The CA API Gateway ("Gateway") can present a multitude of unique certificate-related errors in the audits or logs. The common ones are compiled in this article for convenience, with common root causes and resolutions.
Release:
Component: APIGTW ( all versions )
Error presents itself as follows:
This indicates that the Gateway was unable to establish trust with a remote system. This could be because the Gateway does not trust the issued certificate implicitly or it does not trust the issuer of a certificate. To resolve this issue:
Error presents itself as follows:
This indicates that the API Gateway's certificate was rejected by the remote system. This could be because the remote system does not trust the certificate presented by the API Gateway or the issuer of the API Gateway's certificate. To resolve this issue:
Error presents itself as follows:
This indicates that the API Gateway was unable to match the CN value of the certificate presented by the remote system to the host name of the remote system being contacted. If the CN value of the certificate being presented does not match the hostname of the system being contacted, this error will occur. To resolve this:
This issue can also occur because a certificate issued by an authority is a wildcard certificate. This means that this valid for multiple individual hosts and is not specific to a single host. By default, the API Gateway takes the least trustful behaviour. Trusting a wildcard value for the hostname is not a default behaviour and must be enabled by an administrator To resolve this:
Documentation: Managing cluster-wide properties in the CA API Gateway
Error presents itself as follows:
This indicates that the Gateway rejected the certificate presented by the remote system because it was explicitly not trusted. This is due to a failure in the certificate validation process-either in validating the trust chain of the issuer or because a certificate or authority is explicitly revoked. Typically, this is caused by the Gateway not being able to fully follow the trust chain of a certificate presented by the remote system that is not self-signed. To resolve this issue:
More information on importing certificates as trusted issuers can be found here: Sign a certificate
Error presents itself as follows:
This indicates that the API Gateway sees a CA certificate in the trust chain of a certificate returned by an endpoint but that the CA certificate is not explicitly or implicitly trusted to issue client certificates. To resolve this issue:
For more information on adding certificates to the API Gateway's certificate trust store, please review Chapter 3 of the Layer 7 Policy Manager User Manual -- Managing Certificates: Adding a New Certificate.
Error presents itself as follows:
This indicates that the API Gateway is rejecting a certificate presented by the remote system because it or a portion of its trust chain is not trusted specifically for SSL communication. To resolve this issue:
Additionally, this error could occur due to an inconsistency between a certificate stored in the Manage Certificates trust store and the certificate provided by server. If the distinguished name of a certificate stored in the trust store matches the distinguished name of a certificate used by the server but the certificate itself does not match then this error will occur. To resolve this problem:
Specifically, the values for the modulus and thumbprint of each certificate will likely show differences. If these values are different then the certificates are different. This is the core of the issue: The certificates are different but the distinguished names are the same. This results in a certificate being found (as indicated by the log entry) but not matching the existing certificate.
Additionally, the error can be seen if the remote system certificates are not in the trusted certificates list of the routing assertion. To check the trusted certificates list on the Route Via HTTP(S) assertion, edit the Route Via HTTP(S) Assertion > Connection tab > Trusted Server Certificates. It must have the "Trust all Trusted Certificates" selected or otherwise will need to add the remote server certificates in the "Trust only the specified Trusted Certificates" list.
For more information on adding certificates to the API Gateway's certificate trust store, please review Chapter 3 of the Layer 7 Policy Manager User Manual--Managing Certificates: Adding a New Certificate.
Error presents itself as follows:
This indicates that the API Gateway is trying to make an outbound SSL connection to a remote system and the API Gateway was unable to find an agreed upon an SSL/TLS version to use for the connection. Most typically, this occurs when the API Gateway is trying to connect to a remote system that is requiring SSLv3. SSLv3 support has been disabled on the API Gateway and special steps must be taken to utilize SSLv3. You can re-enable SSLv3 in the Route via HTTP(S) assertion under the "Security Tab." If you require instructions for enabling SSLv3 globally, please contact Support for more information.
Error presents itself as follows:
This error occurs when negotiating client mutual authentication via SSL and the remote system does not trust the CA or issuer of the certificate the API Gateway is presenting. When mutual authentication is being initialized, each side requests the trusted CA allowed for the transaction. If the issuer of the certificate presented by the API Gateway is not trusted by the remote system, the connection will fail. To resolve this issue:
For more information on adding or updating API Gateway cluster-wide properties, please review Chapter 2 of the Layer 7 Policy Manager User Manual -- Managing Cluster-Wide Properties.
Error presents itself as follows:
This error occurs when using SSL/TLS and requiring a client certificate, but none is presented. This is due to the client not receiving a list of acceptable CAs from the API Gateway on it's ACK during the SSL Handshake. This is expected behaviour for TLS 1.0 per standards. To resolve this issue:
For more information on configuring the TLS settings of an active Listen Port, please review Chapter 2 of the Layer 7 Policy Manager User Manual--Managing Listen Ports.
For more information on adding or updating API Gateway cluster-wide properties, please review Chapter 2 of the Layer 7 Policy Manager User Manual--Managing Cluster-Wide Properties.
Error presents itself as follows:
Unable to obtain HTTP response from https://<hostname>.<yourdomain>.com/path/to/remote/service?wsdl: Received fatal alert: Certificate Unknown
This error occurs when using SSL/TLS to communicate with a protected service and the protected service is requiring a client certificate from the API Gateway. This error will be presented when the protected service completely rejects the certificate provided by the API Gateway. In this case, the certificate provided by the API Gateway to the protected service is not trusted or the issuer of the API Gateway's certificate is untrusted. To resolve this error:
Error presents itself as follows:
Request routing failed with status 601 (Error in Assertion Processing)
This error can occur when the backend certificate has a wild card in the CN. By default the gateway does not trust them, this behavior can be overwritten by setting io.httpsHostAllowWildcard cluster-wide property to the boolean value of true.
It can also occur when the backend hostname is completely different with the backend server certificate CN, or it try to use intermediate or root CA as trusted anchor.
If it try to use intemediate or root CA certificate as trusted anchor for certificate verification, set io.httpsHostVerify as false.
Sample error message:
Problem routing to https://backendurl: SSL verification failed!
Sample curl command and error message:
Sample hostname and CN:
Solution: Re-generate correct server certificate
Workaround: set io.httpsHostVerify as false