ksch-workflows / jfx-prototype

Mozilla Public License 2.0

Cannot connect to OpenMRS API without certification configuration #2

Open jmewes opened 6 years ago

jmewes commented 6 years ago

The libraries used for accessing the OpenMRS API refuse to connect to an API without a proper SSL certificate. A possible workaround is to download the certificate and register it in the Java keystore. This is kind of complicated and might cause problems later on.

$ java -jar ./build/jfx/app/project-jfx.jar
Exception in thread "JavaFX Application Thread" java.lang.RuntimeException: Error on attempt to do GET request on https://ksch/openmrs/ws/rest/v1/patient?identifier=Doe
    at com.experimental.openmrs.OpenMRS.get(OpenMRS.java:43)
    at com.experimental.openmrs.resources.PatientResource.findByNameOrId(PatientResource.java:17)
    at io.github.kschworkflows.services.PatientServiceImpl.findPatients(PatientServiceImpl.java:18)
    at io.github.kschworkflows.ui.RegistrationPage.<init>(RegistrationPage.java:23)
Caused by: com.mashape.unirest.http.exceptions.UnirestException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:143)
    at com.mashape.unirest.request.BaseRequest.asJson(BaseRequest.java:68)
    at com.experimental.openmrs.OpenMRS.get(OpenMRS.java:40)
    ... 48 more
jmewes commented 6 years ago

Here is a description of the workaround: https://myshittycode.com/2015/12/17/java-https-unable-to-find-valid-certification-path-to-requested-target-2/

With this command the certificate can be registered in the keystore:

JDK 9:

sudo keytool -import -trustcacerts -file $CRT_FILE -alias google -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

JDK 8:

sudo keytool -import -trustcacerts -file $CRT_FILE -alias google -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
jmewes commented 6 years ago

For a Bahmni installation without a valid certificate on Digital Ocean even this workaround doesn't work out:

Caused by: com.mashape.unirest.http.exceptions.UnirestException: javax.net.ssl.SSLPeerUnverifiedException: Host name '207.154.220.133' does not match the certificate subject provided by the peer (EMAILADDRESS=root@centos-8gb-fra1-01, CN=centos-8gb-fra1-01, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--)
    at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:143)
    at com.mashape.unirest.request.BaseRequest.asJson(BaseRequest.java:68)
    at com.experimental.openmrs.OpenMRS.get(OpenMRS.java:40)
    ... 49 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name '207.154.220.133' does not match the certificate subject provided by the peer (EMAILADDRESS=root@centos-8gb-fra1-01, CN=centos-8gb-fra1-01, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--)
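As an added example (not code from the jfx-prototype project or from jmewes), the keytool workaround above can be done without touching the JDK's cacerts or using sudo: load the server's PEM certificate into a dedicated in-memory truststore and hand it to the Unirest 1.x / Apache HttpClient stack that the traces show the app using. The class name and the PEM path are assumptions. Hostname verification stays on, so the mismatch in the last comment (the client connects to an IP address that the certificate subject does not cover) still has to be fixed by issuing the server a certificate whose subject alternative names include the host the client actually uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients;
import com.mashape.unirest.http.Unirest;

// Hypothetical helper class; not part of the jfx-prototype project.
public final class OpenMrsTrust {

    /**
     * Builds an SSLContext that trusts exactly one certificate: the OpenMRS
     * server's own (self-signed) cert read from a PEM file. Nothing under
     * $JAVA_HOME is modified and no sudo is needed.
     */
    public static SSLContext contextTrusting(String pemPath) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(pemPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Empty in-memory truststore containing only the server certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("openmrs-server", cert);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Wires the truststore into Unirest; the default hostname verifier is kept. */
    public static void installInUnirest(String pemPath) throws Exception {
        // The URL host (name or IP) must still be covered by the certificate's SAN,
        // which is the check that produced the SSLPeerUnverifiedException above.
        HttpClient client = HttpClients.custom()
                .setSSLContext(contextTrusting(pemPath))
                .build();
        Unirest.setHttpClient(client);
    }
}
```

Call `OpenMrsTrust.installInUnirest("/path/to/openmrs-server.pem")` (path assumed) once at startup, before the first `Unirest` request.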