
I configured APIM with the built-in Identity Server inside a Kubernetes cluster. Everything was working fine, but recently we got an error related to an expired certificate:

2021-07-29 14:30:35,308 INFO [wso2/gateway/src/gateway/utils] - [APIGatewayListener] [-] HTTP listener is active on port 9090
[ballerina/http] started HTTPS/WSS listener 0.0.0.0:9095
2021-07-29 14:30:35,310 INFO [wso2/gateway/src/gateway/utils] - [APIGatewayListener] [-] HTTPS listener is active on port 9095
2021-07-29 14:31:31,816 INFO [wso2/gateway/src/gateway/utils] - [NotificationEventListener] [-] Recieved event with type : SUBSCRIPTIONS_CREATE
2021-07-29 14:31:59,940 ERROR [ballerina/jwt] - Public key certificate validity period has passed.
2021-07-29 14:31:59,943 ERROR [ballerina/jwt] - JWT validation failed. : error {ballerina/jwt}Error message=Public key certificate validity period has passed.
2021-07-29 14:31:59,945 ERROR [wso2/gateway/src/gateway/utils] - Failed to authenticate with jwt auth provider. : error {ballerina/auth}Error message=JWT validation failed. cause=error {ballerina/jwt}Error message=Public key certificate validity period has passed.

Configmap to deploy certificate

After that I got another error, this time about signature validation failing:

2021-07-29 19:16:42,517 ERROR [ballerina/jwt] - JWT signature validation has failed.
2021-07-29 19:16:42,517 ERROR [ballerina/jwt] - JWT validation failed. : error {ballerina/jwt}Error message=JWT signature validation has failed.
2021-07-29 19:16:42,518 ERROR [wso2/gateway/src/gateway/utils] - Failed to authenticate with jwt auth provider. : error {ballerina/auth}Error message=JWT validation failed. cause=error {ballerina/jwt}Error message=JWT signature validation has failed.

I guess I need to add this new cert to some part of APIM, or probably need to add it to the keystore. Can you help here please?

GeorgiiG
  • I believe that you are using the Access Tokens generated by the API Manager in the MGW to access the APIs, and correct me if wrong. In such a case, you need to export the Public cert of the Primary Keystore of the API Manager and add it to the truststore of the MGW. The MGW was not able to validate the JWT token due to expired certs. Therefore, you have to update the certs accordingly in the servers to overcome the behavior. Can you also share the version of APIM and MGW that you are using? – Athiththan Aug 02 '21 at 09:48
  • Hi Athiththan. Thanks for your reply. I'm using WSO2-AM 5.2.0. You are right about JWT. I was able to find wso2carbon.jks and client-truststore.jks inside the APIM pod at /home/wso2carbon/wso2am-3.2.0/repository/resources/security. Both have wso2carbon certificates which are expired. 1) Added certificate from cert-manager to the MGW controller configmap as I mentioned above 2) Decoded certificate from base64 format to a .pem file 3) Mounted the .pem as a shared file to the pod 4) Added this certificate to both existing keystores with the wso2carbon alias. The provided actions didn't help me. Did I miss something? – GeorgiiG Aug 02 '21 at 10:14
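An added diagnostic (not from the question, the comments or WSO2) for the two errors above: it decodes the token's header, checks `exp`, and compares the `x5t`/`kid` thumbprint with the certificate sitting in the MGW truststore, so you can tell an expired token from a truststore cert that simply is not the one APIM signs with. The sample certificates and token are constructed, and the hex-then-base64url thumbprint variant is an assumption about some WSO2 releases.

```python
import base64
import hashlib
import json
import ssl

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_jwt(token):
    """Return (header, payload) of a JWT; the signature is deliberately not checked here."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def cert_thumbprints(pem):
    """SHA-1 thumbprints of a PEM cert: 'rfc7515' = base64url(sha1(DER)) as JWS defines
    x5t; 'hex_b64url' = base64url(hex(sha1(DER))), a variant some WSO2 releases emit
    (an assumption here; compare with the header of a token your APIM really issued)."""
    digest = hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).digest()
    return {"rfc7515": _b64url_encode(digest), "hex_b64url": _b64url_encode(digest.hex().encode())}

def diagnose(token, truststore_pem, now):
    """List reasons a gateway would reject `token` when trusting only `truststore_pem`."""
    header, payload = decode_jwt(token)
    findings = []
    if payload.get("exp", now + 1) <= now:
        findings.append("token expired")
    referenced = header.get("x5t") or header.get("kid")
    if referenced is None:
        findings.append("no x5t/kid in header")
    elif referenced not in cert_thumbprints(truststore_pem).values():
        findings.append("truststore cert does not match the signing cert the token references")
    return findings

# Constructed inputs: the PEM bodies are base64 of placeholder bytes, not real certificates,
# which suffices here because a thumbprint is only a hash of the DER bytes.
def _fake_pem(body):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(body).decode()

SIGNING_PEM = _fake_pem(b"constructed stand-in: APIM primary keystore (wso2carbon) cert")
TRUSTSTORE_PEM = _fake_pem(b"constructed stand-in: cert-manager cert placed in MGW truststore")

def sample_token():
    """Unsigned token whose x5t references SIGNING_PEM, the way APIM would issue it."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "RS256", "typ": "JWT", "x5t": cert_thumbprints(SIGNING_PEM)["rfc7515"]}
    return "%s.%s." % (enc(header), enc({"sub": "admin", "exp": 1627590000}))
```

Run it against a real token and the PEM exported from the truststore (`keytool -exportcert -rfc`); an empty list from `diagnose` means the cert you installed is the one the token references, so the problem lies elsewhere.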

0 Answers