WSO2 IoTS APIMClientOAuthException: failed to retrieve oauth token using jwt - wso2

I have uploaded WSO2 IoTS 3.1.0 to my remote virtual machine with static IP address.
I have unzipped zip file then run sudo ./change-ip.sh
In first step I have entered localhost
In second step I have entered my_own_ip_address
Then my hostname is my_own_ip_address
When I launch IoT Server and open device management then I login where it shows me this page:
When I try to open any other page and even try to logout it redirects me to this page.
My logs shows this:
TID[-1234] [IoT] [2017-09-09 08:32:30,079] ERROR {auth-module} -
org.wso2.carbon.apimgt.integration.client.exception.APIMClientOAuthException: failed to retrieve oauth token using jwt
org.mozilla.javascript.Context.throwAsScriptRuntimeEx(Context.java:1754)
org.mozilla.javascript.MemberBox.invoke(MemberBox.java:148)
org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
org.mozilla.javascript.optimizer.OptRuntime.callProp0(OptRuntime.java:85)
It shows that there is an error in jaggery JS.
What did I miss?

One reason for the issue could be that you are having a DNS entry against that IP in /etc/hosts file. Please make sure that your /etc/hosts file does not contain any DNS entry pointing your IP to a hostname. When WSO2 IoT Server tries to resolve DNS to call the endpoints, the first thing it looks at is your local DNS setting. If your IP is pointing to a hostname, it takes that host name as the server hostname. And when IoT server tries to verify the common name of the SSL certificate, it gets conflicting information. This leads to hostname verification fail issue. And that could result in JWT token failure as it cannot access the endpoints.
Similar issue was discussed here

Related

Certificate for <x.x.x.x> doesn't match any of the subject alternative names

I am using wso2 identity Server as a internal key manager of wso2 api manager and use Shared_db and start two server based on documentation here I got this error in api manager
ERROR {org.wso2.carbon.apimgt.rest.api.util.exception.GlobalThrowableMapper} - An unknown exception has been captured by the global exception mapper. feign.RetryableException: Certificate for <x.x.x.x> doesn't match any of the subject alternative names: [localhost] executing GET https://x.x.x.x:9443/oauth2/token/.well-known/openid-configuration.
x.x.x.x is The Identity Server ip.
The error simply indicated that the certificate you have for IS has the CN localhost and you are trying to access it with a different host(In this case IP) which causes the hostname verification to fail.
The correct solution to resolve this issue is to create proper certificates with correct CN/SAN names and use one of them to access Identity Server.
As a workaround, although it's not recommended, you can try disabling hostname verification by adding the following properties to the server startup script.(Not sure what's the exact parameter that will do the trick, but try following)
-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \
-Dhttpclient.hostnameVerifier=AllowAll \
-Dfeign.httpclient.disableSslValidation=true \
We had the same issue when upgrading from IS 5.11.0 to 6.0.0.
The SSL certificates generated with Letsencrypt didn't have localhost as a Security Alternative Name (SAN). The workaround with self-signed certificates that include localhost as SAN is ok, but not what we needed.
We have bypassed it by adding the internal_hostname parameter under the [server] block inside the <IS_HOME>/repository/conf/deployment.toml config file:
[server]
hostname = "is.wso2.com"
internal_hostname = "is.wso2.com"
Make sure you replace is.wso2.com with your DNS.
More details can be found here.
https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/

How to configure a Daphne server to invite clients to add the Certificate Authority that issued my certificate if they hadn't done it yet?

If I make a request to my Daphne/Django server in Postman or the Android app we're developing, Daphne serves the certificate, but it's rejected. If I first make a simple get request to https://letsencrypt.org/ and then make a request to my server, the certificate is accepted.
How can I make sure a client will trust my certificate, even if it's the first time this client is seeing a certificate issued by this CA?
Everything bellow can serve as a history of how I studied the problem.
Original title: SSL Certificate works in browser but can't be verified by Postman
I have an AWS EC2 instance running Ubuntu 18.04, with python 3, Django, a bunch of project dependencies, Daphne running with ASGI, with a certificate by Let's Encrypt. Daphne is using port 8000 for HTTP and por 4430 for HTTPS, iptables is configured to redirect requests from port 80 to 8000 and from port 443 to 4430. Django is configured to enforce secure connections with SECURE_SSL_REDIRECT=True in the settings.py file.
There's a "Site in Construction" temporary page being served, and it's properly accessible from every browser and every device I tested so far. If I explicitly type http, I get redirected to https and the certificate is accepted. Every browser I tested (Firefox, Brave, Chrome, Chrome for Android) says cert is good.
Curl outputs the HTML content returned from the server. I don't know if it accepts the certificate or ignores it.
The Problem
Postman, however, says "Error: unable to verify the first certificate". Only works when I disable "SSL certificate verification", which doesn't answer my question: why Postman is unable to verify my Let's Encrypt certificate?
I'm building an API that runs on the same server, using the same domain, and it's meant to be consumed by a mobile app. Currently, the Android app is throwing a "TypeError: Network request failed", which I suspect could be caused by the same thing Postman is complaining about.
When I spin the server locally and configure 1) the app to use http://localhost:8000 and 2) the server not to enforce SSL, it works in browsers, Postman and in the Android app.
I've being looking for answers in many places for days, so any clue will be very welcome.
EDIT
Interesting clue:
If I make a request to my Daphne/Django server, it servers the certificate, which is rejected. But if I first make a request to https://letsencrypt.org/ and then make a request to my server, it works!
This pattern holds true in both Postman and our Android app.
It also happens when I first make a request to https://alloy.city (instead of letsencrypt.org), which is served by a Node.js app, and uses a certificate also issued by the Let's Encrypt CA.
So maybe the question should be: how to configure my server to politely invite clients to add the CA that issued my certificate if they hadn't done it yet?.
Apparently, that's what my Node.js server does.
Yes, in settings, tap ssl verification off
File > Settings > General > SSL Certificate Verification > off

