Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

F5 API access from java certificate error

srinidhi12
Cirrus
Cirrus

‎22-Feb-2023 07:47

Hi All, I am accessing the F5 API from java, but I get the certificate error on the http request:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

But I have downloaded the certificate from the F5 portal and imported in the local java keystore.

sudo keytool -importcert -alias f5_api domain -file f5_api_com.crt -keystore cacerts

Still i get the above error. Please let me know I am missing anything.Screenshot 2023-02-22 at 9.14.50 PM.png

 

Thanks!

0 Kudos
13 REPLIES 13

TimRiker
Cirrostratus
Cirrostratus

‎22-Feb-2023 11:11 - edited ‎22-Feb-2023 11:12

We have wildcard certs for our domains already installed on the F5s for traffic routing. We re-use those same certs for the device certs. All devices have the exact same wildcard cert installed. This means that hitting the UI gets the same publicly signed certificate as hitting traffic vips in that domain.

This bypasses the need to add certs to the clients, as the public certs are already trusted.

0 Kudos

srinidhi12
Cirrus
Cirrus
In response to TimRiker

‎22-Feb-2023 11:17

Hi @TimRiker Thanks for the reply, 

But I am not able to connect the management server (API request) using java. I can see it working if the http call goes through browser. But not through java. 

0 Kudos

TimRiker
Cirrostratus
Cirrostratus
In response to srinidhi12

‎22-Feb-2023 12:20

What cert are you using as a device cert? Is it a publicly signed cert? if not, it will need to be added to the java cert store. I recommend using a publicly signed wildcard cert for your domain if you have one already.

Chris_Thuys
Altocumulus
Altocumulus

‎22-Feb-2023 19:09

It looks like you may have imported the certificate into the trust store and not the issuer of the certificate into your trust store.
From the screenshot above it looks like The issuer may be different from the certificate.

srinidhi12
Cirrus
Cirrus

‎22-Feb-2023 22:10

@TimRiker @Chris_Thuys Thanks for the reply,

@TimRiker I have downloaded the SSL certificate and imported in my java keystore. Do I need to use the Device certificate as well?

@Chris_Thuys Also I am understanding your question, but can you help me with importing the issuer of the certificate. As I am confused in that process. Please let me know the steps if possible.

0 Kudos

Chris_Thuys
Altocumulus
Altocumulus
In response to srinidhi12

‎22-Feb-2023 23:12

Can you provide the details of the device certificate you have used?

It can be found under System  ››  Certificate Management : Device Certificate Management : Device Certificate

You should be able to find the issuer cert in the device certificcate chain which can be found here: System  ››  Certificate Management : Device Certificate Management : Device Certificate Chain

From there you can export it and then import to your JAVA CA repo.

 

srinidhi12
Cirrus
Cirrus
In response to Chris_Thuys

‎23-Feb-2023 01:49

I have downloaded the device certificate from the mentioned and imported inside the JAVA keystore. 

Still I get the same error.

Please find the device certificate Screenshot 2023-02-23 at 3.16.51 PM.png

 

I dont find anything under device certificate chain
Screenshot 2023-02-23 at 3.18.48 PM.png

0 Kudos

srinidhi12
Cirrus
Cirrus

‎23-Feb-2023 04:04

can anyone please let me know the steps to be configured to access the API from java with the SSL certificate installation in jvm. As I am confused with the steps or not sure if I am missing anything.

The steps I followed:

  • Download the f5_api_com.crt from certificate management->Traffic certificate management ->SSL certificate ->f5_api_com.crt
  • Import it to my jdk using the below command:
  • sudo keytool -importcert -alias f5_api domain -file f5_api_com.crt -keystore cacerts
  • certificate is added successfully.
  • Restarted my system

 

0 Kudos

Chris_Thuys
Altocumulus
Altocumulus

‎23-Feb-2023 17:30

Assuming you are actually trying to access the api on the F5 you have provided screen shots for then the certificate you require is the device  certificate not the certificate in  traffic certificate management.

Install the device certificate from System  ››  Certificate Management : Device Certificate Management : Device Certificate into your java Keystore to trust the self signed certificate used by the F5 device irtself.

 

0 Kudos

srinidhi12
Cirrus
Cirrus
In response to Chris_Thuys

‎25-Feb-2023 09:41

Thanks for the explanation, is there any specific alias name which I need to specify  in the command.

keytool -import -noprompt -trustcacerts -alias http://www.example.com -file "C:\Path\to\www.example.com.cer" -keystore cacerts

0 Kudos

srinidhi12
Cirrus
Cirrus
In response to Chris_Thuys

‎27-Feb-2023 03:05

And after importing I get the below error:

javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.10.10.10 not verified:

here 10.10.10.10 is the F5 Management IP

0 Kudos

srinidhi12
Cirrus
Cirrus
In response to Chris_Thuys

‎27-Feb-2023 23:43

Hi,

I just found that I have changed the hostname from the cli  and that is not updated in the device certificate, which is giving the "hostname not verified error" Please let me know how to update the hostname in the device certificate.

0 Kudos

Chris_Thuys
Altocumulus
Altocumulus

‎28-Feb-2023 17:25

Try the following KB
https://my.f5.com/manage/s/article/K9114

0 Kudos
Copyright © 2023 Khoros, LLC