Layer7 API Management

  • 1.  Facing SSL related issue

    Posted Oct 16, 2019 06:14 AM
    Hi Team,

    We are facing the issue as below: 

    Http request failed with status code 'TrustFailure' and status message: 'The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.'.

    Although it's an intermittent issue, I am not able to see any error logs at the GW. But as per the LB logs below, it's showing that the GW is not responding. So could someone suggest accordingly?

    Oct 16 02:05:21 HKD_INET_F5LB01A err tmm1[18276]: 01010028:3: No members available for pool /Common/POOL_api-gateway.com_8443


    Does this issue happen because of some unsigned cert at the client side?

    Thanks
    Praty



  • 2.  RE: Facing SSL related issue

    Broadcom Employee
    Posted Nov 04, 2019 09:25 AM
    Praty,
    I think we would require more details. If it's not in the gateway logs (and I assume, though I don't have a screenshot of the fault) that it's a non-gateway error (usually SOAP format). And assuming this is on the inbound connection, then it would sound like either:
    a) Trust or certificate, or
    b) Gateway latency or configuration on the inbound pool.

    On the occasional failure is it at peak times (more load or long running connections?) 
    Have you audited the concurrency on the gateway or adjusted the Cluster property io.coreconcurrency/maxcoreconcurrency?
    Do you have more details?
    Thanks..


  • 3.  RE: Facing SSL related issue

    Posted Nov 04, 2019 10:50 PM
    Hello Charles,

    The problem might be that:

    The certificate might be invalid.
    The certificate wasn't issued by a trustworthy authority.
    This happens with some frequency when integrating in non-productive environments, since the certificates installed on those environments are usually self-signed.

    Resolution

    Navigate to the service URL using a browser, and check for certificate errors. The error message displayed by the browser should help you troubleshoot what's causing the error. If you don't see any certificate error on your local browser, repeat the test using a browser installed on the server with the problem.

    The most frequent reasons for an SSL certificate validation to fail are:

    The hostname used in the URL doesn't match the name that's on the certificate. Make sure the URL you're using and the URL in the 'Issued to' field of the certificate are the same;
    The certificate expired. Install a valid certificate, or contact the support of the system you're trying to integrate with;
    The Certificate Root Authority that issued the certificate is not trusted by the server. Make sure to install the Root Certificate on the server;
    The certificate is self-signed. Make sure to install the certificate as trusted.
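
The browser check described in the post above can also be run from the affected server without a browser. The following is an added example, not part of any post in this thread: it performs a verified TLS handshake with Python's standard `ssl` module and maps OpenSSL's verification codes to the causes listed above. The function names and the host/port command-line arguments are hypothetical.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes, grouped by the causes listed in the post above.
CAUSES = {
    9: "certificate not yet valid (check validity dates and the local clock)",
    10: "certificate expired",
    18: "self-signed certificate that is not in this machine's trust store",
    19: "self-signed certificate in the chain (root not trusted here)",
    20: "issuer not found: root untrusted or intermediate missing from the chain",
    21: "issuer not found: root untrusted or intermediate missing from the chain",
    62: "hostname does not match the certificate",
    64: "IP address does not match the certificate",
}

def classify(verify_code):
    """Map an OpenSSL verify code to one of the causes above."""
    return CAUSES.get(verify_code, f"other verification failure (code {verify_code})")

def probe(host, port, timeout=5.0):
    """Handshake against the system trust store; return (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies both the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, f"{tls.version()}, valid until {cert['notAfter']}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"{classify(exc.verify_code)} [{exc.verify_message}]"
    except (ssl.SSLError, OSError) as exc:
        # Refused, timed out or aborted handshake: not a trust failure.
        return False, f"connection problem, not a certificate error: {exc}"

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    for attempt in range(1, 6):  # repeat, since the failure in this thread was intermittent
        ok, detail = probe(host, port)
        print(f"attempt {attempt}: {'OK' if ok else 'FAIL'} - {detail}")
```

Run it on the machine that reports the error, because the result depends on that machine's trust store.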


  • 4.  RE: Facing SSL related issue
    Best Answer

    Posted Nov 04, 2019 10:56 PM
    Hi Charles/Atul,

    Thanks a lot for your valuable inputs.

    The issue has been resolved and, as stated by Atul, it was occurring due to self-signed certs which customers were using in the PROD environment.
    I changed the certificate and updated the correct certificate chain in order to establish a secure connection.

    Once again, thanks for all your valuable inputs.

    Cheers
    Pratyush