Turning on AS2 #173
Comments
|
Tried upgrading to Oxalis 3.0.1, still same issue |
|
Found #168, looking into the information there |
|
InstallCert fixed it :) |
|
In our log we now got: Is it something wrong with our installation, Oxalis 3.0.1 or Unit4 installation of Oxalis? Adding with InstallCert for every accesspoint failing seems not like a good solution. |
|
Checking our logs further everyone failing is to https://ap.unit4.com/oxalis/as2 no one else. |
|
That was a bit strange, UNIT4 has about 80% inbound AS2 right now - and is based of a standard GlobalSign / G2 which should be included in Java default truststore. I see you have a very old Java VM, could you run the keytool kommand and verify that is contain recent the ROOT CA at least, like this : keytool -list -keystore </path/to/java/lib/security/cacerts> | grep '3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A' |
|
I got a hit for that grep in cacerts but it didn't work until I added ap.unit4.com:443 using InstallCert to the jssecacerts file. |
|
If you have "jssecacerts" present that one will be used instead of cacerts. |
|
If you want to use your own "jssecacerts" instead of cacerts I think you'll have to add every CA you want to trust yourself. The "cacerts" that comes shipped with recent Java Runtimes should be enough to run Oxalis. |
|
Telenor have the same problem sending to our accesspoint. Since they also have a lower version of Java than SendRegning/Unit4 hopefully a newer version will fix it. |
|
We have the same problem with one production server - START protocol works fine, but AS2 fails with "unable to find valid certification path to requested target" exception. |
|
installing a cert in "jssecacerts" is not a solution for production system. This is only workaround for development system where we install self-sign certificate. SSL certificates should be trusted automatically. @teedjay Are you working on same? |
|
The reason for AS2 "not beeing patched" is for it to verify some of the PEPPOL AS2 Transport Infrastructure requirements regarding SSL usage, such as :
@aaron-kumar I'm not currently working on something related to this, and it seems like @senikk is about to solve this by adding intermediate certificates so that his server will present the full certificate chain. |
|
You are right, it could be resolved by adding intermediate certificates to a response from server. We will check this as well. |
|
Yes, everything is working once intermediate certificate is added. Thanks! |
|
Working nicely on our server aswell. The other accesspoint having problem sending to us doesn't have the problem anymore :) |
|
That is great news! I'll add the solution to the readme as @pavelsbubens suggested. |
|
The solution has been added to troubleshooting section. |
|
hi, can anyone explain what is the fix? problems occurred after upgrade to 3.0.2.. |
|
The fix is to add any missing intermediate certificate(s) to the certificate chain on the server side. That way the server can present a complete certificate chain to the client. The correct intermediate certificates can be downloaded from the SSL certificate issuers website. |
|
sorry, but the explanation is very blurry. is there some new setup step or requirement? is it for app server keystore or oxalis keystore? app servers keystore always contains intermed.. |
|
You can use ssllabs to verify certificate chain Check Certification Paths sections -> all intermediate certificate(s) should have status Sent by server. |
|
Ports other than 443 not supported.... On Tue, Nov 18, 2014 at 10:29 AM, Pavels Bubens notifications@github.com
simakas@gmail.com |
|
You should use well known port 443 for your AS2 endpoint (se snippets from the PEPPOL AS2 Transport Infrastructure requirements regarding SSL about 11 comments back). The certificate chain issue is not directly related to any Oxalis configuration files at all and you should not do anything to your Oxalis keystores or Java keystores. Often HTTPS is not even handled by the application server running Oxalis at all but terminated at a load balancer or reverse-proxy layer in front (by software such as nginx, apache, haproxy). So which format the SSL certificate + intermediates needs to be in and how they are installed are very much dependant on your setup. If you have just the SSL certificate as a ".crt" file you might have to download the intermediate as a ".crt" as well and concatinate them together. If you got the SSL certificate as a ".pem" from the issuer, it might allready have the intermediate inside it. If you tell a little more about your server set-up, we might be able to give you some more precise details. |
|
Did you get any result scanning with 443? It is possible that the same certificate is used for other ports as well. |
|
than you both for replies. infrastructure is very simple:
@pavelsbubens - 443 scans ok, its apache. just ssllabs dont support other port scans. sslshopper.com says all intermediates are in places. |
|
You do not need another domain name or any proxy/balancer. And you do not need to install any SSL certificates on Tomcat at all, unless your Tomcat is available directly on the Internet at port 8443. Since you already have Apache running SSL/TLS at port 443 you could let Apache handle all the HTTPS and use "ProxyPass" feature in Apache to pass all the "oxalis" traffic to Tomcat. Like this setup : http://pwu-developer.blogspot.no/2011/04/securing-tomcat-with-apache-web-server.html Installing the SSL cert and the chain certificates (intermediates) on Tomcat is actually a little tricky, but if you really need to there are some troubleshooting in the Tomcat docs : |
|
hmz. are there any new changes in 3.0.0+ that limits usage of other ports? so I at least downgrade until I find the way out. can someone tell the cause of the problem? |
|
What problem did you actually have? This issue #173 is about sending AS2 to AccessPoints that does not have correctly configured SSL certificates. You cannot downgrade away from that issue, the AS2 require the receiving AccessPoint to have a correctly configured SSL certificates. If you managed to run the analyzer on you Tomcat port 8443 without any warnings or errors you should be fine. If you post you accesspoint URL here I could try to send you a test message to verify? |
|
i get the PKIX error, same one as in issues header. my AP is atworklogin.com:8443 (https://atworklogin.com:8443/oxalis/), you can also test send invoice to org 989272047. |
|
Your issue is actually a bit different than the one described in this issue. You use GoDaddy with SHA256 which have a known issue with Java. The problem and the fix can be found in issue #168 . Basically you need to rekey your cert with SHA1, it is free and can be done at GoDaddy site. |
|
can you check again now? changed from SHA2 to SHA1.. |
|
Now it seems to be ok (sendt at 12:49) |
|
great, thanks. what certs are used by others to be on the safe side? |
|
I'm not quite sure, but there haven't been any issues lately (except that GoDaddy issue) - so what's running on accesspoints today seems to be pretty safe choices. ELMA has a page listing accesspoint url's, which can be opened in a browser to look at the SSL cert : https://smp.difi.no/endpoint |
When turning on AS2 we got this error when sending:
Sending failed Unexpected error during execution of http POST to https://ap.unimicro.no/oxalis/as2: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The same code runned nicely with START.
Oxalis 3.0.0
The text was updated successfully, but these errors were encountered: