Unlike browsers, the API Gateway does not implicitly trust anyone's certificate (not even itself). In order to route to an HTTPS endpoint, some level of trust in the certificate presented by the server must be configured in the Gateway. The simplest way to do this is to use the Manage Certificates interface to load the endpoint certificate directly and check the "Outbound SSL Connections" box in the Options tab for the certificate. This is how explicit trust is declared for a certificate in the Gateway, and I am assuming this is what was done for it to work in the first place. Unfortunately this will not "survive" when the server certificate changes at the server (either it expires and is replaced, or they have some kind of rotating certificate configuration) and will result in the type of errors you are seeing, so a better option is to declare implicit trust in a certificate by loading a certificate from higher up its chain.
There are two approaches to this:
1. Load an issuer certificate from higher up the chain and declare it as a trust anchor. One could go all the way up to the root authority and trust anything anywhere in their chain. For example, the chain for graph.microsoft.com is:
- depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = graph.microsoft.com
- depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 02
- depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
In this example the "CN = graph.microsoft.com" certificate is the actual server certificate, which was signed by the "CN = Microsoft Azure TLS Issuing CA 02" cert, which in turn was signed by the "CN = DigiCert Global Root G2" cert, which is a self-signed root authority. If you load up your browser and look at the list of authorities, you will find the "CN = DigiCert Global Root G2" cert already installed. When you access graph.microsoft.com it will present the first two certs as its chain, and since you have the root authority already in there and trusted, the chain is valid and it works.
2. There is an unpublished cluster-wide property that will enable *all* of the authorities that are part of the Java trust store stored in $JAVA_HOME/jre/lib/security/cacerts. It is unpublished for a reason: we don't encourage its use in lieu of encouraging tighter control on your trust chains.
So if a server is rotating certificates you should find the lowest common denominator certificate in the chain, load that into your trusted certs, check the "Signing Certificates for Outbound SSL Connection" usage option and mark it as a trust anchor.
Please let me know if this helps solve what you are seeing.
------------------------------
Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
------------------------------
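The behaviour Jay describes (trusting the server certificate itself breaks as soon as the server rotates it, trusting its issuer or the root survives the rotation) can be reproduced offline with openssl. The script below is an added, constructed example and is not part of the thread or of the Gateway: it builds a throwaway root CA, an issuing CA and two server certificates with the same DN (the second one standing in for the rotated certificate), then checks each trust configuration. All names (Example Root CA, Example Issuing CA 02, api.example.test) are made up, and openssl's `-partial_chain` flag is used as the command-line analogue of marking a non-root certificate as a trust anchor.

```shell
#!/bin/sh
# Constructed example, not code from the thread: build a three-level chain
# (self-signed root -> issuing CA -> server cert) with openssl, "rotate" the
# server cert, and check which trust configuration survives the rotation.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for the CA certs and for the server (leaf) certs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:api.example.test\n' > "$WORK/leaf.ext"

# new_csr NAME SUBJECT: fresh RSA key plus CSR (openssl chatter sent to /dev/null).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Self-signed root, playing the role of "DigiCert Global Root G2" in the thread.
new_csr root "/O=Example/CN=Example Root CA"
openssl x509 -req -sha256 -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

# Issuing CA signed by the root, playing "Microsoft Azure TLS Issuing CA 02".
new_csr issuing "/O=Example/CN=Example Issuing CA 02"
openssl x509 -req -sha256 -days 2 -in "$WORK/issuing.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -set_serial 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/issuing.pem" >/dev/null 2>&1

# issue_leaf NAME SERIAL: server cert from the issuing CA. Calling it twice
# with the same subject is the rotation the thread describes: same DN/CN,
# new key, new serial, new signature.
issue_leaf() {
  new_csr "$1" "/O=Example/CN=api.example.test"
  openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
    -CA "$WORK/issuing.pem" -CAkey "$WORK/issuing.key" -set_serial "$2" \
    -extfile "$WORK/leaf.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue_leaf leaf_old 1001
issue_leaf leaf_new 1002

# verify_anchor ANCHOR LEAF: prints ok/fail. -partial_chain lets a certificate
# that is not a self-signed root act as the trust anchor, the openssl
# equivalent of marking a loaded cert as a trust anchor in the Gateway.
verify_anchor() {
  if openssl verify -partial_chain -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# verify_root LEAF: full path to the self-signed root; the issuing CA is
# passed as -untrusted, the way a server sends it in the TLS handshake.
verify_root() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/issuing.pem" "$WORK/$1.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

echo "anchor = old leaf,   server presents old leaf: $(verify_anchor leaf_old leaf_old)"
echo "anchor = old leaf,   server presents new leaf: $(verify_anchor leaf_old leaf_new)"
echo "anchor = issuing CA, server presents new leaf: $(verify_anchor issuing leaf_new)"
echo "anchor = root CA,    server presents new leaf: $(verify_root leaf_new)"
```

The second line of output is the situation in the thread: the pinned server certificate no longer matches after rotation, so path validation fails even though the DN is unchanged. The third and fourth lines show the two fixes from the reply above: anchoring on the issuing CA (the "lowest common denominator" in the chain) or on the root, either of which validates any certificate the server rotates in under the same issuer.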
Original Message:
Sent: 09-20-2021 02:22 AM
From: suraj tomar
Subject: Sharepoint online SSL certificate errors
Hi All,
We are also facing a similar issue: Google Cloud endpoints keep returning different certs with the same DN or CN value (in our case *.appspot.com) whenever they rotate the cert or the request reaches a different server (due to horizontal scaling).
Is there a way to trust the cert based on the root cert of the signing authority?
Respected community members, please suggest a solution, as it is impacting our production.
Original Message:
Sent: 09-15-2021 01:00 AM
From: Laurent LANDREAU
Subject: Sharepoint online SSL certificate errors
Hello
I periodically get the following errors when CA API v9.4.CR5 tries to access SharePoint online APIs.
https://graph.microsoft.com/v1.0/sites/queenslandurbanutilities.sharepoint.com,f51c34c9-XXXX-XXXX-9d7f-a8a88c0beXXX,7943390d-53c0-4a15-a5da-4fcae3ef9716/drives/b!yTQc9TqcKEedf6iojAvkGQ05Q3nAUxVKpdpPyuPvlxbau58PLWkGTY5eKWhdnXnQ/root/children. Error msg: Unable to obtain HTTP response from https://graph.microsoft.com/v1.0/sites/queenslandurbanutilities.sharepoint.com,f51c34c9-9c3a-XXXX-XXXX-a8a88c0be419,7943390d-XXXX-4a15-a5da-4fcae3efXXX/drives/b!yTQc9TqcKEedf6iojXXXXXQ3nAUxVKpdpPyuPvlxbau58PLWkGTY5eXXXXXnQ/root/children: java.security.cert.CertificateException: Certificate [cn=graph.microsoft.com,o=microsoft corporation,l=redmond,st=wa,c=us] path validation and/or revocation checking failed. Caused by: Certificate [cn=graph.microsoft.com,o=microsoft corporation,l=redmond,st=wa,c=us] path validation and/or revocation checking failed
I have now imported:
- 4 graph.microsoft.com certificates
- 6 stamp2.login.microsoftonline.com certificates
and these errors periodically keep coming.
Questions
1) Has anyone had the same kind of errors with Sharepoint Online?
2) What am I missing?
3) What is the right solution to resolve the issue?
Thanks for any input/idea,
Laurent LANDREAU
Integration architect, Brisbane, Australia