Re: HTTPAPI & revoked SSL cert

[Bradley Stone <bvstone@xxxxxxxxx>]

The apache server shouldn't have anything to do with HTTPAPI.

But, you may want to check:

1.  You're on V7R2 or higher and have all the latest PTFs.   If you're on
V7R1 or earlier, you may be running into the issue that the cipher used on
the server SSL cert isn't available on your system.  Only fix is to update
your OS version.

2.  You don't have any expired Certificates OR CAs in DCM.  If so, remove
them.  I've seen this cause issues even if the Cert of CA has NOTHING to do
with the application being used.  *shrug*

3.  Make sure you have either strict SSL turned off, or you've imported the
CAs used by the server cert.

4.  Hopefully the server certificate isn't expired.  I've seen that happen
to the best of them where they forget to renew (even with Google).

When errors just start happening like this, it's best to look at what has
changed.  Most likely the endpoint server updated their SSL certificate, or
it expired.

I'm surprised there isn't more information in the error provided other than
the cert was rejected.

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #16 <https://www.bvstools.com/mailtool.html>: No external
"helper" PC system required. 100% IBM i native!

On Tue, Sep 18, 2018 at 9:37 AM Justin Taylor <JUSTIN@xxxxxxxxxxxxx> wrote:

> I have a CGI webservice that uses the HTTPAPI utility to make HTTPS calls
> to an outside vendor.  It makes a few hundred calls a day and has been in
> production for a couple of years.  Twice in the past week it's started
> throwing certificate errors and continued to do so until we bounced the
> Apache server.  I wasn't in the office when the issues occurred, so I'm
> limited on what data I have.
>
> I'm working on an automatic, and less drastic, work-around than bouncing
> Apache.  My RPG CGI program runs in a named activation group and doesn't
> set on LR.  The HTTPAPI call is in a service program that runs in *CALLER.
> I'm wondering if it would help to run my service program in a named
> activation group.  That way, when an error occurs the calling RPG could
> reclaim that named activation group.  Of course, I don't know if that would
> help.  I'm just speculating that something within HTTPAPI is staying in
> memory.
>
> Any thoughts?
>
>
> From Library : LIBHTTP
> From Program : HTTPAPIR4
> From Line : *STMT
> To Library : LIBHTTP
> To Program : HTTPAPIR4
> To Line : *STMT
> From user . . . . . . . . . :   USER
> From module . . . . . . . . :   HTTPUTILR4
> From procedure  . . . . . . :   UTIL_DIAG
> Statement . . . . . . . . . :   4810
> To module . . . . . . . . . :   COMMSSLR4
> To procedure  . . . . . . . :   SSL_ERROR
> Statement . . . . . . . . . :   7142
> Thread  . . . . :   00000002
>
> (GSKit) Certificate was rejected by the application
> supplied exit program or certificate being validated by SSL processing was
> revoked.
> Cause . . . . . :   No additional online help information is available.
> --
> This is the RPG programming on the IBM i (AS/400 and iSeries) (RPG400-L)
> mailing list
> To post a message email: RPG400-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
> or email: RPG400-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at https://archive.midrange.com/rpg400-l.
>
> Please contact support@xxxxxxxxxxxx for any subscription related
> questions.
>
> Help support midrange.com by shopping at amazon.com with our affiliate
> link: http://amzn.to/2dEadiD