We are using WSO2 integrator 6.4. To be able to connect to 3rd party HTTPS servers, we need to add the server's certificate to client-truststore.jks. A lot of servers now use certificates from https://letsencrypt.org with a 3 month TTL. That means we must renew certificates every three months for every 3rd party server in our environment, otherwise we get an "Error in Sender" error. Is there a way to disable certificate checking in WSO2 EI at all? Or maybe it is possible to make some automatic scenario to renew certificates in client-truststore.jks? Or can we check certificates in client-truststore.jks inside WSO2 EI itself and send warnings before expiration?
A few basics on TLS trust.
When you have explicit trust, you trust individual certificates (often done for self-signed certificates). Indeed this approach creates significant management overhead, mainly when onboarding or offboarding service hosts or with short-lived certificates.
For TLS (SSL), implicit trust is used: your application trusts a list of (long-lasting) issuers, the certificate authorities (CAs). Even the list of CA certificates changes over time, so some manual management may be necessary anyway.
Is there a way to disable certificate checking in WSO2 EI at all?
Yes, there is (in axis2.xml), but that lowers the security and the traffic would be vulnerable to a man-in-the-middle attack.
We solved this issue by adding only root CA certificates of letsencrypt to client-truststore.jks.
Yes, this is the correct approach. If you have a closed environment (not able to access the internet), you may need to add the whole certificate chain (root and intermediate signing certificates).
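The two operational pieces discussed in this thread, importing the issuer's root CA once instead of each server certificate, and warning before anything in client-truststore.jks expires, as an added shell example (not from the question, the answer, or WSO2 itself). It assumes `keytool` on PATH, GNU `date -d`, the truststore path under `repository/resources/security/`, and `wso2carbon` as the store password (the usual WSO2 default; adjust both via the environment variables). The `parse_keytool_listing`, `days_until_expiry` and `expiry_status` helpers are pure text/date processing and can be exercised on the constructed sample listing in the usage note without a live truststore.

```shell
#!/bin/sh
# Added example: audit and maintain a WSO2 EI client-truststore.jks with keytool.
# Assumptions (not from the thread): keytool on PATH, GNU date -d, and the
# path/password defaults below (override with environment variables).
TRUSTSTORE="${TRUSTSTORE:-repository/resources/security/client-truststore.jks}"
STOREPASS="${STOREPASS:-wso2carbon}"   # assumed WSO2 default; change for your deployment
WARN_DAYS="${WARN_DAYS:-30}"           # warn this many days before "until:"

# Read "keytool -list -v" output on stdin; emit one "alias|notAfter" line per entry.
# keytool prints "Valid from: <date> until: <date>" for every entry.
parse_keytool_listing() {
    awk -F': ' '
        /^Alias name:/ { alias = $2 }
        /^Valid from:/ { sub(/.* until: /, ""); print alias "|" $0 }
    '
}

# Whole days from $2 (epoch seconds, default now) until the keytool date in $1.
# Negative means already expired; floors so "expired 12h ago" reports -1.
days_until_expiry() {
    exp=$(date -u -d "$1" +%s) || return 1
    now=${2:-$(date -u +%s)}
    diff=$((exp - now))
    if [ "$diff" -lt 0 ]; then
        echo $(( -((-diff + 86399) / 86400) ))
    else
        echo $(( diff / 86400 ))
    fi
}

# Classify $1 (days) against the warning threshold $2.
expiry_status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -le "$2" ]; then echo WARN
    else echo OK
    fi
}

# Walk the live truststore and print "STATUS days alias" per entry.
# Returns 0 only when every entry is OK, so it can drive a cron/monitoring alert.
check_truststore() {
    report=$(keytool -list -v -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        | parse_keytool_listing \
        | while IFS='|' read -r alias notafter; do
              days=$(days_until_expiry "$notafter")
              printf '%s %s %s\n' "$(expiry_status "$days" "$WARN_DAYS")" "$days" "$alias"
          done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -qv '^OK '
}

# Trust the issuer, not each leaf: import one CA root (alias $1, PEM/DER file $2).
# For an offline environment import the intermediates the same way, as the answer notes.
add_root_ca() {
    keytool -importcert -trustcacerts -noprompt -alias "$1" -file "$2" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Usage: sh truststore-audit.sh check | sh truststore-audit.sh add <alias> <cert-file>
case "${1:-}" in
    check) check_truststore ;;
    add)   add_root_ca "$2" "$3" ;;
esac
```

Run `sh truststore-audit.sh check` from the EI home directory (or from cron with a mail-on-failure wrapper); a non-zero exit means at least one entry is expired or within the warning window. Because the Let's Encrypt leaves rotate every three months but their root does not, `add` with the root CA file replaces the per-server renewals described in the question; the check then only needs to catch the rare root or intermediate rollover.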