KB Article #180863
2-way SSL session for a request coming from Microsoft Azure to API Manager terminates with: verify error:num=20:unable to get local issuer certificate; verify error:num=21:unable to verify the first certificate
Problem
A Docker API Manager instance exposing an application to requests from Microsoft Azure cannot return the content or response because of SSL errors.
The certificates stored on the API Manager Traffic port are not presented to the requester (Azure); the verification command shows:
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Local verification of the API Manager Traffic port certificates with openssl incorrectly shows only 1 certificate present (the server certificate), with neither the CA nor the intermediate certificate:
---
[server1@user ~]$ openssl s_client -showcerts -connect x.x.x.x:1234
CONNECTED(00000003)
depth=0 C = CH, ST = TOWN, L = TOWN, O = COMPANY SA, CN = SERVER.COM
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CH, ST = TOWN, L = TOWN, O = COMPANY SA, CN = SERVER.COM
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=CH/ST=TOWN/L=TOWN/O=COMPANY SA/CN=SERVER.COM
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
-----BEGIN CERTIFICATE-----
MIIF3jCCBMagAwIBAgIMORxQQUMk+94kAQppMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
.................
.................
Ot1q2ZxF/ufC+0adQiacloHK
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CH/ST=TOWN/L=TOWN/O=COMPANY SA/CN=SERVER.COM
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2165 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9025B00F617A2D008...............
Session-ID-ctx:
Master-Key: 291BC525E363FBA9CDC51C3CF9FE75.............
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 40 26 88 63 58 db a8 bd-3e bf 02 5a c5 ee fc f8 @&.cX...>..Z....
...............
...............
0090 - a2 27 73 9b a5 cc 15 c1-ca 49 a9 01 47 9d f2 0a .'s......I..G...
Start Time: 1583921299
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed
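As an added illustration (not part of this article and not Axway code): a small Python parser for the "Certificate chain" listing that openssl s_client -showcerts prints, which reports whether the server sent the issuer of each certificate it presented. The sample listings are constructed, with PEM bodies replaced by a placeholder and a made-up root CA name.

```python
import re

# Constructed samples of the "Certificate chain" listing printed by
# `openssl s_client -showcerts`; PEM bodies are replaced by "<pem block>".
LEAF_ONLY = """\
Certificate chain
 0 s:/C=CH/ST=TOWN/L=TOWN/O=COMPANY SA/CN=SERVER.COM
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
<pem block>
"""
FULL_CHAIN = """\
Certificate chain
 0 s:/C=CH/ST=TOWN/L=TOWN/O=COMPANY SA/CN=SERVER.COM
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
<pem block>
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
   i:/C=XX/O=EXAMPLE/CN=EXAMPLE ROOT CA
<pem block>
 2 s:/C=XX/O=EXAMPLE/CN=EXAMPLE ROOT CA
   i:/C=XX/O=EXAMPLE/CN=EXAMPLE ROOT CA
<pem block>
"""

# One chain entry: an index line "N s:<subject>" followed by an "i:<issuer>" line.
ENTRY = re.compile(r"^\s*\d+ s:(?P<s>.*)\n\s*i:(?P<i>.*)$", re.MULTILINE)

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group("s").strip(), m.group("i").strip()) for m in ENTRY.finditer(output)]

def chain_problems(chain):
    """Explain why a client could not verify the chain; an empty list means it links up."""
    if not chain:
        return ["server sent no certificates"]
    problems = []
    for n, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            break  # self-signed root reached, nothing more to link
        if n + 1 == len(chain):
            if n == 0:  # leaf alone: the client cannot even find the first issuer
                problems.append(f"intermediate for {issuer!r} not sent (leaf only)")
            # a trailing intermediate is fine: its root is expected in the trust store
        elif chain[n + 1][0] != issuer:
            problems.append(f"cert {n + 1} is not the issuer of cert {n}")
    return problems
```

Feed it the saved output of the s_client command above: the leaf-only listing from the Problem section yields the "not sent" finding, while the three-certificate listing obtained after the fix yields none.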
Resolution
The customer deployed from Policy Studio and also has a DevOps team that automates the deployment.
The Policy Studio SP level was sp10/753, whereas the Docker instance ran sp11/753.
Policy Studio was updated and started with the '-clean' flag;
Certificates for the API Manager Traffic port were inspected visually;
The API Manager configuration was deployed.
Results:
Local verification of the API Manager Traffic port certificates now correctly shows 3 certificates (CA, intermediate, server).
The customer's 2-way SSL requests from Microsoft Azure to the API Manager application now succeed.
The customer has been advised to have the DevOps team update their deployment tools to the Docker instance's SP level, so that both are aligned at deployment time.