Working with WSO2 API Manager v1.6.0. I have a signed universal SSL certificate from GoDaddy I want to use. I am able to import the certificate into a new keystore I created along with the intermediate certificate. When attempting to access the API manager via https I am getting an error that the root certificate cannot be verified. I believe my issue may be that the certificate chain did not or is not importing correctly.
Found the solution. Was able to import the signed SSL certificate as a trusted Key-Pair into a new keystore.
I'm trying to import a certificate from Cloudflare using the AWS Web UI and I'm stuck on this page:
I read that the equivalent in Cloudflare to Certificate Chain is Origin Certificates (not 100% sure on this), so I created one and chose the RSA certificate and when I try to finish the import in AWS it says:
Could not validate the certificate with the certificate chain. Choose Previous button below and fix it.
Does anyone know what the problem is?
Thanks
EDIT:
I tried the root CA and it also doesn't work:
This is the "solution" from AWS:
"Could not validate the certificate with the certificate chain."
If ACM can't match the certificate to the certificate chain provided, verify that the certificate chain is associated to your certificate. You might need to contact your certificate provider for further assistance.
Ok, I found the issue. I had created a Client CE and that's what I was using; I read in the description that it was the one used to authenticate APIs in clients, so it made sense. Anyway, resolution:
All 3 CEs have to be ORIGIN, and the root is from this page. So if anyone has this issue, make sure you use the CE from the Origin page + the root.
I'm creating a simple website. The frontend is stored in S3, and hosted by Cloudfront. I managed to add a trusted SSL certificate to my frontend domain (www.xyz.com) using AWS Certificate Manager.
The backend is running on an EC2 instance. I added a self-signed certificate to it. I'm able to hit the APIs using Postman but the requests from frontend are failing because of the self-signed certificate.
I checked the AWS Certificate Manager again to see if it could provide me with a cert for my backend server, but it requires a domain. My server is running on an IP and port, and I couldn't find any service that provides a certificate for an IP. I don't want to spend extra money to get a domain for my backend.
So how do I get a trusted SSL certificate for a backend server, running on something like 10.12.12.10:9000?
couldn't find any service that provides a certificate for an IP.
This is because you need a domain to obtain a valid public certificate. You can't register an SSL cert for an IP. But if you already have your own domain www.xyz.com, you can get a certificate for one of its subdomains, e.g. api.xyz.com.
However, ACM certs can't be used on instances. Thus, you need to get a valid public SSL cert from a third party. A popular choice is https://letsencrypt.org/ with certbot, which provides free SSL certificates. By the way, Stack Overflow is using Let's Encrypt as its SSL cert provider, so it's a widely used and trusted SSL provider.
Using WSO2 APIM 2.6.0, it seems the primary keystore certificate is used for multiple purposes:
service (nio-https) SSL - that can be easily changed
signing a JWT token to the API Gateway backend service
thrift SSL endpoint for the Traffic Manager (port 9711)
The issue I have is that in a distributed setup a separate gateway should reach the TM endpoint and the hostname needs to be trusted. So, in theory, I can create a self-signed certificate with a new hostname; however, a new keypair/certificate will break the existing backend that validates the JWT token.
In theory I may just create a different self-signed certificate with the same public key, but it may be more complex to manage in the long run (I don't want to promote this practice).
Question: Is there a way to configure either the JWT signing certificate or the thrift SSL certificate separately? Or disable hostname validation for the throttling service (port 9711)?
(I'm not sure we want to allow disabling the hostname validation globally)
Since you have a distributed setup, this can be achieved easily.
You need to change the certificate in the gateways so that they use that keystore for the TM connection.
Keep the KM keystore as it is so that JWT is signed using the same old keystore.
The built-in certificate is causing issues for the API manager connecting to Micro Gateway services when they are installed on a separate server.
How should a custom SSL domain certificate be installed? Does this require creating a new keystore to store the new domain certificates?
I have been trying to import a self-signed certificate into AWS ACM but am getting the exception below:
Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain. Choose Previous button below and fix it.
What could be the issue?