Connect to Camunda SaaS but hit SSL Handshake error.

I have created a Camunda SaaS cluster, then followed the Camunda Academy course to create a connection Java class.

camunda8.PaymentApplication' ;8bffdcf0-07c2-42ca-b8a0-91731126e63c
io.camunda.zeebe.client.api.command.ClientStatusException: io exception
Channel Pipeline: [SslHandler#0, ProtocolNegotiators$ClientTlsHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0]

I have tried to download the Camunda cert and add it to the Java keystore, but still hit the error.
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias auth-camunda-io -file auth-camunda-io.crt

Hi @VivianXiaRbc

Have a look at this page about possible solutions for a SSL handshake failure:

In a project we had a lot of problems with handshake failures due to incompatible TLS versions.
Maybe try adding something like -Dhttps.protocols=TLSv1.2 as a Java argument to your application.

I have added the -Dhttps.protocols=TLSv1.2 Java argument but still get the same error.
I downloaded the certificate from the Zeebe address *****.ont-1.zeebe.camunda.io:443 and added it to the Java keystore, but still hit the same error.

In the local Modeler, when deploying a BPMN diagram to the Camunda SaaS cluster, we also hit a similar SSL error.

2024-07-19T04:56:46.929Z  WARN app:zeebe-api Custom SSL certificate appears to be not a root certificate
2024-07-19T04:56:47.209Z  ERROR app:zeebe-api connection check failed {
  parameters: {
    endpoint: {
      type: 'camundaCloud',
      clientId: '******',
      clientSecret: '******',
      clusterId: '******************',
      clusterRegion: 'ont-1'
    }
  }

Also, our company has a proxy server, which I defined in a Windows environment variable.
HTTPS_PROXY = http://proxy.mycompany.com:8080

I tried to run the openssl command based on the Camunda troubleshooting document.
I got the result below. Is there anything that I can configure on my local machine?

C:\Program Files\Git\usr\bin>openssl s_client -alpn h2 -connect ont-1.zeebe.camunda.io:443 -servername ont-1.zeebe.camunda.io
CONNECTED(00000004)
write:errno=113
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 333 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
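
A way to read transcripts like the one above, as an added example that is not part of the original post or of Camunda's documentation: it separates "no certificate ever arrived" from "a certificate arrived but was not trusted", since only the second can be affected by a keystore import. The function name, category labels and the second sample are assumptions made for illustration.

```python
import re

# Sample abridged from the s_client transcript quoted in the post above.
SAMPLE_BLOCKED = """CONNECTED(00000004)
write:errno=113
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 333 bytes
New, (NONE), Cipher is (NONE)
No ALPN negotiated
Verify return code: 0 (ok)
"""

# Constructed sample: handshake completes but chain validation fails.
SAMPLE_UNTRUSTED = """CONNECTED(00000004)
verify error:num=19:self-signed certificate in certificate chain
---
SSL handshake has read 3021 bytes and written 402 bytes
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
ALPN protocol: h2
Verify return code: 19 (self-signed certificate in certificate chain)
"""

def classify_s_client(output: str) -> str:
    """Return a coarse diagnosis for one `openssl s_client` transcript."""
    read = re.search(r"SSL handshake has read (\d+) bytes", output)
    bytes_read = int(read.group(1)) if read else 0
    verify = re.search(r"Verify return code: (\d+)", output)
    code = int(verify.group(1)) if verify else None

    if "no peer certificate available" in output or bytes_read == 0:
        # Nothing was validated, so "Verify return code: 0 (ok)" is vacuous
        # here. Trust-store changes cannot affect this failure; look at the
        # network path (proxy, firewall) between client and endpoint.
        return "no-certificate-received"
    if code not in (0, None):
        # A chain was presented but did not validate against the local
        # trust store; this is the case a CA import can address.
        return "untrusted-chain"
    if "No ALPN negotiated" in output:
        # TLS is fine but h2 was not agreed, which gRPC clients require.
        return "alpn-missing"
    return "ok"

if __name__ == "__main__":
    for name, text in (("blocked", SAMPLE_BLOCKED), ("untrusted", SAMPLE_UNTRUSTED)):
        print(name, "->", classify_s_client(text))
```

Note that `openssl s_client` does not read the `HTTPS_PROXY` environment variable; it only goes through a proxy when given its `-proxy host:port` option, so a transcript taken without it reflects a direct connection attempt.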

Similar issue on my side

WARN app:zeebe-api Custom SSL certificate appears to be not a root certificate

My issue was solved by reusing the whole keystore from a colleague :smiley: So obviously the certificate was somehow bad, even though I had downloaded it from the server.

Btw, I had to create a new “resources” folder inside of my MacOS folder. Putting flag.json into the existing “Resources” folder was not working.