Need help with outbound rest failures with "[ERROR CODE: -1 ] No issuer certificate found", only occuring AFTER upgrade to New York

Go to solution
Elhanan1
Kilo Contributor

‎04-15-2020 01:13 PM

 

We are on premise (aka locally hosted) 
After our New York upgrade we began to get failures on outbound rest api calls that have been historically working for over a year. 

e.g., from our node log: 

Default-thread-13 9EA9B79FB8C01090BBD1F321CAB1704B txid=d56188e3b804 OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=-1 response_time=61 request_length=0 response_length=-1 app_scope=global session_id=9EA9B79FB8C01090BBD1F321CAB1704B transaction_name="#1934641 /sys_rest_message_fn.do" user_name=xxxxxxx mid_server= source_table=sys_ui_action source_record=48c17ed207131000dada43c0d1021e83 system_id=sourcesystem.com:nodename method=GET log_level=Basic scheme=https hostname=XXXXXX path=/xxxxxxx/api/xxxxxx/xxxxx url=https://XXXXXX/xxxxxxx/api/xxxxxx/xxxxx response_body="[ERROR CODE: -1 ] No issuer certificate found for XXXXXXX"

 

There have been no changes to the outbound api server; its SSL certificates are NOT expired.

Web Browser shows no issue in the chain (although openssl s_client does complain about it ).

I can execute the same api via curl on the node server (I give it the --insecure option).  Is there a similar "insecure" or SSL ignore property we can set?  Why after a new york upgrade is this failing?

 

Thanks

Labels:
0 Helpfuls
  • 2,795 Views
1 ACCEPTED SOLUTION

Go to solution
Ashutosh Munot1
Kilo Patron
Kilo Patron

‎04-15-2020 01:21 PM

HI,

Resolution

There are two options to resolve this: 

(1) Clean up the endpoint so that there are no more certificate errors seen when executing the: openssl s_client -connect <endpoint hostname or IP address>:<port> -showcerts
(2) To ignore these certificate errors (i.e. remove the tighter certificate standards) add this system property to the instance: 

Name = com.glide.communications.httpclient.verify_revoked_certificate 
Type = true|false 
Value = false 

 

Thanks,

Ashutosh

View solution in original post

2 REPLIES 2

Go to solution
Ashutosh Munot1
Kilo Patron
Kilo Patron

‎04-15-2020 01:21 PM

HI,

Its a know issue:

https://hi.service-now.com/kb_view.do?sysparm_article=KB0760206

 

Thanks,
Ashutosh

0 Helpfuls

Go to solution
Ashutosh Munot1
Kilo Patron
Kilo Patron

‎04-15-2020 01:21 PM

HI,

Resolution

There are two options to resolve this: 

(1) Clean up the endpoint so that there are no more certificate errors seen when executing the: openssl s_client -connect <endpoint hostname or IP address>:<port> -showcerts
(2) To ignore these certificate errors (i.e. remove the tighter certificate standards) add this system property to the instance: 

Name = com.glide.communications.httpclient.verify_revoked_certificate 
Type = true|false 
Value = false 

 

Thanks,

Ashutosh