Camunda - Getting certificate error while calling an https REST service through connector

Modeler
#1

I am rying to use connector (http-connector) to call an https REST webservice from connector.
I get certificate error as below:

PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Do I need to configure somewhere so that connector is able to call an https REST webservice.

When I use Java delegate & call the same service using spring RestTemplate, it works fine; not sure why connector fails to call https service.

I have configured a connector from camunda modeler & connector configuration in generated BPMN xml is like this.

camunda:connector
camunda:connectorIdhttp-connector</camunda:connectorId>
camunda:inputOutput
<camunda:inputParameter name=“url”>
https://www.my-dummy-service.com/my-api
</camunda:inputParameter>
<camunda:inputParameter name=“payload”>
[CDATA[execution.getVariable(‘myRequest’)]]
</camunda:inputParameter>
<camunda:inputParameter name=“method”>
POST
</camunda:inputParameter>
<camunda:inputParameter name=“headers”>


application/json


</camunda:inputParameter>
<camunda:outputParameter name=“isHoliday”>
<camunda:script scriptFormat=“Javascript” resource=“parseMyResponse.js” />
</camunda:outputParameter>
</camunda:inputOutput>
</camunda:connector>

HTTPS connector PKIX
#2

This is barely readable, please escape code blocks with three backticks ```
like this

code
#3

Here is the BPMN xml with escape characters as suggested by you

<camunda:connector>
<camunda:connectorId>http-connector</camunda:connectorId>
<camunda:inputOutput>
 <camunda:inputParameter name=“url”>
https://www.my-dummy-service.com/my-api
 </camunda:inputParameter>
 <camunda:inputParameter name=“payload”>
      [CDATA[execution.getVariable(‘myRequest’)]]
 </camunda:inputParameter>
 <camunda:inputParameter name=“method”>
      POST
 </camunda:inputParameter>
 <camunda:inputParameter name=“headers”>
     application/json
</camunda:inputParameter>
 <camunda:outputParameter name=“isHoliday”>
 <camunda:script scriptFormat=“Javascript” resource=“parseMyResponse.js” />
 </camunda:outputParameter>
 </camunda:inputOutput>
 </camunda:connector>
Https authentication through Connector
#4

Hi @dg_camunda_learner,

when you execute call to a HTTPS endpoint, you need to accept the certificate behind it.
A solution could be to change the configuration of the HTTP Connector and to accept all certificates in this configuration.

For that, you can use the attached HttpConnectorConfiguration class [1]. In our documentation, you can find how you use the custom http connector configuration.

[1]: HttpConnectorConfiguration.txt (2.2 KB)

Cheers
kristin

1 Like
#5

Hi,
This looks like a JVM certificate problem to me… Is this happening in a dev/test environment where you are using self signed certificates? If so, you can either import your own certificate into the JVM certificate store, or from memory there is a setting to disable certificate verification in the http library…

regards

Rob

#6

Hi,
I am new to camunda and have a requirement to call a HTTPS endpoint. I am getting the error as below:

SEVERE [http-nio-8080-exec-4] org.camunda.commons.logging.BaseLogger.logError ENGINE-16004 Exception while closing command context: HTCL-02007 Unable to execute HTTP request
org.camunda.connect.ConnectorRequestException: HTCL-02007 Unable to execute HTTP request
at org.camunda.connect.httpclient.impl.HttpConnectorLogger.unableToExecuteRequest(HttpConnectorLogger.java:48)
at org.camunda.connect.httpclient.impl.AbstractHttpConnector.execute(AbstractHttpConnector.java:72)
at org.camunda.connect.httpclient.impl.AbstractHttpConnector.execute(AbstractHttpConnector.java:38)
at org.camunda.connect.impl.AbstractConnectorRequest.execute(AbstractConnectorRequest.java:42)
at org.camunda.connect.plugin.impl.ServiceTaskConnectorActivityBehavior$1.call(ServiceTaskConnectorActivityBehavior.java:57)
at org.camunda.connect.plugin.impl.ServiceTaskConnectorActivityBehavior$1.call(ServiceTaskConnectorActivityBehavior.java:51)
at org.camunda.bpm.engine.impl.bpmn.behavior.AbstractBpmnActivityBehavior.executeWithErrorPropagation(AbstractBpmnActivityBehavior.java:108)
…
…
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at connectjar.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275)
at connectjar.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:254)
at connectjar.org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:117)
at connectjar.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:314)
at connectjar.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
at connectjar.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
at connectjar.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
at connectjar.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
at connectjar.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
at connectjar.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
at connectjar.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at connectjar.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
at connectjar.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at org.camunda.connect.httpclient.impl.HttpRequestInvocation.invokeTarget(HttpRequestInvocation.java:35)
at org.camunda.connect.impl.AbstractRequestInvocation.proceed(AbstractRequestInvocation.java:60)
at org.camunda.connect.httpclient.impl.AbstractHttpConnector.execute(AbstractHttpConnector.java:70)
… 122 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)

I have done the following steps. Please advise if anyone has any idea.

  1. In bpm file
    camunda:connector
    camunda:inputOutput
    <camunda:inputParameter name=“url”>https://<ACTUAL_SERVICE_ENDPOINT></camunda:inputParameter>
    <camunda:inputParameter name=“method”>POST</camunda:inputParameter>
    …
    …
  2. Created a custom connectorconfigurator file named org.camunda.connect.spi.ConnectorConfigurator. It has the following content:

package org.camunda.connect.example;

import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.camunda.connect.httpclient.HttpConnector;
import org.camunda.connect.httpclient.impl.AbstractHttpConnector;
import org.camunda.connect.spi.ConnectorConfigurator;

public class HttpConnectorConfigurator implements ConnectorConfigurator {

public Class getConnectorClass() {
return HttpConnector.class;
}

public void configure(HttpConnector connector) {

TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            return;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            return;
        }
    }
};

SSLContext sc = null;
try {
	
  sc = SSLContext.getInstance("SSL");
  sc.init(null, trustAllCerts, new SecureRandom());
} catch (Exception e) {
  throw new RuntimeException("Could not change SSL TrustManager to accept arbitray certificates", e);
}

HostnameVerifier hv = new HostnameVerifier() {
  public boolean verify(String urlHostName, SSLSession session) {
 
      if (!urlHostName.equalsIgnoreCase(session.getPeerHost())) {
          System.out.println("Warning: URL host '" + urlHostName + "' is different to SSLSession host '" + session.getPeerHost() + "'.");
      }
      return true;
  }
};

CloseableHttpClient client = HttpClients.custom()
  .setSSLContext(sc)
  .setSSLHostnameVerifier(hv)
  .build();
((AbstractHttpConnector) connector).setHttpClient(client);

}

}

  1. Put this file inside \webapps\engine-rest\WEB-INF\classes\META-INF\services