Question

Debug SSL Traffic in Mendix Cloud

0

In the Mendix Cloud we are running into an issue with one of our webservices that requires us to use a client certificate. Eventhough we added the certificate to the network tab we still see the following error: Caused by: com.mendix.systemwideinterfaces.MendixRuntimeException: com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:40) Caused by: com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:132) at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:256) at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:184) at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:137) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482) Is there a way to debug this propperly such as increasing SSL logging?

asked 2017-10-11

Pieter van de Braak

1 answers

Pieter van de Braak · Answer 1 · 2017-10-12

After some trial and error attempts we figured that the server was not hosting the complete chain which caused this issue.

One other intresting thing we noticed is that when using self signed client certificates, it seems that you need to have this certificate both as ca and as client certificate because otherwise Mendix won't send the client certificate to the server resulting in an error.