To remove the dependency on intermediate certificates, we updated the root CA as the trusted anchor and configured the cluster-wide property io.httpsHostAllowWildcard to true; we also updated io.httpsHostVerify to false.
The above solutions haven't succeeded when the server certificate is issued by a different intermediate certificate in PROD.
This caused prod issues, and we must reload all intermediate certificates to resolve the prod issue.
Error in the ssg log:
"Unable to obtain HTTP response from https://xxx.xxx.xxx: Server cert cn=yyy found but not trusted for SSL."
Release : 10.0
The root CA usually stops working because the CA has changed or replaced its root CA certificate, even though the common name of the certificate stays the same.
The error message also indicates that the server certificate, or part of its certificate chain, is not trusted for SSL.
To verify whether the root CA has been changed, compare the SHA1 fingerprint of the root CA stored in the gateway with the one obtained from the backend server's certificate chain.
To show the SHA1 fingerprint of the root CA stored in the gateway, log in to Policy Manager, navigate to "Manage Certificates", open the properties window of the root CA, and click the Details tab.
To show the SHA1 fingerprint of the root CA from the server side:
1. Find the URL of the signing certificate.
openssl x509 -in (cert) -text
Here is an example for the Google intermediate certificate "GTS CA 1C3.crt":
openssl x509 -in "GTS CA 1C3.crt" -text
It shows:
Authority Information Access:
OCSP - URI:http://ocsp.pki.goog/gtsr1
CA Issuers - URI:http://pki.goog/repo/certs/gtsr1.der
So http://pki.goog/repo/certs/gtsr1.der is the download link of the issuer certificate.
2. Download the signing certificate to a file (DER format in above example).
curl (url) > (signer.der)
Continuing the example above:
curl http://pki.goog/repo/certs/gtsr1.der > gtsr1.der
3. Convert the signing certificate to PEM (X.509) format.
openssl x509 -inform der -in (signer.der) -out (signer.pem)
Continuing the example above:
openssl x509 -inform der -in gtsr1.der -out gtsr1.pem
4. Repeat steps 1 to 3 on the downloaded signing certificate to get the root CA.
5. Show the SHA-1 fingerprint of the issuer.
openssl x509 -noout -fingerprint -sha1 -inform pem -in (signer.pem)
Continuing the example above:
openssl x509 -noout -fingerprint -sha1 -inform pem -in gtsr1.pem
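The five steps above as one script, added here as an example and not part of this article or of the Gateway product: it reads the CA Issuers URI from a certificate's Authority Information Access extension, downloads the issuer, and compares its SHA-1 fingerprint with the one Policy Manager shows. SAMPLE_DER is a constructed AIA fragment for demonstration (not a real certificate), and fetch_issuer_der is the only part that needs network access.

```python
import base64, hashlib, re, urllib.request

CA_ISSUERS_OID = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2

def pem_to_der(data):
    """Accept PEM or DER bytes and return DER (fingerprints are taken over DER)."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length]

def ca_issuers_url(der):
    """Step 1: return the AIA 'CA Issuers' URI (download link of the signer) or None."""
    marker = bytes([0x06, len(CA_ISSUERS_OID)]) + CA_ISSUERS_OID
    idx = der.find(marker)
    if idx < 0:
        return None
    tag, value = _read_tlv(der, idx + len(marker))
    return value.decode("ascii") if tag == 0x86 else None  # [6] uniformResourceIdentifier

def sha1_fingerprint(der):
    """Step 5: SHA-1 over the DER bytes in the AA:BB:.. form openssl and Policy Manager show."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def same_fingerprint(a, b):
    """Compare ignoring case, colons and openssl's 'SHA1 Fingerprint=' prefix."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.split("=")[-1].lower())
    return norm(a) == norm(b)

def fetch_issuer_der(url):
    """Steps 2-3: download the signing certificate and normalise it to DER."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return pem_to_der(resp.read())

def issuer_matches_gateway(cert, gateway_fp, fetch=fetch_issuer_der):
    """Locate, download and fingerprint the issuer of cert, then compare with the
    fingerprint shown in Policy Manager. False means the CA has been changed."""
    url = ca_issuers_url(pem_to_der(cert))
    return url is not None and same_fingerprint(sha1_fingerprint(fetch(url)), gateway_fp)

# Constructed sample: one AIA AccessDescription pointing at the URL from the article.
_URL = b"http://pki.goog/repo/certs/gtsr1.der"
SAMPLE_DER = (bytes([0x30, 12 + len(_URL), 0x06, 8]) + CA_ISSUERS_OID
              + bytes([0x86, len(_URL)]) + _URL)
```

Run issuer_matches_gateway against the backend server's leaf certificate with the fingerprint copied from the Details tab; repeat with the downloaded intermediate to reach the root CA.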
Download and import the new root CA