Dears,
I hope you are doing well.
I am facing an issue in the <HTTPTargetConnection> configurations.
If I set the URL to HTTP within <SSLInfo>, it will work fine, but if I set it to https, it shows me the above error,
and if I remove the <SSLInfo> tag and use https, it will work fine.
Are there any support recommendations or configuration issues on the server level?
Best Regards
Amer Hijazi
Hey @Amer-Hijazi, you have a typo in the Enabled tag. Apigee doesn't recognize <Enable>true</Enable> and tries to configure the target endpoint without SSL enabled, but at the same time, it sees that you have https specified in the URL. Such inconsistency prevents the proxy from being deployed.
Additionally: If you run your proxy through apigeelint, it would have flagged that problem for you.
Dear @nmarkevich,
You are right, I noted it, thanks.
Why does such an error appear? Is it related to the target server certificate?
Also, what if the target won't change his certificate? How can I bypass this error?
{"fault":{"faultstring":"SSL Handshake failed java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: EMAILADDRESS=************, CN=TCC, OU=DS, O=TCC, C=SA","detail":{"errorcode":"messaging.adaptors.http.flow.SslHandshakeFailed"}}}
Thank you
Seems like your Apigee is configured to accept RSA keys of minimum size 2048 bits, and the upstream / target system is presenting a cert that uses an RSA key of 1024 bits. So you need to connect with your target. From the error message it's really clear which cert it is. You can contact the person at the email address to discuss the solution.
If you need complete details you can use openssl to interrogate the target endpoint and see the specific keys + certs.
One option to solve this is to reconfigure Apigee to accept lower-strength keys. I would never recommend that, because reducing security seems like a bad idea.
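The openssl check suggested in the reply above, as an added example (not code from the thread or from Apigee): it lists the key algorithm and size of every certificate the target presents and flags RSA keys below the 2048-bit minimum quoted in the reply. The hostname target.example.com, the script name and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: report the public-key size of every certificate a TLS target presents.
# Usage: sh keysize.sh target.example.com 443   (hostname is a placeholder)

MIN_RSA_BITS=2048   # minimum RSA size the reply says this Apigee accepts

# Print the text form of each certificate the server sends in its handshake.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
    openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
    openssl pkcs7 -print_certs -text -noout
}

# Read that text on stdin; print "algorithm<TAB>bits<TAB>status<TAB>subject" per cert.
# Only RSA keys are held to MIN_RSA_BITS, so a 256-bit EC key is not flagged.
report_key_sizes() {
  awk -v min="$MIN_RSA_BITS" '
    /^ *Subject: /          { subj = $0; sub(/^ *Subject: /, "", subj) }
    /Public Key Algorithm:/ { alg = $NF }
    /Public-Key: \(/ {
      bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
      status = (alg == "rsaEncryption" && bits + 0 < min + 0) ? "WEAK" : "ok"
      printf "%s\t%s\t%s\t%s\n", alg, bits, status, subj
    }'
}

# Run against a live target only when a hostname is given on the command line.
if [ "$#" -ge 1 ]; then
  fetch_chain "$1" "${2:-443}" | report_key_sizes
fi
```

Any line marked WEAK identifies the certificate whose owner needs to reissue it with a 2048-bit or larger RSA key.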