SSL handshake failure for mTLS northbound connection with Apigee evaluation account
Hello,
I have set up an Apigee evaluation account. Within it I am using the default proxy endpoint (https://34.98.100.102.nip.io/hello-world) and target endpoint (https://mocktarget.apigee.net/user). I have entered the related XML elements to test mTLS. Here is a copy-paste of my config below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TargetEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request/>
        <Response/>
    </PreFlow>
    <Flows/>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <HTTPTargetConnection>
        <URL>https://mocktarget.apigee.net/user</URL>
        <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>ref://KS</KeyStore>
            <KeyAlias>ServerCertAndKey</KeyAlias>
            <TrustStore>ref://TS</TrustStore>
        </SSLInfo>
    </HTTPTargetConnection>
</TargetEndpoint>
To test mTLS, I plan to make a GET request to https://34.98.100.102.nip.io/hello-world via Postman.
Being a northbound connection, my understanding is the proxy endpoint is the server and Postman is the client. Thus using OpenSSL (specifically this link - https://blog.devolutions.net/2020/07/tutorial-how-to-generate-secure-self-signed-server-and-client-c...), I created certificates.
I created the CA key and certificate. When asked for details, I entered 'https://34.98.100.102.nip.io' as Common name.
Then I created the server key, server CSR and server certificate. This was followed by client key, client csr, client certificate.
The common name specified in both the server and client CSR is https://34.98.100.102.nip.io. Now in Apigee, I created 2 key stores. One key store has the server certificate (in .pem format) and key. The other key store I named TS for Trust Store. It only has the client certificate.
In Postman, in the certificates section, I added the server certificate (in .pem format) in the CA section, and the client certificate and key in the related section.
Now, when I do a GET on https://34.98.100.102.nip.io/hello-world, I get the following error:
{"fault":{"faultstring":"SSL Handshake failed sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","detail":{"errorcode":"messaging.adaptors.http.flow.SslHandshakeFailed"}}}
Can you please advise me on why I am getting this error and equally important is how to overcome this?
Could it be mTLS is not allowed for an evaluation account?
The OpenSSL page that I used to create the certificates indicated that the key is generated as a 256-bit private key over an elliptic curve, which is the industry standard. Could this be the issue? If so, is there another site that explains how to create certificates and keys for client and server?
Should the common name in the CSRs be different for CA, server and client? Should it be my apigee account hostname that is found here: https://apigee.google.com/organizations/orange-calm-234143/envgroups. It is something like this: orange-calm-234143-eval.apigee.net. I changed the hostname for privacy reasons.
Apigee team and users, your help would be greatly appreciated in my learning of Apigee. Please advise. Thank you.
I'm considering adding the following XML into the proxy endpoint section:
<SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>ref://KS</KeyStore>
    <KeyAlias>ServerCertAndKey</KeyAlias>
    <TrustStore>ref://TS</TrustStore>
</SSLInfo>
That won't work. In Apigee X you must follow the instructions I mentioned in the prior response ("In Apigee X, you can refer here for the steps to configure 2-way TLS on the inbound / northbound connection.").
As mentioned in that article, Apigee will not act as the TLS termination point in this case. So you will not configure keys and certs in Apigee for this purpose. Check the article for full details.