Unable to obtain HTTP response  -  java.security.cert.CertificateException - Caused by: Certificate [cn=server.domain.com] path validation and/or revocation checking failed

Article ID: 416988

Products

CA API Gateway

Issue/Introduction

When opening the URL https://server.domain.com:443/ in a browser, we are able to see the certificate chain with the leaf certificate, but the certificate trusted at the backend does not match the leaf certificate.

The log shows the error below:

msg: Unable to obtain HTTP response 
from https://server.domain.com:443/ic/api/integration/v1/flows/rest/MS_CPQ_GET_CUST_QUOTE_ORDER/1.0/quoteorder:
 java.security.cert.CertificateException: Certificate [cn=server.domain.com] 
 path validation and/or revocation checking failed.
  Caused by: Certificate [cn=server.domain.com] 
  path validation and/or revocation checking failed. Please find the below logs.

Audit Logs:

=========

NONE  f161e5883d55431896681b235ddc541c Gateway2 20250924 20:38:47.892  WARNING  Get Order Details UAT API V1 [/uat/api/v1.0/oic/orderdetails*]    Message was not processed: Undefined (-1)

20250924 20:38:47.742   INFO  -4    Request received

20250924 20:38:47.750   INFO  -4    Backend URL ---- https://server.domain.com:443/api/integration/v1/flows/rest/1.0/quoteorder

20250924 20:38:47.750   INFO        -4    Request headers--- accept:application/json, ApplicationName:SPS UAT App, authorization:Basic T0lDX0ludGVncmF0aW9uX1RDRl9VQVEDITEDkZXJOaXpUNkYtUDIxNy4uISFJ, connection:keep-alive, content-type:application/json, host:server2.domain.com, TransactionID:d59c07e4-a206-4620-85f6-1b7e5ddbb1db, transfer-encoding:chunked, user-agent:Java/17.0.16, x-apikey:l1234567ae26644a43882888785be8d87e

20250924 20:38:47.750   INFO        -4    Request From Client----{"eventInfo":{"createTd":"2025-09-24T15:08:41","msgName":"GetQuote_Request","reqApp":"WEBPAGE"},"orderInfo":{"order":{"uuId":"d47e9839-5525-475a-8118-8d3EDITED2910"}}}

 

20250924 20:38:47.890   WARNING 4042  Problem routing to https://server.domain.com:443/api/integration/v1/flows/rest/1.0/quoteorder. Error msg: Unable to obtain HTTP response from https://server.domain.com:443/api/integration/v1/flows/rest/1.0/quoteorder: java.security.cert.CertificateException: Certificate [cn=server.domain.com] path validation and/or revocation checking failed. Caused by: Certificate [cn=server.domain.com] path validation and/or revocation checking failed

20250924 20:38:47.891   INFO        3017  Policy evaluation for service Get Order Details UAT API V1 [b23228ab21f04712a39f49dc63564e93] resulted in status -1 (Undefined)

Environment

CA API Gateway 9.4, 10.x, 11.x

Cause

The customer used the wrong custom fragment, which did not pass auth and went through an incorrect network route that returned an unexpected certificate.

The proxy was adding another hop between the network devices involved, resulting in improper certificate validation or potential redirection at the proxy level.

 

Resolution

The issue was not with the certificate. The certificates were fine, as the DigiCert Global Root G2 certificate is trusted in the Gateway trustStore.

However, it was identified that the API was configured to use the “RoutetoBackendExternal_Proxy” encapsulated fragment instead of the “RoutetoBackendExternal_No Auth” fragment, which is being used in production. We compared it with the one used in the QA environment and updated it.

After updating the correct policy fragment, the data was successfully routed to the backend service.
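
To check for the route-dependent certificate described under Cause, the leaf presented on the direct route can be compared with the leaf presented through the proxy. The Python below is an added example, not part of the original article or of CA API Gateway; it assumes an HTTP CONNECT forward proxy, and the proxy address is a hypothetical placeholder.

```python
import hashlib
import socket
import ssl

def connect_request(host, port):
    """HTTP CONNECT preamble asking a forward proxy for a tunnel to host:port."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def tunnel_established(reply):
    """True only if the proxy's status line carries a 200 status code."""
    status = reply.split(b"\r\n", 1)[0].split()
    return len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1] == b"200"

def open_route(host, port, proxy=None, timeout=10.0):
    """TCP socket to host:port, direct or tunnelled through proxy=(host, port)."""
    sock = socket.create_connection(proxy or (host, port), timeout=timeout)
    if proxy:
        sock.sendall(connect_request(host, port))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        if not tunnel_established(reply):
            sock.close()
            raise ConnectionError(f"proxy refused CONNECT: {reply[:80]!r}")
    return sock

def presented_leaf(host, port, proxy=None):
    """DER bytes of the leaf certificate presented on this route."""
    # Verification is off on purpose: record what each route presents, even if untrusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with ctx.wrap_socket(open_route(host, port, proxy), server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

def compare_routes(direct_der, proxied_der):
    """SHA-256 fingerprints of both leaves and whether the two routes agree."""
    d, p = hashlib.sha256(direct_der).hexdigest(), hashlib.sha256(proxied_der).hexdigest()
    return {"direct": d, "proxied": p, "same_leaf": d == p}

if __name__ == "__main__":
    # Placeholders: the article's redacted host and a hypothetical proxy address.
    host, proxy = "server.domain.com", ("proxy.example.internal", 8080)
    print(compare_routes(presented_leaf(host, 443), presented_leaf(host, 443, proxy)))
```

A `same_leaf` value of `False` means the two routes present different leaf certificates, which points at the route taken rather than at the trust store contents.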