Application Server SSL-Certificates

  • 10 August 2016
  • 17 replies
  • 2124 views

This post has become obsolete as it was incorporated in the Application Server SSL certificates and authentication tokens topic.

All application servers must have a valid SSL certificate so that a secure HTTPS connection can be established. Please refer to your system administrator if you're unsure about setting this up.

If your application server does not have an SSL certificate yet, you can buy one online, for instance at https://www.thesslstore.nl/ or https://www.sslcertificaten.nl/, or you can use the free (domain-validated, 90-day) certificates issued by https://letsencrypt.org/; because they expire after 90 days, set up automated renewal. Which one you use is up to you.

To check that your certificate is installed properly, open your application server URL in a browser and confirm that the connection is reported as secure (most browsers warn you when there is a problem with the certificate). For a more thorough check, run https://www.ssllabs.com/ssltest/ against your server; it also reports whether the full certificate chain is served and which TLS versions are enabled.

Note that servers should support TLS 1.2 or higher and accept traffic only on port 443.

17 replies

Are you sure that LetsEncrypt certificates are currently accepted by your backend?

I have set up a server with a valid LetsEncrypt certificate and validated it with https://www.ssllabs.com/ssltest but a test-post from your backend to our server results in a

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

Some digging in google resulted in the following post http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates

It seems the certificate from Let's Encrypt is supported from Java version 1.8.0_101, and I have verified that SSLPoke with Java version 1.8.0_96 resulted in the exact same error as above, but SSLPoke with Java version 1.8.0_101 could indeed successfully connect to my server.

SSLPoke can be downloaded from https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html
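
Marcel's post above traces the PKIX error to the JVM's trust store. As an added example (not part of this thread and not code from KPN's portal), the following Java program lists the trust anchors that the JVM's default X509TrustManager accepts and reports whether the roots you depend on are among them; run it with the same JVM that performs the outbound call. "DST Root CA X3" is the root named later in this thread; "ISRG Root X1" is Let's Encrypt's own root and is included as an assumption about what you want to check. The class and method names are mine.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Lists the trust anchors that this JVM's default trust manager accepts
 * (normally the contents of $JAVA_HOME/lib/security/cacerts) and reports
 * whether the roots you depend on are among them. Run it with the same
 * JVM that makes the outbound HTTPS call: "PKIX path building failed"
 * means the chain your server sends does not end at one of these anchors.
 */
public class TrustStoreCheck {

    // Roots to look for. "DST Root CA X3" is the root named in this thread;
    // "ISRG Root X1" is Let's Encrypt's own root (assumption: you want both checked).
    static final List<String> WANTED = Arrays.asList("DST Root CA X3", "ISRG Root X1");

    /** Trust anchors of the JVM's default X509TrustManager (no guessing of file paths needed). */
    static X509Certificate[] defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** The CN attribute of a distinguished name, e.g. "DST Root CA X3" from "CN=DST Root CA X3,O=...". */
    static String commonName(X500Principal principal) {
        for (String rdn : principal.getName(X500Principal.RFC2253).split(",")) {
            if (rdn.startsWith("CN=")) {
                return rdn.substring(3);
            }
        }
        return principal.getName();
    }

    /** Returns the anchor whose subject CN equals name, or null if the JVM does not trust it. */
    static X509Certificate findRoot(X509Certificate[] anchors, String name) {
        for (X509Certificate anchor : anchors) {
            if (commonName(anchor.getSubjectX500Principal()).equals(name)) {
                return anchor;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        X509Certificate[] anchors = defaultTrustAnchors();
        System.out.println(anchors.length + " trust anchors in the default trust store");
        // Root names may also be passed on the command line.
        for (String name : (args.length > 0 ? Arrays.asList(args) : WANTED)) {
            X509Certificate root = findRoot(anchors, name);
            if (root == null) {
                System.out.println("  MISSING " + name);
            } else {
                System.out.println("  present " + name + " (valid until " + root.getNotAfter() + ")");
            }
        }
    }
}
```

If a root is reported MISSING, either upgrade the JVM or import the root into its trust store, for example with `keytool -importcert -trustcacerts -alias isrgrootx1 -file isrg-root-x1.pem -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit` (changeit is the default password). Caveat for readers today: DST Root CA X3 expired on 30 September 2021, so a current Let's Encrypt chain has to validate against ISRG Root X1.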
@marcelmaatkamp: thanks for your reply here. We will need to do some digging to answer your question, will get back to you.
Hello Michiel,

I have the same problem as Marcel; I also get an error message:
Response status: -1 CONNECTION FAILED, ETag: null, body: 'javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target']

I use a Let's Encrypt SSL certificate on an Apache web server. When I run https://www.ssllabs.com/ssltest it seems that everything is OK. The CA root certificate is "DST Root CA X3".

Is this a problem on my server or is this a problem on the KPN side?
@michieljol I'm having the exact same problem as @marcelmaatkamp.

Also verified my certificate using https://www.ssllabs.com/ssltest, but got the same error message when performing the test in the developer portal.
I've also just tried to send packets from my device, but those packets did not make it through to my server.
Using the 'old' KPN interface (deviceManager) it was working just fine with the same setup, so to me it seems to be an issue in the new DeveloperPortal.
Hi Vidavidorra, it seems that it is indeed a Developer Portal issue. We are trying to pinpoint it right now, will keep you posted.
Hi All, Quick update: we have pinpointed it to be indeed an old Java version somewhere in the back-end of the Developer Portal. We are now working on a solution.
Hi All, we need some more input about the error. Can anyone PM me a link to an end-point that shows the above behaviour when testing from the developer portal?
I currently cannot provide a backend with Let's Encrypt certificates because we installed a temporary SSL certificate from another provider, but that one will expire in 80 days, so Let's Encrypt is something we absolutely want!
We have updated our portal with a patch that should fix this problem. Could you verify that it is working?
I've just tested it using the 'test' button in the developer portal and still get the same error.
As extra info, the error code is below (please note that I did re-add the device to the portal). Is it required to delete and add the device again in the portal?
code:

Server returned HTTP response code -1

Response info:
Error in sending rest post to developer url https://URL, for device DEVNO, payloadhex 22010. Error details: restservices.consume.RestConsumeException 400. Rest request failed: [HTTP Request: POST 'https://URL?LrnDevEui=DEVNO&LrnFPort=1&LrnInfos=null&AS_ID=yourcompany.developer&Time=2016-10-10T10:29:44.332+02:00&Token=TOKEN' --> Response status: 400 Bad Request, ETag: null, body: '{"error":{"description":"Parameter CustomerID missing in body.","key":"missing_customerid","function":"Service"}}']
Michiel,

I get a return code 200. This is better.

Server returned HTTP response code 200

Response info:
Information from GET

Array ( [LrnDevEui] => 0059AC00001815BB [LrnFPort] => 1 [LrnInfos] => null [AS_ID] => yourcompany.developer [Time] => 2016-10-10T11:16:17.256

Information from POST
Array ( )
@Bjorn: good, seems ok.
@vidavidorra: this seems to me to be not a certificate error but an error from your server, because it checks a customer ID and does not encounter it in the test message. Please note that the test button actually sends a LoRa-like message to your server, but since no device is associated, many fields will be left empty or at NULL. If you catch the test message POST you will see this. I suspect your server rejects messages like these and nicely creates an error. Could this be the case?
I can successfully connect with a LetsEncrypt certificate to my backend and got a nice clean 200 back and verified that the POST did indeed return a valid response.

Thanks for looking into this, it really helped us!
marcel
@michieljol I've just tested it again, and it is indeed because our server is not able to find certain fields we are checking to verify the origin of the message. So this issue with certificates is now resolved (using AWS as backend).
Thanks for the help!
Hi, we are using a StartCom certificate and after testing it gets an A rating. However, in the Developer Portal I am getting an SSL error. Doing a tcpdump on the server does not reveal any interesting information except that the KPN server is saying HELO :)

Error in sending rest post to developer url https:///put, for device 0059AC0000180F00, payloadhex 000000. Error details: restservices.consume.RestConsumeException -1. Rest request failed: [HTTP Request: POST '/put?LrnDevEui=0059AC0000180F00&LrnFPort=1&LrnInfos=null&AS_ID=TentaclesInnovation.developer&Time=2016-11-28T16:19:57.891+01:00&Token=fd47c092163d0c79e214651facde780b065f8f63a041117d29f2d008eabdc455' --> Response status: -1 CONNECTION FAILED, ETag: null, body: 'javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target']
@michieljol The response on sending a 'test uplink' is:

Server returned HTTP response code -1

Response info:
Error in sending rest post to developer url https://url, for device x, payloadhex 000000. Error details: javax.net.ssl.SSLException hostname in certificate didn't match: != OR OR


Testing my SSL certification on ssllabs.com gives an overall rating A.

What does the response mean?
Hello @J.N.Mol, it looks like you're having a problem with the SNI settings. We are awaiting an update of our platform to support this. The workaround for now is that the certificate you're using for LoRa should be on top of the web service / chain.
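
Both the opening post (check that the certificate is installed and served over TLS 1.2 or higher on port 443) and the SNI problem in the last two replies come down to what a Java client sees when it connects. The program below is an added example written for this thread, not code from the post or from KPN's portal. It handshakes with your application server the way a default Java HTTPS client would, using the JVM's default trust store, and does so twice: once sending SNI with hostname verification on, and once with the SNI extension suppressed, which is how a client that does not support SNI looks to the server. The hostname as.example.org is a placeholder; covers() is a deliberately simplified form of RFC 6125 matching (exact name or single-label wildcard); the class and method names are mine.

```java
import java.net.InetSocketAddress;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Probes an application server the way a Java HTTPS client would:
 * default trust store, TLS 1.2 or newer, port 443. It connects twice,
 * with and without SNI, so you can see which certificate a client that
 * does not send the server_name extension is given.
 * Usage: java ServerCertCheck as.example.org
 */
public class ServerCertCheck {

    /** Result of one probe: negotiated protocol and the leaf certificate. */
    static final class Probe {
        final String protocol;
        final X509Certificate leaf;
        Probe(String protocol, X509Certificate leaf) { this.protocol = protocol; this.leaf = leaf; }
    }

    /**
     * Handshakes with host:443. withSni=false suppresses the SNI extension;
     * verifyHostname=true additionally enforces hostname matching, the check
     * behind "hostname in certificate didn't match". The chain is always
     * validated against the JVM's default trust store.
     */
    static Probe probe(String host, boolean withSni, boolean verifyHostname) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket sock = (SSLSocket) factory.createSocket()) {   // unconnected: set params first
            SSLParameters params = sock.getSSLParameters();
            List<String> modern = new ArrayList<>();                     // TLS 1.2 or higher only
            for (String p : sock.getSupportedProtocols()) {
                if (p.equals("TLSv1.2") || p.equals("TLSv1.3")) modern.add(p);
            }
            params.setProtocols(modern.toArray(new String[0]));
            params.setServerNames(withSni
                ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                : Collections.<SNIServerName>emptyList());             // empty list = no SNI sent
            params.setEndpointIdentificationAlgorithm(verifyHostname ? "HTTPS" : null);
            sock.setSSLParameters(params);
            sock.connect(new InetSocketAddress(host, 443), 10000);
            sock.setSoTimeout(10000);
            sock.startHandshake();
            X509Certificate leaf = (X509Certificate) sock.getSession().getPeerCertificates()[0];
            return new Probe(sock.getSession().getProtocol(), leaf);
        }
    }

    /** DNS names from the certificate's subjectAltName extension. */
    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() != null) {
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                if (Integer.valueOf(2).equals(san.get(0))) names.add((String) san.get(1)); // 2 = dNSName
            }
        }
        return names;
    }

    /** True if host is covered by one of the names (exact match or single-label wildcard). */
    static boolean covers(List<String> names, String host) {
        int dot = host.indexOf('.');
        for (String n : names) {
            if (n.equalsIgnoreCase(host)) return true;
            if (n.startsWith("*.") && dot > 0 && n.substring(2).equalsIgnoreCase(host.substring(dot + 1))) {
                return true;
            }
        }
        return false;
    }

    static void report(String label, String host, boolean withSni, boolean verifyHostname) {
        try {
            Probe p = probe(host, withSni, verifyHostname);
            List<String> names = dnsNames(p.leaf);
            System.out.printf("%s: %s, subject=%s%n  SANs=%s%n  covers %s: %s, expires %s%n",
                label, p.protocol, p.leaf.getSubjectX500Principal().getName(),
                names, host, covers(names, host), p.leaf.getNotAfter());
        } catch (Exception e) {
            // Typical failures: SSLHandshakeException "PKIX path building failed" (root not
            // in the trust store) or "No subject alternative DNS name matching ..." (wrong cert).
            System.out.printf("%s: FAILED: %s%n", label, e);
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "as.example.org";  // assumption: your AS hostname
        report("with SNI + hostname check", host, true, true);
        report("without SNI (default vhost)", host, false, false);
    }
}
```

If the second probe fails or returns a certificate whose SANs do not cover the host, a client that does not send SNI is being handed the default virtual host's certificate. That is the situation the workaround in the last reply addresses: make the LoRa virtual host the default one (in Apache the first VirtualHost for an address:port pair is the default; in nginx, mark the server block as default_server).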