Facebook : HTTPS is required for all Redirect URIs

I am trying to use facebook sdk for facebook login.
I gave http://localhost as Valid OAuth Redirect URIs but it throws the following error
HTTPS is required for all Redirect URIs.
I used this future few days ago it worked fine. but now it throws this error
And I am not able to disable
Enforce HTTPS
option
I ran into this issue with my Rails app that I usually run with http://localhost:3000.
To use https, I used ngrok which allows you to use https by providing a tunnel. To do this:
I went to their website and downloaded their program
I extracted the file for the program
In my console, I went into the directory where ngrok was extracted to and entered 'grok http 3000' on my Windows machine, others may use './grok http 3000'
After entering that, ngrok provided a https address which I put into the Valid OAuth Redirect URIs field in Facebook
Then I started my server and was able to access it using that https address instead of localhost:3000
yep, they changed that recently :-(
For testing the login flow locally I installed a self-signed certificate
https://letsencrypt.org/docs/certificates-for-localhost/
btw, I doesn't have to be trusted by the browser if you're OK with a one time security warning.
Don't use this certificate in production!

WSO2API Manager : Api Store Error: Error in getting new access token

I have updated WSO2 default SLL with the custom SSL certificate on my Production Server on which WSO2Api installed.
SSL issues have been fixed, but now I am getting error while re-generating access token
Logs
Caused by: org.wso2.carbon.apimgt.keymgt.APIKeyMgtException: Error in getting new accessToken
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:281)
... 45 more
Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:252)
... 45 more
TID: [0] [AM] [2014-08-27 10:57:41,440] ERROR {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Error in getting new accessToken {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject}
If APIManager runs with a port offset,you need to do addtional changes.
Change the endpoint ports defined in default APIs shipped with APIManager
Find all default APIs of the API Manager in /repository/deployment/server/synapse-configs/default/api folder. Those are Authorize API, Login API, Token API and Revoke API. Open each of them and change the address endpoint config included port value to match with offset value.The default address endpoint config is
"address uri="https://192.168.1.7:9443/oauth2/token".If the AM standalone pack running with port offset 2 change that config as
address uri="https://192.168.1.7:9445/oauth2/token"
What I did to fix the issue was to 1) add admin user inside ApiKeyValidaor in api-manager.xml also into admin user via management console and into user-mgt.xml; 2) Inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to:
https://[FQDN_OF_HOST}:${mgt.transport.https.port}${carbon.context}/services/
Reason is my server certificate only recorded the domain name, not ip address.
My setup: Product: WSO2 AM 1.10.0 DB: MSSQL Security: SAML2 integrated with PingIdentity OS: Linux
Please also refer to this question:
wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
The error may be due to one of these two things:
Your admin password is not set for ApiKeyManager in api_manager.xml.
SSL is not set properly.

SSL Exception when WebService endpoint url has https

I am getting the below exception when I invoke a jax ws webservice from my application deployed in WebSphere Application Server 6.1
SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=yyy.com, OU=For Intranet Use Only, OU=Web Hosting, O=xx, L=xx, ST=xx, C=xx" was sent from target host:port "*:9445". The signer may need to be added to local trust store "F://../trust.p12" . The extended error message from the SSL handshake exception is: "No trusted certificate found".
The enpoint url has https.
With the same enpoint url I am able to get a response from SOAP UI(Tool) without any certificate configuration etc..
Could you help me on this ?
I finally was able to fix this small issue.The Server certificate needs to be added to the websphere appserver truststore.This can be done from the admin console of websphere by providing the server domain and port.