link-it / govpay

Access gateway to the pagoPA system
GNU General Public License v3.0

New connectivity and station unreachable #673

Closed tizianatinnirello closed 5 months ago

tizianatinnirello commented 6 months ago

Reference system: WildFly 26.1.3, OpenJDK Red_Hat-11.0.21.0.9-1, MariaDB 10.9

Test environment updated to the new connectivity and working 100% until ..... until 8/1, when I realise something is wrong. Of course PagoPA now wants the full certificate chain to be exposed, and so far so good.

The problem is that I cannot make a payment from the checkout UAT environment.

openssl s_client -connect mioserver.it:9443 -showcerts

I get:

depth=2 C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com Root Certification Authority RSA
verify return:1
depth=1 C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com RSA SSL subCA
verify return:1
depth=0 CN = mioserver.it
verify return:1

Certificate chain
 0 s:CN = mioserver.it
   i:C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com RSA SSL subCA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 06:01:40 2023 GMT; NotAfter: Oct  2 06:01:40 2024 GMT

my certificate, the CA's and the root, and then:

Server certificate
subject=CN = mioserver.it
issuer=C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com RSA SSL subCA

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 5485 bytes and written 419 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: SESSIONID.........
    Session-ID-ctx:
    Master-Key: MASTERKEY.......
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1705475023
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

The keystore and truststore were created like this:

openssl pkcs12 -export -in mioserver_it.pem -inkey private.key -name "mioserver.it" -out mioserver.p12

keytool -importkeystore -srckeystore mioserver.p12 -srcstoretype PKCS12 -alias "mioserver.it" -destkeystore /opt/wildfly/standalone/configuration/server.keystore -storepass MIAPASSWORD -deststoretype jks

keytool -import -noprompt -file SSL_COM_ROOT_CERTIFICATION_AUTHORITY_RSA.crt -trustcacerts -alias CA -keystore /opt/wildfly/standalone/configuration/server.truststore -storepass MIAPASSWORD -deststoretype JKS

keytool -import -noprompt -file SSL_COM_RSA_SSL_SUBCA.crt -trustcacerts -alias CA_ROOT -keystore /opt/wildfly/standalone/configuration/server.truststore -storepass MIAPASSWORD -deststoretype JKS

keytool -import -noprompt -file forwarder.uat.platform.pagopa.it.pem -trustcacerts -alias "forwarder.uat.platform.pagopa.it" -keystore /opt/wildfly/standalone/configuration/server.truststore -storepass MIAPASSWORD -deststoretype JKS

govpay_root.log:

DEBUG | org.springframework.security.web.FilterChainProxy:222 | Securing POST /PagamentiTelematiciCCPservice
DEBUG | org.springframework.security.web.context.SecurityContextPersistenceFilter:109 Set SecurityContextHolder to empty SecurityContext
DEBUG | org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter:139 | Authenticating null
DEBUG | org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter:50 | No client certificate found in request.
DEBUG | org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter:191 No pre-authenticated principal found in request

standalone.xml file:

    <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
        <buffer-cache name="default"/>
        <server name="default-server">
            <https-listener name="https-pagopa" socket-binding="https-pagopa" ssl-context="pagopaSslContext" enable-http2="true"/>
            <http-listener name="default" socket-binding="http" redirect-socket="https-pagopa" enable-http2="true"/>
            <host name="default-host" alias="localhost">
                <location name="/" handler="welcome-content"/>
                <http-invoker http-authentication-factory="application-http-authentication"/>
            </host>
        </server>
        <servlet-container name="default">
            <jsp-config/>
            <websockets/>
        </servlet-container>
        <handlers>
            <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
        </handlers>
        <application-security-domains>
            <application-security-domain name="other" security-domain="ApplicationDomain"/>
        </application-security-domains>
    </subsystem>

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="https-pagopa" port="${jboss.https.port:9443}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
    </outbound-socket-binding>
</socket-binding-group>

On the pagoPA side they replied (but I already expected it ....): "In the tests you ran from checkout, the Response to paVerifyPaymentNotice is the following { "categoria": "AUTORIZZAZIONE", "codice": "401", "descrizione": "Autenticazione richiesta.", "dettaglio": "Full authentication is required to access this resource" } We ran tests on our side on the calls to the endpoint you expose (https://mioserver.it:9443/govpay/frontend/api/pagopa/PagamentiTelematiciRTservice). If we send our client certificate when calling you, we get a connectivity error"

I must have rechecked it a million times. Where am I going wrong?
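The two symptoms quoted in this report point at the same thing: the `openssl s_client` output says `No client certificate CA names sent`, meaning the server never sent a CertificateRequest during the handshake, and Spring's `X509AuthenticationFilter` then logs `No client certificate found in request.` because no certificate could have reached the servlet request. The helper below, an added diagnostic that is not part of govpay and not from the issue author, reads both artefacts from captured files and classifies the situation; it assumes you have saved the `s_client` output and `govpay_root.log` to files (the names used are placeholders), and the sample inputs it builds are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added diagnostic helper (not govpay code, not from the issue author).
# Assumption: the handshake output was captured with something like
#   openssl s_client -connect mioserver.it:9443 -showcerts </dev/null >sclient.txt 2>&1
# and the application log is readable. File names are placeholders.

# Did the server ask the client for a certificate during the TLS handshake?
# A listener configured for mutual TLS sends a CertificateRequest, which
# s_client prints as "Acceptable client certificate CA names" followed by the
# issuers it trusts; a server-only TLS listener prints
# "No client certificate CA names sent" instead.
client_cert_requested() {
    if grep -q '^Acceptable client certificate CA names' "$1"; then
        echo requested
    elif grep -q '^No client certificate CA names sent' "$1"; then
        echo not-requested
    else
        echo unknown
    fi
}

# The same fact seen from the application: Spring Security's
# X509AuthenticationFilter logs this line when the servlet request carries
# no X509Certificate attribute at all.
spring_saw_client_cert() {
    if grep -q 'X509AuthenticationFilter.*No client certificate found in request' "$1"; then
        echo no
    else
        echo yes
    fi
}

# Combine both views. When the handshake never requested a certificate, the
# application cannot have received one, so the listener (not the truststore
# contents or the Spring configuration) is the place to look first.
diagnose() {
    tls=$(client_cert_requested "$1")
    app=$(spring_saw_client_cert "$2")
    if [ "$tls" = not-requested ] && [ "$app" = no ]; then
        echo listener-not-mtls
    elif [ "$tls" = requested ] && [ "$app" = no ]; then
        echo cert-rejected-or-not-forwarded
    else
        echo other
    fi
}

# Constructed samples modelled on the output quoted in the issue.
SCLIENT_SAMPLE=$(mktemp); LOG_SAMPLE=$(mktemp); MTLS_SAMPLE=$(mktemp)
trap 'rm -f "$SCLIENT_SAMPLE" "$LOG_SAMPLE" "$MTLS_SAMPLE"' EXIT
cat > "$SCLIENT_SAMPLE" <<'EOF'
Server certificate
subject=CN = mioserver.it
issuer=C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com RSA SSL subCA
---
No client certificate CA names sent
Peer signing digest: SHA256
Verify return code: 0 (ok)
EOF
cat > "$LOG_SAMPLE" <<'EOF'
DEBUG | org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter:50 | No client certificate found in request.
EOF
# Constructed contrast: what s_client prints against a listener that does
# request a client certificate and trusts the SSL.com intermediate.
cat > "$MTLS_SAMPLE" <<'EOF'
---
Acceptable client certificate CA names
C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com RSA SSL subCA
Client Certificate Types: RSA sign, ECDSA sign
---
EOF

echo "issue sample:      $(diagnose "$SCLIENT_SAMPLE" "$LOG_SAMPLE")"
echo "mutual-TLS sample: $(client_cert_requested "$MTLS_SAMPLE")"
```

Run it as-is to see the classification of the constructed samples, or point `diagnose` at your own captured files. Once the listener does send a CertificateRequest, repeating the `s_client` call with `-cert` and `-key` for the client certificate is the quickest way to confirm that the truststore entries imported above are the ones the server actually trusts.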

tizianatinnirello commented 5 months ago

Resolved by reinstalling WildFly 26.1.3