
I am using WSO2 API Manager and Keycloak servers for the API gateway and user authentication. Both are running on OpenShift 3.11. In the browser, while trying to redirect to a store page on WSO2 APIM, I am getting the error below. I am also using a self-signed certificate, generated using keytool, for both servers, and it is also imported into the JVM cacerts of each. The OpenJDK version is 1.8.

ERROR - WebAppManager org.mozilla.javascript.WrappedException: Wrapped javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (/store/jagg/jaggery_oidc_acs.jag#39)

I am also getting "fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown" in the SSL logs (SSL trace below).

WSO2 API Manager server logs:
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -779209738 bytes = { 34, 29, 203, 199, 214, 88, 147, 174, 199, 184, 79, 68, 86, 150, 221, 45, 65, 169, 84, 10, 255, 155, 151, 74, 102, 245, 103, 39 }
Session ID:  {42, 139, 29, 172, 52, 46, 203, 207, 29, 65, 141, 230, 125, 206, 41, 206, 87, 139, 101, 118, 40, 54, 120, 240, 148, 225, 222, 95, 130, 19, 238, 225}
Cipher Suites: [Unknown 0xa:0xa, Unknown 0x13:0x1, Unknown 0x13:0x2, Unknown 0x13:0x3, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_43690, data: 
Extension server_name, server_name: [type=host_name (0), value=wso2carbon-customwso2.10.100.90.136.nip.io]
Unsupported extension type_23, data: 
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {unknown curve 10794, unknown curve 29, secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Extension signature_algorithms, signature_algorithms: SHA256withECDSA, Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown (hash:0x8, signature:0x5), SHA384withRSA, Unknown (hash:0x8, signature:0x6), SHA512withRSA, SHA1withRSA
Unsupported extension type_18, data: 
Unsupported extension type_51, data: 00:29:2a:2a:00:01:00:00:1d:00:20:99:11:79:8f:3e:ca:9d:37:55:00:cf:54:3b:23:10:b1:71:93:92:06:81:ee:0f:b8:53:6e:e2:bf:23:b2:35:4e
Unsupported extension type_45, data: 01:01
Unsupported extension type_43, data: 0a:4a:4a:03:04:03:03:03:02:03:01
Unsupported extension type_27, data: 02:00:02
Unsupported extension type_47802, data: 00
Unsupported extension type_21, data: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
***
%% Initialized:  [Session-11, SSL_NULL_WITH_NULL_NULL]
%% Negotiating:  [Session-11, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1558345095 bytes = { 0, 101, 202, 146, 210, 87, 107, 127, 247, 125, 156, 64, 134, 222, 141, 197, 11, 134, 90, 77, 183, 201, 188, 129, 108, 229, 69, 60 }
Session ID:  {93, 226, 118, 135, 111, 45, 217, 124, 93, 2, 72, 71, 38, 116, 139, 207, 16, 91, 42, 171, 119, 141, 227, 122, 189, 253, 147, 133, 229, 78, 153, 32}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=wso2carbon-customwso2.10.100.90.136.nip.io, OU=Support, O=WSO2, L=Colombo, ST=Western, C=LK
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  modulus: 24093749320119526217646893112163833209990474156688526832095621197039887367241482686643283752190553598539694041780318444455437473717327292475492934518259361370685860893170612648201871219684080088211608067291176086279564665228754086702863628019875085423939062501065434105176143021495735869756161068709421567662413327234744251786230141003775511653021592979156235418584147136970244449197736325946516688826096049982279922898011020940527605742056019219863317365450049812143562126732358220198845931195726312193213776283582315871213628750612092393628809426922961515763709022778700015014889582902887232786822789004520865673971
  public exponent: 65537
  Validity: [From: Fri Nov 29 07:02:23 UTC 2019,
               To: Mon Nov 26 07:02:23 UTC 2029]
  Issuer: CN=wso2carbon-customwso2.10.100.90.136.nip.io, OU=Support, O=WSO2, L=Colombo, ST=Western, C=LK
  SerialNumber: [    24b1e8e1]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D0 AC 4E 4A 58 57 29 25   C2 C4 0B 1A AD 3E 66 2E  ..NJXW)%.....>f.
0010: C1 8A EC 66                                        ...f
]
]
]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 1D 01 81 69 ED BF F6 10   F6 17 D4 F2 87 63 D5 A2  ...i.........c..
0010: 12 CF 1A 09 ED FA E5 E3   24 18 03 FF E0 3B 0C A5  ........$....;..
0020: 31 0C D8 4B C5 FB 61 10   61 F5 42 71 E3 52 2F 70  1..K..a.a.Bq.R/p
0030: 97 B8 1F 61 96 0C 5F DB   BA B5 A2 DF 42 79 E3 BA  ...a.._.....By..
0040: 3C A8 C0 9C A5 8C 70 F9   51 46 36 39 D6 5A AA D7  <.....p.QF69.Z..
0050: 6E DD F0 35 E0 D0 FC AA   78 C2 57 4D BC E8 B1 FB  n..5....x.WM....
0060: FF 03 C5 39 5B 06 8C FC   6F DA 42 B4 13 7D A9 14  ...9[...o.B.....
0070: 7B D2 5F A0 29 28 52 78   D8 F7 E7 2E 26 78 1C 4F  .._.)(Rx....&x.O
0080: 16 A8 6B 02 3B FA 40 F2   4B AD 03 7D D0 9A F9 94  ..k.;.@.K.......
0090: 7E A9 48 D4 B6 58 A9 61   4E F0 CF 9A B5 77 8C B7  ..H..X.aN....w..
00A0: 74 76 FF 24 F2 B5 98 EE   70 1E 04 48 6F 54 1B EC  tv.$....p..HoT..
00B0: 98 B8 7B B0 58 F3 11 F5   FB 2B 39 5C 3E 78 83 E5  ....X....+9\>x..
00C0: 86 2A 4A 83 D6 4C 8D 08   54 43 C3 57 5F C1 27 9A  .*J..L..TC.W_.'.
00D0: 31 E8 77 A9 0B 2B F3 25   CB 7A 30 CF 45 CA 80 2A  1.w..+.%.z0.E..*
00E0: 4A C2 AC 5C 79 8F 25 70   E8 20 11 FC B5 BC 3E 1D  J..\y.%p. ....>.
00F0: B4 B3 69 5D F9 2E 5C 83   AB 8F C3 1C A7 B1 5F F0  ..i]..\......._.
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 30783140126565731034039954914815296826962617090801880033831456830219573014758
  public y coord: 112055812426524440654969792257542967866103028528061549518876777480127240144881
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
http-nio-9443-exec-17, WRITE: TLSv1.2 Handshake, length = 1375
http-nio-9443-exec-19, READ: TLSv1.2 Alert, length = 2
http-nio-9443-exec-19, RECV TLSv1.2 ALERT:  fatal, certificate_unknown
http-nio-9443-exec-19, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
http-nio-9443-exec-19, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
http-nio-9443-exec-19, called closeOutbound()
http-nio-9443-exec-19, closeOutboundInternal()
http-nio-9443-exec-19, SEND TLSv1.2 ALERT:  warning, description = close_notify
http-nio-9443-exec-19, WRITE: TLSv1.2 Alert, length = 2
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Sureshkumar Menon

1 Answer


Are you sure that you are importing the right certificate? It seems that you are importing the wrong one, or you are not using the cacerts that you think you are.

Please check both.
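The answer's two checks (is the certificate that was imported the one the server actually presents, and is the trust store that was modified the one the failing JVM reads) can be done in one small diagnostic. The following program is an added example written for this page; it is not code from the question, the answer, WSO2 or Keycloak. It connects to a TLS endpoint, records the chain the server sends without validating it, looks each certificate up in a given trust store by exact DER match and prints its SHA-256 fingerprint, and then repeats the handshake with validation enabled against that same trust store so the result is the same "PKIX path building failed" that WSO2 logs, or success. The host name, port and trust store path in the usage comment are assumptions taken from the question; on JDK 8 the default trust store is $JAVA_HOME/jre/lib/security/cacerts with the default password changeit, but a JVM started with -Djavax.net.ssl.trustStore reads that file instead, and the file that matters is the one read by the JVM that logs the exception, not necessarily the one keytool was pointed at on the build host.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnostic for "PKIX path building failed": show the chain a TLS server
 * really presents, look each certificate up in a trust store, then run a
 * validated handshake against exactly that trust store.
 *
 * Example invocation (host, port and path are assumptions for this page):
 *   java TrustCheck wso2carbon-customwso2.10.100.90.136.nip.io 9443 \
 *        $JAVA_HOME/jre/lib/security/cacerts changeit
 */
public class TrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java TrustCheck <host> <port> <truststore> [password]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] password = (args.length > 3 ? args[3] : "changeit").toCharArray();

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[2])) {
            ts.load(in, password);
        }
        System.out.println("Trust store " + args[2] + ": " + ts.size() + " entries");

        // Check 1: what does the server actually send, and is each cert in the store?
        X509Certificate[] chain = fetchPresentedChain(host, port);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            String alias = ts.getCertificateAlias(c); // exact match on the DER encoding
            System.out.printf("chain[%d] subject : %s%n", i, c.getSubjectX500Principal());
            System.out.printf("         issuer  : %s%n", c.getIssuerX500Principal());
            System.out.printf("         sha256  : %s%n", sha256(c));
            System.out.printf("         in store: %s%n",
                    alias == null ? "NO" : "yes (alias '" + alias + "')");
        }

        // Check 2: does the PKIX builder accept the chain with this trust store?
        try {
            validatedHandshake(host, port, ts);
            System.out.println("Validated handshake OK: a certification path exists");
        } catch (SSLHandshakeException e) {
            System.out.println("Validated handshake FAILED: " + e.getMessage());
        }
    }

    /** Handshake with a recording trust manager. Diagnostic only: it accepts
     *  any chain, so this context must never be reused for real traffic. */
    static X509Certificate[] fetchPresentedChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { seen[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return seen[0] == null ? new X509Certificate[0] : seen[0];
    }

    /** Handshake that trusts only the supplied store, with hostname checking on. */
    static void validatedHandshake(String host, int port, KeyStore ts) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // name in cert must match host
            s.setSSLParameters(p);
            s.startHandshake();
        }
    }

    /** Colon-separated SHA-256 fingerprint, the form keytool -list -v prints. */
    static String sha256(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
}
```

Run it with the JVM that runs WSO2 (inside the container on OpenShift, not on the workstation where keytool was used), against the host the failing Jaggery page was calling. If "in store" is NO for the self-signed leaf while keytool -list shows the alias elsewhere, the wrong cacerts was modified; if it is yes but the validated handshake still fails, compare the printed fingerprint with the one keytool reports for the imported alias, since a regenerated key pair produces a different certificate with the same subject. The second check turns on HTTPS endpoint identification, so a certificate whose CN or SAN does not match the host name the client uses will also fail there, which is worth knowing before comparing with WSO2's own behaviour.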