
Intermittent "No Trusted Certificates" or "host name '<hostname>' in request does not match server's certificate subject" Error In Oracle API Gateway (Doc ID 1922652.1)

Last updated on FEBRUARY 03, 2017

Applies to:

Oracle API Gateway - Version 11.1.2 and later
Information in this document applies to any platform.


When making an SSL call in the Gateway, the Connection Filter fails intermittently. The issue concerns an SSL session that has not been correctly initialized.
An SSL connection was attempted and, when that failed, was immediately retried. Both attempts failed. Three seconds later, a connection to the endpoint was attempted and this time it worked as expected.

These failures can happen at any time but are most common in the period after a restart of the Gateway.
It is not necessarily the first request after a restart that fails; it might be the second, the fifth, or any subsequent attempt.

The trace can contain output similar to this:

DEBUG 28/Jan/2016:10:08:27.643 [e206d700] Connection to: <hostname>:443 acquired, connection count: 1
DEBUG 28/Jan/2016:10:08:27.643 [e206d700] poll() with max timeout 30000
DEBUG 28/Jan/2016:10:08:27.644 [e206d700] poll(): revents = 4
DEBUG 28/Jan/2016:10:08:27.644 [e206d700] connected to xx.xx.xx.xx:443
DEBUG 28/Jan/2016:10:08:27.644 [e206d700] new connection 0x7fecb032b810, settings source service-wide defaults (allow 1.1=no, idleTimeout=1200000, activeTimeout=1200000, maxConnections=128, contentLength: req=no, res=no)
DEBUG 28/Jan/2016:10:08:27.644 [e206d700] push SSL protocol on to connection
DEBUG 28/Jan/2016:10:08:27.646 [e206d700] subject alt names in { subject: /C=<country>/ST=<state>/L=<city>/O=<organization>/CN=<common name> }:
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] *.xx.xx.
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] xx.xx.
ERROR 28/Jan/2016:10:08:27.647 [e206d700] host name '<hostname>' in request does not match server's certificate subject { subject: /C=<country>/ST=<state>/L=<city>/O=<organization>/CN=<common name> }.
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] cert verifier for require presented cert to match destination server's hostname: 0
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] cert verifier for require CA cert from chain to be in context: 0
ERROR 28/Jan/2016:10:08:27.647 [e206d700] [SSL alert write 0x22a, 0x1131]: bad certificate [fatal] { subject: /C=<country>/ST=<state>/L=<city>/O=<organization>/CN=<common name> }.
ERROR 28/Jan/2016:10:08:27.647 [e206d700] [SSL_connect, 0x1131]: error - certificate rejected { subject: /C=<country>/ST=<state>/L=<city>/O=<organization>/CN=<common name> }.
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] Decrementing connection count for connection: <hostname>:443, connections count: 1
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] destroying connection 0x7fecb032b810 with transaction (nil)
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] delete connection 0x7fecb032b810
ERROR 28/Jan/2016:10:08:27.647 [e206d700] transient failure connecting to remote: SSL protocol error
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] connection processor made 1 attempts to transact
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] } = 0, filter [Connect to OES - Order App]
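
One way to triage a trace like the one above, as an added example (not Oracle tooling and not part of the original note): the script groups trace lines by thread id and reports each rejected handshake with its destination and the verifier checks that returned 0. The sample trace is constructed from the message formats in the excerpt with placeholder host names, and treating a verifier result of 0 as a failed check is an assumption.

```python
import re
from collections import defaultdict

# Line layout as in the excerpt: LEVEL dd/Mon/yyyy:HH:MM:SS.mmm [thread] message
LINE = re.compile(r"^(DEBUG|ERROR)\s+(\S+)\s+\[([0-9a-f]+)\]\s+(.*)$")
ACQUIRED = re.compile(r"^Connection to: (\S+) acquired")
VERIFIER = re.compile(r"^cert verifier for (.+): (\d+)$")
REJECTED = "error - certificate rejected"

# Constructed sample: message texts follow the excerpt, host and subject are placeholders.
SAMPLE = """\
DEBUG 28/Jan/2016:10:08:27.643 [e206d700] Connection to: api.example.test:443 acquired, connection count: 1
DEBUG 28/Jan/2016:10:08:27.644 [e206d700] push SSL protocol on to connection
ERROR 28/Jan/2016:10:08:27.647 [e206d700] host name 'api.example.test' in request does not match server's certificate subject { subject: /CN=example }.
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] cert verifier for require presented cert to match destination server's hostname: 0
DEBUG 28/Jan/2016:10:08:27.647 [e206d700] cert verifier for require CA cert from chain to be in context: 0
ERROR 28/Jan/2016:10:08:27.647 [e206d700] [SSL_connect, 0x1131]: error - certificate rejected { subject: /CN=example }.
ERROR 28/Jan/2016:10:08:27.647 [e206d700] transient failure connecting to remote: SSL protocol error
"""

def find_rejections(trace):
    """Return one record per rejected handshake: time, thread, destination, failed checks."""
    state = defaultdict(lambda: {"dest": None, "failed": []})  # handshake state per thread id
    rejections = []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not a trace line
        level, stamp, thread, msg = m.groups()
        cur = state[thread]
        if (a := ACQUIRED.match(msg)):
            # A new connection on this thread starts a fresh handshake record.
            state[thread] = {"dest": a.group(1), "failed": []}
        elif (v := VERIFIER.match(msg)) and v.group(2) == "0":
            # Assumption: result 0 means the named check did not pass.
            cur["failed"].append(v.group(1))
        elif level == "ERROR" and REJECTED in msg:
            rejections.append({"time": stamp, "thread": thread,
                               "dest": cur["dest"], "failed": list(cur["failed"])})
    return rejections

if __name__ == "__main__":
    for r in find_rejections(SAMPLE):
        print(r["time"], r["thread"], r["dest"], "; ".join(r["failed"]))
```

Run over a full trace file, the timestamps of the reported rejections show whether they cluster in the period after a Gateway restart, as described above.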


