alex-therapeutics / diga-api-client

Production-ready Java library for DiGA (Digital Health Application) manufacturers to integrate with DiGA API endpoints for code validation and billing.
https://github.com/alex-therapeutics/diga-api-client
Apache License 2.0

sendTestCodeValidationRequest results in Http request failed #109

Closed yvesonline closed 1 year ago

yvesonline commented 1 year ago

Problem

I'm trying to use sendTestCodeValidationRequest but it results in an `ERROR com.alextherapeutics.diga.implementation.DigaOkHttpClient - Http request failed` with `javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca`.

I'm initialising the client as described but when I try to send a test code validation request like this:

```java
DigaCodeValidationResponse testCodeValidationResponse = null;
try {
  testCodeValidationResponse = apiClient.sendTestCodeValidationRequest(
    DigaApiTestCode.VALID, "BY"
  );
} catch (DigaXmlWriterException e) {
  e.printStackTrace();
}
if (testCodeValidationResponse != null) {
  System.out.println(testCodeValidationResponse.getHttpStatusCode());
  System.out.println(testCodeValidationResponse.toString());
}
```

I've got the latest mappings.xml from https://kkv.gkv-diga.de/ and my key store includes the latest annahme-rsa4096.key but the unknown_ca somehow suggests something is wrong with my SSL setup.

I'm a bit lost and out of pointers how to continue debugging, it's probably something very simple.

Any ideas?

I receive the following error, and status code and response in System.out.println are empty:

Full log:

```bash
18:27:34.193 [main] WARN nl.altindag.ssl.util.KeyStoreUtils - No system KeyStores available for [linux]
18:27:35.012 [main] DEBUG nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager - Received the following server certificate: [CN=*.bitmarck-daten.de]
18:27:35.152 [main] ERROR com.alextherapeutics.diga.implementation.DigaOkHttpClient - Http request failed
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
    at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
    at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
    at com.alextherapeutics.diga.implementation.DigaOkHttpClient.post(DigaOkHttpClient.java:69)
    at com.alextherapeutics.diga.DigaApiClient.performCodeValidation(DigaApiClient.java:225)
    at com.alextherapeutics.diga.DigaApiClient.sendTestCodeValidationRequest(DigaApiClient.java:152)
    at io.unahealth.digaapi.DigaapiApplication.main(DigaapiApplication.java:77)
18:27:35.154 [main] ERROR com.alextherapeutics.diga.DigaApiClient - Failed to validate DiGA code 77AAAAAAAAAAAAAX
com.alextherapeutics.diga.DigaHttpClientException: Diga Http Client error
    at com.alextherapeutics.diga.implementation.DigaOkHttpClient.post(DigaOkHttpClient.java:79)
    at com.alextherapeutics.diga.DigaApiClient.performCodeValidation(DigaApiClient.java:225)
    at com.alextherapeutics.diga.DigaApiClient.sendTestCodeValidationRequest(DigaApiClient.java:152)
    at io.unahealth.digaapi.DigaapiApplication.main(DigaapiApplication.java:77)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
    at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
    at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
    at com.alextherapeutics.diga.implementation.DigaOkHttpClient.post(DigaOkHttpClient.java:69)
    ... 3 common frames omitted
0
DigaCodeValidationResponse(validatedDigaCode=null, validatedDigaveid=null, dayOfServiceProvision=null)
18:27:35.463 [restartedMain] WARN nl.altindag.ssl.util.KeyStoreUtils - No system KeyStores available for [linux]
18:27:35.745 [restartedMain] DEBUG nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager - Received the following server certificate: [CN=*.bitmarck-daten.de]
18:27:35.865 [restartedMain] ERROR com.alextherapeutics.diga.implementation.DigaOkHttpClient - Http request failed
java.net.SocketException: Broken pipe
    at java.base/sun.nio.ch.NioSocketImpl.implWrite(NioSocketImpl.java:420)
    at java.base/sun.nio.ch.NioSocketImpl.write(NioSocketImpl.java:440)
    at java.base/sun.nio.ch.NioSocketImpl$2.write(NioSocketImpl.java:826)
    at java.base/java.net.Socket$SocketOutputStream.write(Socket.java:1035)
    at java.base/sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:271)
    at java.base/sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:89)
    at java.base/sun.security.ssl.CertificateVerify$T12CertificateVerifyProducer.produce(CertificateVerify.java:773)
    at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440)
    at java.base/sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
    at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
    at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
    at com.alextherapeutics.diga.implementation.DigaOkHttpClient.post(DigaOkHttpClient.java:69)
    at com.alextherapeutics.diga.DigaApiClient.performCodeValidation(DigaApiClient.java:225)
    at com.alextherapeutics.diga.DigaApiClient.sendTestCodeValidationRequest(DigaApiClient.java:152)
    at io.unahealth.digaapi.DigaapiApplication.main(DigaapiApplication.java:77)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49)
18:27:35.866 [restartedMain] ERROR com.alextherapeutics.diga.DigaApiClient - Failed to validate DiGA code 77AAAAAAAAAAAAAX
com.alextherapeutics.diga.DigaHttpClientException: Diga Http Client error
    at com.alextherapeutics.diga.implementation.DigaOkHttpClient.post(DigaOkHttpClient.java:79)
    at com.alextherapeutics.diga.DigaApiClient.performCodeValidation(DigaApiClient.java:225)
    at com.alextherapeutics.diga.DigaApiClient.sendTestCodeValidationRequest(DigaApiClient.java:152)
    at io.unahealth.digaapi.DigaapiApplication.main(DigaapiApplication.java:77)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49)
Caused by: java.net.SocketException: Broken pipe
    at java.base/sun.nio.ch.NioSocketImpl.implWrite(NioSocketImpl.java:420)
    at java.base/sun.nio.ch.NioSocketImpl.write(NioSocketImpl.java:440)
    at java.base/sun.nio.ch.NioSocketImpl$2.write(NioSocketImpl.java:826)
    at java.base/java.net.Socket$SocketOutputStream.write(Socket.java:1035)
    at java.base/sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:271)
    at java.base/sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:89)
    at java.base/sun.security.ssl.CertificateVerify$T12CertificateVerifyProducer.produce(CertificateVerify.java:773)
    at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440)
    at java.base/sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
    at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
    at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
    at com.alextherapeutics.diga.implementation.DigaOkHttpClient.post(DigaOkHttpClient.java:69)
    ... 8 common frames omitted
0
DigaCodeValidationResponse(validatedDigaCode=null, validatedDigaveid=null, dayOfServiceProvision=null)
```
fongie commented 1 year ago

Hi! It does indeed look like your SSL/certificates setup is not working, and not like an issue with the client itself. What are the nl.altindag.ssl.util packages? I don't think they're in this project, which indicates to me that you're using some other method than the one described in the README.

That is totally fine, but I recommend re-reading the prerequisites here: https://github.com/alex-therapeutics/diga-api-client#prerequisites and to try to generate the certificates file with the secon-keystore-generator first even if you want to use your own solution in the long run. If the generator works, you know what to shoot for with your own implementation/keystore builders and you can also check out the source code for how the keystore is built in that project to have an idea of how to build your own.

Getting the certificates to work is definitely the most difficult and annoying part of getting this to work, but once you do it's usually smooth sailing, so don't give up! And thanks for trying out this project :)

yvesonline commented 1 year ago

Thanks @fongie !

This is odd, I did use the secon-keystore-generator exactly the way as described here. Is there any way to check that the public certificates were added correctly?

For the mappings, I reckon the changes described here are not necessary anymore with the v3 issue? I'm using the 1.2.5-v3-xml tag.

Re the nl.altindag.ssl.util packages, I have no clue, I was expecting those to be from this package 😅 I'll need to investigate.

UPDATE: @fongie , I see that nl.altindag.ssl is from sslcontext-kickstart which is mentioned as a dependency in pom.xml, is this not expected?

UPDATE 2: Just inspected the keystore and that looks ok too:

```bash
$ keytool -list -v -keystore keystore.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 62 entries

Alias name: ik100395611
[...]
```

There are also entries for BITMARCK Service GmbH which I assume is responsible for [CN=*.bitmarck-daten.de].

UPDATE 3: What I realise is that my public key is not in there under the IK... alias, just under the private. Should my public key also be in the keystore under an alias IK<my IK number>?

fongie commented 1 year ago

Hi! Sorry for the altindag package thing, I thought I checked my dependencies and couldn't find that, but it makes sense that it's from the SSL dependency.

It's true that you don't need to make the xml schema changes, I just tried with the latest mapping file and it works for me out of the box.

As for the certificates, I just inspected mine. We do not have our public key in there, but I'm suspicious of this log message of yours No system KeyStores available for [linux]. What is your "alias" for your private key in your keystore? Mine is

```bash
Aliasnamn: private
Skapat den: 19 jan. 2022
```

(for some reason keytool localizes the text, but it says "Alias name")

If your alias is linux then that might make sense as the diga client expects it to be called private. The alias name should be named "private" automatically if you used the command suggested in the keystore generator readme, but could you double check?

Edit: Actually, never mind, we shouldn't be using the system keystore anyway.

fongie commented 1 year ago

Looking into it some more @yvesonline , I think a good place to start is to check how the ssl context is loaded for you.

If you put a debug breakpoint on DigaOkHttpClient#133 (client = ...) and run your code, you can inspect the sslFactory variable.

sslFactory->sslMaterial->keyManager should have:

How does that look for you?

yvesonline commented 1 year ago

Thanks @fongie .

This all looks OK to me, see the following screenshot:

I replayed the keystore creation and saw that some certificates were skipped, maybe that's an issue?

I do the following:

```bash
$ java -jar secon-keystore-generator-0.1.1.jar -k annahme-rsa4096.key -s keystore2.p12 -p 123456789.prv.key.pem -c 12345678.p7c --debug
Enter password for key store:
No IK in certificate subject: O=Datenaustausch im Gesundheits- und Sozialwesen,C=DE
No IK in certificate subject: O=ITSG TrustCenter fuer sonstige Leistungserbringer,C=DE
No IK in certificate subject: O=ITSG TrustCenter fuer sonstige Leistungserbringer,C=DE
No IK in certificate subject: O=Datenaustausch im Gesundheits- und Sozialwesen,C=DE
No IK in certificate subject: O=ITSG TrustCenter fuer sonstige Leistungserbringer,C=DE
Warning: Unable to load 5 certificate(s).
Add certificate for IK108310400 to key store
[...]
```

That log is coming from here, is this expected?

fongie commented 1 year ago

I think it all looks correct. When did you receive your private certificate? Sometimes in the past it has taken ITSG and the insurances a while to update their keystores, as discussed in this issue #64

If you received it recently, I would wait a bit and try again in a week or so. If not, then I'm afraid I'm short on ideas right now on what it could be :/

yvesonline commented 1 year ago

Oh then I better hold my horses, we've received the certificate just last Wednesday!

I'll close the issue for now and hopefully when I test again next week it'll be solved.

Thanks for all the help!

yvesonline commented 1 year ago

Hi @fongie ! It's been more than two weeks since our certificates have been issued and unfortunately we're still seeing this error. Any idea how we can further debug this?

yvesonline commented 1 year ago

@fongie I've tried this on the command line but I'm hitting the same issue here, always getting an unknown ca error.

Just to sense check, is the following correct?

My XML file looks like this:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Pruefung_Freischaltcode xmlns="http://www.gkv-datenaustausch.de/XML-Schema/EDFC0_Pruefung/3.0" version="003.000.000" gueltigab="2022-08-25" verfahrenskennung="TDFC0" nachrichtentyp="ANF" absender="580200104" empfaenger="108035576">
    <Anfrage>
        <IK_DiGA_Hersteller>580200104</IK_DiGA_Hersteller>
        <IK_Krankenkasse>108035576</IK_Krankenkasse>
        <DiGAID>12345</DiGAID>
        <Freischaltcode>77AAAAAAAAAAAAAX</Freischaltcode>
    </Anfrage>
</Pruefung_Freischaltcode>
```

And then I send this using HTTPie like this:

```bash
cat temp.xml | http --ssl=tls1.2 --cert=pub.certs.pem --cert-key=prv.key.pem --verbose POST https://diga.bitmarck-daten.de
```

Where:

This comes back with:

```bash
http: error: SSLError: HTTPSConnectionPool(host='diga.bitmarck-daten.de', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1129)'))) while doing a POST request to URL: https://diga.bitmarck-daten.de/
```

Or do I need to provide the CA certs somehow? If yes, in which format? Anything else I'm missing? Trying to isolate the problem at the moment.

fongie commented 1 year ago

Hi @yvesonline ! I tried httpie with my keys:

```bash
http --cert=cert.pem --ssl=tls1.2 --cert-key=MY_IK.prv.key.pem -f POST https://diga.bitmarck-daten.de/diga
```

This returns "Bad request" because it also needs form data and the encrypted XML request, but it passes the ssl handshake which is what you want.

where:

- cert.pem is the file you get if you run `openssl pkcs7 -in test.p7c -inform der -print_certs -out cert.pem` on the p7c you received from ITSG
- MY_IK.prv.key.pem is your private key

If this still fails for you, then there's something wrong with your certificate or key. If it passes with Bad Request, then you should try the secon-keystore-generator and the library again :)

yvesonline commented 1 year ago

Thanks @fongie !

It turns out that the ITSG changed the root CA from where they issue certificates in late 2021.

The URL for the new root CA is diga2.bitmarck-daten.de.

I've changed my mappings.xml like this: `sed -i 's/diga\.bitmarck-daten\.de/diga2\.bitmarck-daten\.de/' mappings.xml` and now it is working 🎉

A final question, Bitmarck mentioned the URL https://diga2.bitmarck-daten.de/diga but I understand that the /diga will be appended by the library, correct?

fongie commented 1 year ago

Ah I see, great! Yes, the client adds the endpoint (/diga) and the protocol (https)
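The thread's diagnosis, pulled together as a script. This is an added example, not code from the diga-api-client project or from either participant, and it assumes only a POSIX shell and the openssl CLI. The security-relevant point: an `unknown_ca` alert is sent by the server, not the client, when the server cannot chain the client certificate it has just received to any CA in its own trust store (the second trace above shows the same failure as a Broken pipe while the client is still producing CertificateVerify, i.e. right after it sent its certificate). So the two facts to establish are which CA issued your certificate and whether the endpoint you are talking to trusts that CA. The script builds a throwaway PKI with two self-signed roots standing in for the old and the new ITSG root (all names are made up), issues a client certificate under the new root, wraps it in a DER PKCS#7 file the way ITSG delivers certificates, extracts it with the `openssl pkcs7` command from the comment above, and shows that a verifier trusting only the old root answers `unknown_ca` while one trusting the new root accepts it. The last function prints the CA names a real server lists in its TLS CertificateRequest; it needs network access and is not called here.

```shell
#!/bin/sh
# Added example, not part of diga-api-client. Needs: POSIX sh, openssl CLI.
# unknown_ca is the SERVER saying it could not chain our client certificate to
# a CA it trusts. Establish (1) who issued my certificate and (2) whether the
# server trusts that issuer: chains_to answers (2) locally against a CA file,
# server_client_cas answers it against a live endpoint.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed throwaway PKI (all names are assumptions) -------------------
# mk_root <name> <subject>: self-signed root CA
mk_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}
mk_root old_root "/O=Old Trust Center/C=DE"   # what the old endpoint trusts
mk_root new_root "/O=New Trust Center/C=DE"   # what the new endpoint trusts

# client certificate issued by the NEW root (the situation in this thread)
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
  -out "$WORK/client.csr" -subj "/O=Example DiGA GmbH/CN=IK000000000/C=DE" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/client.csr" \
  -CA "$WORK/new_root.pem" -CAkey "$WORK/new_root.key" -CAcreateserial \
  -out "$WORK/client.pem" >/dev/null 2>&1

# bundle it as DER PKCS#7, the .p7c form the certificate is delivered in
openssl crl2pkcs7 -nocrl -certfile "$WORK/client.pem" -outform DER \
  -out "$WORK/client.p7c"

# --- checks ------------------------------------------------------------------
# certs_from_p7c <file.p7c> <out.pem>: the conversion used in the thread
certs_from_p7c() {
  openssl pkcs7 -in "$1" -inform der -print_certs -out "$2"
}

# issuer_of <cert.pem>: the DN that must appear in the server's accepted-CA list
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# chains_to <ca.pem> <cert.pem>: "ok" if the cert verifies against that CA,
# "unknown_ca" otherwise, which is what a server trusting only that CA sends
chains_to() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo unknown_ca
  fi
}

# server_client_cas <host:port>: CA names the server sends in its TLS
# CertificateRequest. Needs network, so it is not run here; compare its output
# with issuer_of on your own certificate.
server_client_cas() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
    sed -n '/Acceptable client certificate CA names/,/^---/p'
}

main() {
  certs_from_p7c "$WORK/client.p7c" "$WORK/cert.pem"
  echo "issuer of my client cert : $(issuer_of "$WORK/cert.pem")"
  echo "server trusting old root : $(chains_to "$WORK/old_root.pem" "$WORK/cert.pem")"
  echo "server trusting new root : $(chains_to "$WORK/new_root.pem" "$WORK/cert.pem")"
}
main
```

To apply it to the real endpoints, run `issuer_of` on the cert.pem you extracted from your own .p7c and `server_client_cas diga.bitmarck-daten.de:443` and `server_client_cas diga2.bitmarck-daten.de:443`; the endpoint whose list contains your issuer is the one your mappings.xml has to point at.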