Cert Error for Apigee hosted endpoint

Hi - 

We are getting the following error in Postman. Any ideas on what might be happening? Yes, I can disable the SSL certificate, but I do not really want to tell our customers that. So what do I need to do to make this work for our customers seamlessly on Apigee/server side?


BTW, our cert analysis says incomplete. I would appreciate it if someone could advise on what we need to do there and whether that can help fix the issue.

https://www.ssllabs.com/ssltest/analyze.html?d=api.trestleiq.com

Kushal. 

1 REPLY

Can you please provide more information? Is it one-way TLS or mutual TLS?
A few things to make sure you are doing correctly. Wasn't too impressed by the SSL test -- not an impressive rating.

Maybe the proper chain isn't provided during the virtual host setup and it looks broken.

0. Create/upload the key + certificate chain properly to the platform in the TLS keystore.
1. Create/upload certs to the trust store.
2. Create proper references for the keystore & trust store and map them appropriately.

3. Always allow only >TLS 1.2 (configurable in the virtual host)
e.g.:
<Property name="ssl_protocols">TLSv1.2</Property>

4. Restrict poor ciphers & enable strong ciphers (if possible)
e.g.:
<Property name="ssl_ciphers">ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256</Property>

All these you can do in VH properties - https://docs.apigee.com/api-platform/fundamentals/virtual-hosts

Mutual TLS:

Example:

<VirtualHost name="ssl">
  <Port>443</Port>
  <HostAliases>
    <HostAlias>api.trestleiq.com</HostAlias>
  </HostAliases>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>ref://trestleiq-ks-ref</KeyStore>
    <KeyAlias>trestleiq</KeyAlias>
    <TrustStore>ref://trestleiq-ts-ref</TrustStore>
  </SSLInfo>
  <PropagateTLSInformation>
    <!-- PropagateTLSInformation is Alpha in the Cloud only -->
    <!-- <ConnectionProperties>true</ConnectionProperties>
    <ClientProperties>true</ClientProperties> -->
  </PropagateTLSInformation>
  <Properties>
    <!-- ssl_protocols is Private Cloud only -->
    <Property name="ssl_protocols">TLSv1.2</Property>
    <Property name="ssl_ciphers">ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256</Property>
  </Properties>
</VirtualHost>

Just for awareness - bedtime read on TLS 1.3 🙂

https://www.rfc-editor.org/rfc/rfc8446

Good luck.
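Step 0 in the reply above is where an "incomplete chain" rating usually comes from: the keystore holds only the leaf certificate, so clients never receive the intermediate and cannot build a path to a root they trust. The script below is an added example, not code from this thread or from Apigee; it builds a throw-away root/intermediate/leaf PKI with the openssl CLI (assumed installed; every name and CN is constructed) and checks which keystore bundle a client that trusts only the root can validate, the same check worth running on a PEM bundle before uploading it.

```shell
#!/bin/sh
# Added example: reproduce an incomplete-chain failure offline and show that
# bundling the intermediate with the leaf fixes it. Assumes `openssl` is on PATH.
set -eu
WORK=""
trap 'rm -rf "${WORK:-}"' EXIT

# Build a constructed three-tier PKI in $WORK (EC keys, so it runs quickly).
build_test_pki() {
  WORK=$(mktemp -d)
  ext="$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$ext"
  key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  # Root CA: the only certificate the simulated client trusts.
  openssl req $key -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Constructed Test Root" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 -extfile "$ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req $key -keyout "$WORK/inter.key" -out "$WORK/inter.csr" -subj "/CN=Constructed Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial -days 1 -extfile "$ext" -out "$WORK/inter.pem" 2>/dev/null
  # Leaf (server) certificate, signed by the intermediate.
  openssl req $key -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=api.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
  # Two candidate keystore bundles: leaf only (broken) vs leaf + intermediate (what step 0 asks for).
  cp "$WORK/leaf.pem" "$WORK/bundle_leaf_only.pem"
  cat "$WORK/leaf.pem" "$WORK/inter.pem" >"$WORK/bundle_with_chain.pem"
}

# Exit 0 when a client that trusts only ROOT can build a path to LEAF using the
# extra certificates in BUNDLE (what the server would present), 1 otherwise.
chain_complete() {
  leaf=$1; root=$2; bundle=$3
  openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
}

build_test_pki
for b in bundle_leaf_only bundle_with_chain; do
  if chain_complete "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/$b.pem"; then
    echo "$b: chain complete"
  else
    echo "$b: INCOMPLETE chain (clients would report a certificate error)"
  fi
done
```

The same `openssl verify -CAfile <root> -untrusted <bundle> <leaf>` check works on a real keystore PEM: if it only passes when you add the intermediate by hand, the uploaded bundle is missing it.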