  • Latest Post - ‏2014-01-16T16:39:17Z by jgstew
MattPeterson
17 Posts

Pinned topic REST API Certificate error

‏2013-12-18T17:25:04Z |

Every time I access the REST API from IE I receive a certificate error.  Even if I choose to download the certificate presented by the site, I continue to get the errors.  I've been able to import our own signed certificate for Web Reports, but REST API seems to create its own certificate.  Has anyone else had issues with this?  What are my options to avoid the certificate errors?

  • jgstew
    52 Posts

    Re: REST API Certificate error

    ‏2013-12-19T00:45:42Z  

    I use CURL and there is a command line option to ignore certificate errors.

     

    This does bring up the question, can you install a valid signed SSL certificate for the root server, so that it would not have this error?

  • MattPeterson
    17 Posts

    Re: REST API Certificate error

    ‏2013-12-19T14:27:38Z  

    James,

    I guess that is what I would like to do.  Like I said I followed the process to import a signed certificate for the web reports server, how can I do the same for the REST API?

  • jgstew
    52 Posts

    Re: REST API Certificate error

    ‏2013-12-19T17:19:44Z  

    That's exactly what I am asking as well, I have no idea how to do it. Hoping someone from IBM will chime in.

  • DanielHwang
    2 Posts

    Re: REST API Certificate error

    ‏2014-01-06T22:20:39Z  

    > This does bring up the question, can you install a valid signed SSL certificate for the root server, so that it would not have this error?

    This error message isn't a Root Server error. Rather, the client, in your case Internet Explorer, cannot verify the SSL certificate. If you add the Root Server's SSL certificate to the list of trusted certificates on Internet Explorer, you would no longer see this error message.

    > how can I do the same for the REST API?

    The REST API is accessible via HTTP. The IEM command line tool we provide is simply a thin wrapper to the cURL command line tool. Currently, that tool does not have a built-in trusted certificate store.

    As jgstew mentions, you could use the cURL command line tool with the option -k/--insecure. See http://curl.haxx.se/docs/sslcerts.html for more details.

  • jgstew
    52 Posts

    Re: REST API Certificate error

    ‏2014-01-13T15:00:47Z  

    > This error message isn't a Root Server error. Rather, the client, in your case Internet Explorer, cannot verify the SSL certificate. If you add the Root Server's SSL certificate to the list of trusted certificates on Internet Explorer, you would no longer see this error message.

     

    This is incorrect. The issue is the Root Server's SSL cert is not validly signed so it is rejected by default by all HTTP clients that validate SSL, as they should.

    Telling an HTTP client to skip SSL validation or to install an unsigned SSL cert into every single client's certificate store so that it appears to be valid is not a solution, it is a very poor workaround.

    The solution is for the Root Server's SSL certificate to be valid in the first place. How do you install a validly signed SSL cert for IEMserver.organization.tld so that the Root Server's SSL cert is not rejected?   This is the question we are asking to solve the problem, not how to get around the problem.

     

  • DanielHwang
    2 Posts

    Re: REST API Certificate error

    ‏2014-01-15T23:10:17Z  

    >This is incorrect. The issue is the Root Server's SSL cert is not validly signed so it is rejected by default by all HTTP clients that validate SSL, as they should.

    Yes, it is rejected because the Root Server's SSL certificate is not a part of the client's trusted certificate chain. Unless specified, the Root Server uses a self-signed SSL certificate that is not a part of either Internet Explorer's or cURL's default trusted certificate chain.

    You can specify a different SSL certificate using the following client settings:

    _BESRelay_HTTPServer_SSLCertificateFilePath, with value as the path to the SSL certificate

    _BESRelay_HTTPServer_UseSSLFlag, with value 1

  • jgstew
    52 Posts

    Re: REST API Certificate error

    ‏2014-01-16T16:39:17Z  

    Thanks, this is what I was looking for.
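
Added example (not part of the original thread and not IBM's tooling): the three outcomes the posters discuss, reproduced offline with `openssl`. All keys, certificates, the "Example Org CA" name and the helper function names are constructed for the demonstration; the host name is the thread's own placeholder.

```shell
#!/bin/sh
# Constructed demo: every key and certificate here is generated locally and is throwaway.
HOST="IEMserver.organization.tld"   # placeholder host name used in the thread

# make_certs DIR: write a self-signed server cert, a private CA, and a CA-signed server cert.
make_certs() {
    d=$1
    # Self-signed server certificate, like the default one described in the thread.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
    # Private CA standing in for the organisation's signing authority (assumption).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Org CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server certificate for the same host name, signed by that CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$d/signed.key" -out "$d/signed.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/signed.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/signed.pem" 2>/dev/null || return 1
}

# is_self_signed CERT: succeeds when the certificate's subject and issuer are the same name.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer) || return 2
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# trusted_by CAFILE CERT: succeeds when CERT chains to a certificate in CAFILE.
# This is the check a validating client performs; CAFILE plays the role of its trust store.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

DEMO_DIR=$(mktemp -d) && make_certs "$DEMO_DIR" || exit 1
for c in self signed; do
    is_self_signed "$DEMO_DIR/$c.pem" && kind="self-signed" || kind="CA-signed"
    trusted_by "$DEMO_DIR/ca.pem" "$DEMO_DIR/$c.pem" && r=accepted || r=rejected
    echo "$c.pem ($kind): $r by a client that trusts only the CA"
done
# Trusting the self-signed certificate itself, as curl does with --cacert self.pem:
trusted_by "$DEMO_DIR/self.pem" "$DEMO_DIR/self.pem" \
    && echo "self.pem: accepted only by clients given that exact certificate"
```

Unlike `-k/--insecure`, both accepted cases keep chain validation switched on; they differ only in whether each client must be handed the server's own certificate or already trusts the CA that signed it.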