Hello,

Have some odd issues with my TLS config.

This is 3.0.1 upgraded to 3.5 on Linux.

I can log in to IG 3.5 without any issues.

OSP 6.3.1 is on the same server.
Tomcat is 9.0.12
Java is 1.8.0_181-b02 from Azul Systems, Inc.

But when I go to one of my identity/application sources and click on
Test connection I get this message:

Unable to connect to your server: Failed to parse result set for rest
call to https://ig1.mydomain.com:9443/daas/rest/service from
DaasExecutorService service.

After activating debug logging for SSL I can see that it complains about
"revocation status" in catalina.out

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: Could not determine
revocation status

I've added this to setenv.sh but it didn't help:
-Dcom.sun.net.ssl.checkRevocation=false

I'm using Let's Encrypt wildcard certificates.

I see this in the catalina.2019-01-10.log

[SEVERE] 2019-01-10 18:24:11
com.netiq.iac.server.common.rest.RestCallExecutor executePutRestCall -
[IG-SERVER] Failed to connect. URI:
https://ig1.mydomain.com:9443/daas/rest/service, rest service id:
dc_serveraas. Please verify that rest server is reachable.
[SEVERE] 2019-01-10 18:24:11
com.netiq.iac.server.common.rest.RestCallExecutor executeDeleteRestCall
- [IG-SERVER] Failed to connect. URI:
https://ig1.mydomain.com:9443/daas/r...782-gromitid-2,
rest service id: dc_serveraas. Please verify that rest server is
reachable.
[SEVERE] 2019-01-10 18:24:11
com.netiq.iac.persistence.dcs.dce.daas.DaaSService testConnection -
[IG-SERVER] Failed to connect. URI:
https://ig1.mydomain.com:9443/daas/r...782-gromitid-2,
rest service id: dc_serveraas. Please verify that rest server is
reachable.
[SEVERE] 2019-01-10 18:24:11 com.netiq.iac.server.rest.ConnectionService
testConnection - [IG-SERVER] Test Connection error: Failed to parse
result set for rest call to
https://ig1.mydomain.com:9443/daas/rest/service from DaasExecutorService
service.

Any tips?

Thanks
-alekz
