Peer not authenticated error after upgrading to Mendix 9 – REST call to external system

Hi everyone,

I'm facing a "peer not authenticated" error after upgrading an application from a lower Mendix version to Mendix 9. The issue occurs when the application tries to connect to an external system via a REST service over HTTPS.

Here's what we've checked and done so far:

The application is hosted on Windows Server with IIS installed on the same machine.
SSL is configured, and HTTPS bindings are in place.
I verified the certificate being served using openssl s_client and keytool -printcert.
I checked IIS bindings and reviewed HTTP.SYS bindings using netsh http show sslcert.
I imported the root and intermediate certificates into the Windows certificate store on the server.
The certificate itself is valid and not expired.

Despite this, Mendix 9 throws the "peer not authenticated" error when making the outbound REST call.

Questions:

1. Does Mendix 9 rely solely on the Java truststore instead of the Windows certificate store for outbound HTTPS calls?

2. Could this be related to missing intermediate certificates in the Java cacerts truststore?

3. Is there anything that changed in Mendix 9 regarding SSL validation that we should be aware of?

Any guidance or similar experiences would be greatly appreciated.

Thanks in advance.
asked
1 answers

Yeah, Mendix doesn't use the Windows certificate store at all for outbound calls. It uses the Java truststore (cacerts). So importing certs into the Windows store won't help for the REST call Mendix is making.


You need to import the full chain (root CA and any intermediates) into the cacerts file of the JRE that Mendix is using. Something like:


1. Find which JRE your Mendix runtime is using (check the service config or runtime settings).

2. Run keytool -import -alias somealias -keystore "path/to/jre/lib/security/cacerts" -file yourcert.cer with the default password "changeit".

3. Do this for both the root and intermediate certs if they are missing.

4. Restart the Mendix runtime.


This is almost certainly the issue since you said you only imported into the Windows cert store. Also worth noting that Mendix 9 ships with a newer JRE (AdoptOpenJDK 11) compared to older versions, and the default cacerts bundle might be slightly different from what you had before. So certs that happened to be trusted in the old JRE might not be present in the new one.


You can verify what's in the truststore with keytool -list -keystore cacerts and grep for the CA you need.


https://docs.mendix.com/developerportal/deploy/certificates/

answered
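A diagnostic that makes the answer's point concrete, written for this thread (it is not Mendix's code or part of the answer above): compile it with javac, then run it with the java binary of the JRE the Mendix runtime uses, so it loads that JRE's cacerts, prints the chain the HTTPS endpoint actually presents, and runs the same PKIX path validation that fails behind "peer not authenticated". The hostname, port and JRE path are placeholders.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
public class CheckTrust {
    public static void main(String[] args) throws Exception {
        String host = args[0]; int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        // Load the cacerts of the JRE running this program, as the runtime would
        // (javax.net.ssl.trustStore overrides the default <java.home>/lib/security/cacerts).
        String tsPath = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(tsPath)) { ts.load(in, pass.toCharArray()); }
        System.out.println("truststore: " + tsPath + " (" + ts.size() + " entries)");
        // Print every certificate the server sends and whether it is already in cacerts.
        X509Certificate[] chain = fetchChain(host, port);
        for (X509Certificate c : chain)
            System.out.println((ts.getCertificateAlias(c) != null ? "[in cacerts]     " : "[NOT in cacerts] ")
                    + c.getSubjectX500Principal());
        // PKIX path validation against cacerts: the check behind "peer not authenticated".
        // A self-signed root sent by the server is dropped; anchors must come from the truststore.
        List<X509Certificate> certPath = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = certPath.get(certPath.size() - 1);
        if (certPath.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
            certPath.remove(certPath.size() - 1);
        PKIXParameters params = new PKIXParameters(ts); params.setRevocationEnabled(false); // path only
        try {
            CertPathValidator.getInstance("PKIX")
                .validate(CertificateFactory.getInstance("X.509").generateCertPath(certPath), params);
            System.out.println("OK: this JRE trusts the chain (hostname match not checked here)");
        } catch (CertPathValidatorException e) {
            System.out.println("FAIL: " + e.getMessage() + "\n-> keytool -import the missing CA into "
                    + tsPath + " and restart the Mendix runtime");
        }
    }
    // Captures the presented chain without validating it, so it can be inspected even when the
    // real handshake fails. Trust-all is for this inspection only, never for the application.
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        TrustManager[] capture = { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {} } };
        SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, capture, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters(); p.setServerNames(List.of(new SNIHostName(host))); // SNI for IIS
            s.setSSLParameters(p); s.startHandshake();
            return Arrays.stream(s.getSession().getPeerCertificates())
                    .map(X509Certificate.class::cast).toArray(X509Certificate[]::new);
        }
    }
}
```

Run it as "C:\path\to\mendix-jre\bin\java" CheckTrust api.example.com 443 after compiling; a "[NOT in cacerts]" intermediate together with a FAIL line is exactly the missing-chain case the answer describes.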