Search code examples
ssl-certificatedocker-machineclient-certificateswso2-identity-server

WSO2-IS 5.11.0 - Client SCIM - Received fatal alert: certificate_unknown

I'm trying to make a request to create a new user in WSO2 Identity Server but I can't connect to the api:

javax.net.ssl|ALL|A9|https-jsse-nio-9443-exec-5|2021-06-02 11:37:20.318 GMT|X509Authentication.java:264|No X.509 cert selected for EC
javax.net.ssl|ALL|A9|https-jsse-nio-9443-exec-5|2021-06-02 11:37:20.318 GMT|X509Authentication.java:264|No X.509 cert selected for EC
javax.net.ssl|DEBUG|AB|https-jsse-nio-9443-exec-7|2021-06-02 11:37:20.408 GMT|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "certificate_unknown"
}
)
javax.net.ssl|ERROR|AB|https-jsse-nio-9443-exec-7|2021-06-02 11:37:20.410 GMT|TransportContext.java:342|Fatal (CERTIFICATE_UNKNOWN): Received fatal alert: certificate_unknown (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:337)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:186)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:499)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:238)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1568)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)}

)

I've already imported my certificate in client-truststore.jks.

Steps:

1-) keytool -genkey -alias custom -keyalg RSA -keysize 2048 -keystore custom.jks -dname "CN=<"wso2-is-ip">, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon

2-) keytool -export -alias custom -keystore custom.jks -file custom.pem

3-) Import certificate in /wso2is-5.11.0/repository/resources/security/
keytool -import -alias custom -file custom.pem -keystore client-truststore.jks -storepass wso2carbon

4-) Check if was imported:
keytool -list -v -keystore client-truststore.jks -alias custom -storepass wso2carbon -keypass wso2carbon

Java application:

protected void setKeyStore() {
    System.setProperty("javax.net.ssl.trustStore", "custom.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");
    System.setProperty("javax.net.ssl.trustStoreType", "JKS");
}

protected void submit(HttpMethodBase method) throws IOException {
    HttpClient httpUpdateClient = new HttpClient();
        // **************************Erro SSL*******************************
    int responseStatus = httpUpdateClient.executeMethod(method);
        // **************************Erro SSL*******************************
    String response = method.getResponseBodyAsString();
    System.out.println("/******SCIM response status: " + responseStatus);
    System.out.println("SCIM  response data: " + response + "******/");
}

Am I missing anything?

PS: WSO2-IS is running on a docker environment in development environment and I'm trying to connect from local machine.

Solution

  • I've used the certificate that comes with WSO2 IS in my application and it worked.

    wso2is-5.11.0/repository/resources/security/wso2carbon.jks

    protected void setKeyStore() {
    System.setProperty("javax.net.ssl.trustStore", "wso2carbon.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");
}