We have a family of applications that includes an exposed API. The HTTP security setting for that REST API was always SSL/TLS. We had a SAN SSL cert applied to the production environment from launch. The application was working properly for all users.
That cert was expiring, so we followed the renewal process here, and then created a solution and republished all the modules in the production environment. The REST API does not accept incoming requests now when the services the requests originate from require SSL certificate validation. The cloud database service our team uses throws up this error:
IPFilteringHTTPSConnectionPool(host='ourOutsystemsDomain.com', port=443): Max retries exceeded with url: /Portal_API/rest/API/NewDocReady (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:757)'),))
And Postman throws this error:
SSL Error: Unable to verify the first certificate
Are there any troubleshooting steps I should follow in Lifetime or Service Center to fix this? Did I do something wrong when renewing the SSL cert? Everything was validated on the platform before I was even able to apply it to our production environment.
The issue stemmed from a misreading or a lack of understanding on how to interpret this part of the above linked OutSystems docs:
Certificate Chain: The intermediate certificate trust chain. This field is optional, however, if the Certificate Authorities isn't already trusted on all browsers by default, this is mandatory.
An intermediate certificate was mandatory in our case, and it took us a while to figure that out. Further adding to the confusion though was that the process of creating a new domain certificate validated the certificate when that Certificate Chain field was empty, and when the incorrect certificate was included in that field. We were finally able to obtain an intermediate certificate, which from our issuer is not included by default, and all is working now.
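The failure described in this thread can be reproduced offline. The script below is an added example, not part of the original posts and not OutSystems code: it builds a constructed root, intermediate and leaf with the openssl CLI, then verifies the leaf the way a strict client does when the Certificate Chain field is empty, holds the wrong certificate, or holds the correct intermediate. All names (Demo Root CA, api.example.test, the file names) are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway CA hierarchy, valid for 2 days, no network needed.
# All names (Demo Root CA, api.example.test, file names) are assumptions for the demo.

new_csr() {  # $1 = file stem, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

make_chain() (  # $1 = empty working dir; builds root -> inter -> leaf plus an unrelated CA
  cd "$1" || exit 1
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  new_csr root 'Demo Root CA' && new_csr inter 'Demo Intermediate CA' &&
  new_csr other 'Unrelated CA' && new_csr leaf 'api.example.test' &&
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null &&
  openssl x509 -req -in other.csr -signkey other.key -extfile ca.ext \
    -days 2 -out other.pem 2>/dev/null &&
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
)

# Verify the leaf as a strict client does: only the root is trusted, and the only
# other material available is what the server sends ($2, the "Certificate Chain").
verify_leaf() {  # $1 = directory, $2 = chain file name, or empty for no chain
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
  fi >/dev/null 2>&1
}

demo_dir=$(mktemp -d) && make_chain "$demo_dir"
for chain in "" other.pem inter.pem; do
  verify_leaf "$demo_dir" "$chain" && result="verifies" || result="certificate verify failed"
  echo "Certificate Chain = ${chain:-<empty>}: $result"
done
rm -rf "$demo_dir"
```

Against a live endpoint, `openssl s_client -connect <host>:443 -showcerts </dev/null` lists the certificates the server actually sends, which shows whether the intermediate is being delivered alongside the leaf.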
Hi Daniel,
I'm not sure I quite understand. When connecting to a REST API via HTTPS, that REST API must have a valid certificate. However, you are talking about republishing the modules, which makes me believe there's some authentication going on based on a certificate that the client is sending?
If it's just the REST API's certificate we're talking about, try to access the URL via Chrome or another browser. It will likely throw the same type of certificate error, but via the dev tools you will be able to check the certificate, and see what's wrong.