[APIMANAGER-4268] javax.net.ssl.SSLException: Received fatal alert: unknown_ca error thrown intermittently when invoking the methods of an API via API console
Created: 26/Nov/15  Updated: 16/Jul/16  Resolved: 18/Dec/15

Status: Resolved
Project: ZZZ-WSO2 API Manager
Component/s: store
Affects Version/s: 1.10.0-alpha
Fix Version/s: None

Type: Bug
Priority: High
Reporter: Nayomi Dayarathne
Assignee: Nuwan Dias
Resolution: Won't Fix
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Pack : wso2am-1.10.0-alpha
Java version : Oracle jdk 1.7.0
DB Version : embedded H2
OS : Ubuntu 14.04 LTS
Browser : Firefox 40.0.3


Severity: Major
Estimated Complexity: Moderate
Test cases added: No

 Description   

Steps to recreate :

1. Create and publish an API.
2. Subscribe to API.
3. Go to API console and invoke its methods.

No response was shown in the console.
The error below can be seen in the APIM logs.

 ERROR - SourceHandler I/O error: Received fatal alert: unknown_ca
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607)
	at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
	at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:228)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.decryptData(SSLIOSession.java:359)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:394)
	at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
	at java.lang.Thread.run(Thread.java:745)


 Comments   
Comment by Lakmali Erandi Baminiwatta [ 27/Nov/15 ]

Refer https://wso2.org/jira/browse/APIMANAGER-3696

Comment by Shashika Ubhayaratne [ 27/Nov/15 ]

Observed this issue on the standalone pack (with default key stores) on the Firefox browser only.
This works fine on Chrome.

Error message:
[2015-11-27 13:36:20,728] ERROR - SourceHandler I/O error: Received fatal alert: bad_certificate
javax.net.ssl.SSLException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:228)
at org.apache.http.nio.reactor.ssl.SSLIOSession.decryptData(SSLIOSession.java:359)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:394)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:745)

Comment by Shashika Ubhayaratne [ 27/Nov/15 ]

This could be solved when the certificate is approved from Firefox.

Comment by Isabelle Mauny [ 15/Dec/15 ]

Have the same problem in the beta, with the sample API. The exception is thrown by our server, not by the browser. Even if we use https://localhost it's not working. I have the same problem in Chrome.

Comment by Lakmali Erandi Baminiwatta [ 15/Dec/15 ]

Yes, this is seen even for localhost. Can you please try loading https://localhost:8280+offset and accepting the certificate?

Comment by Nuwan Dias [ 18/Dec/15 ]

There's a technical barrier in fixing this. The root cause of the issue is that the default pack doesn't ship with a CA-signed cert.

When using the API Console, the web browser sends an https request to the Gateway. Since the cert on the Gateway is not CA-signed, the browser will not accept it. To work around the issue, you need to access the Gateway URL (https://192.168.10.100:8243) on a new tab of the same browser and trust the cert from the browser. This will make the API Console work.
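
The trust decision described in the comment above, reproduced offline with the openssl CLI as an added example (not part of the original comment and not WSO2 code). A constructed self-signed certificate stands in for the pack's default certificate; the function names, the CN and the temp files are assumptions, and the `-CAfile` step plays the role of the browser exception.

```shell
#!/bin/sh
# Added example: classify a PEM certificate the way a client's trust check would.
# To inspect a real endpoint, first save its certificate, e.g.
#   openssl s_client -connect HOST:PORT </dev/null | openssl x509 -out cert.pem

# Constructed sample: throwaway self-signed cert (stand-in for a non-CA-signed default cert).
make_self_signed() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Run `openssl verify`; succeed only on an explicit "OK".
verifies() {           # $1 = PEM certificate, remaining args = extra verify options
    cert=$1; shift
    openssl verify "$@" "$cert" 2>/dev/null | grep -q ": OK$"
}

# True when subject == issuer and the certificate validates against itself.
is_self_signed() {     # $1 = PEM certificate
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$s" = "$i" ] && verifies "$1" -CAfile "$1"
}

# What a client with only the system trust store would conclude.
classify_cert() {      # $1 = PEM certificate
    if verifies "$1"; then
        echo "trusted-by-system-store"
    elif is_self_signed "$1"; then
        echo "self-signed-untrusted"    # the case behind unknown_ca / bad_certificate
    else
        echo "untrusted-chain"
    fi
}

# Demo on the constructed certificate.
tmp=$(mktemp -d)
make_self_signed "$tmp"
echo "default trust store: $(classify_cert "$tmp/cert.pem")"
if verifies "$tmp/cert.pem" -CAfile "$tmp/cert.pem"; then
    echo "after explicitly trusting the cert: accepted"
fi
rm -rf "$tmp"
```

In production the durable fix is a certificate issued by a CA the clients already trust, so that `classify_cert` reports `trusted-by-system-store` without any per-browser exception.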

Comment by Samitha Chathuranga [ 16/Jul/16 ]

The workaround works. Thanks Nuwan. I think the workaround for this should be mentioned in the Quick Start Guide in the documentation (https://docs.wso2.com/display/AM1100/Quick+Start+Guide#QuickStartGuide-InvokingyourfirstAPI) in an appropriate way, without mentioning it as an issue. Because I guess most of the new API Manager users/possible customers go through this guide, and they also use this default pack with the given sample, but the result is that this doesn't work. I think that is never good. But actually this is not an issue when it is in the production environment. WDYT?

Generated at Thu Nov 21 08:54:44 IST 2019 using JIRA 7.2.2#72004-sha1:9d5132893cc8c728a3601a9034a1f8547ef5c7be.