also, if you did any changes to axis2.xml file or key stores, Please restart the server.
Also If you want to expose your proxy service using SSL, you need to enable the "https" in the proxy service. And then your client needs to user ESB server's certificate to call the proxy service.