phax / phoss-smp

phoss SMP - a Peppol and OASIS BDXR SMP Server, CEF eDelivery compliant

Cannot talk to SMK/SML due to certificate issue #270

Closed javidnoutash closed 7 months ago

javidnoutash commented 7 months ago

Problem

Communication with the SMK/SML fails when trying to register the SMP, delete the SMP, create service groups, etc., with the following error:

TL;DR: HTTP transport error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[2024-02-13T06:10:58,871] [SMP-SERVER] [INFO ] [http-nio-8080-exec-10] Trying to create new SMP 'SMP-XTRACTA' with physical address '<IP_ADDRESS>' and logical address 'http://<HOSTNAME>' -- com.helger.peppol.smlclient.ManageServiceMetadataServiceCaller.create(ManageServiceMetadataServiceCaller.java:185)
JAXP: find factoryId =javax.xml.stream.XMLInputFactory
MailcapCommandMap: load HOME
MailcapRegistry: can't load from file - /root/.mailcap; Exception: java.io.FileNotFoundException: /root/.mailcap (No such file or directory)
MailcapCommandMap: load SYS
MailcapRegistry: can't load from file - /opt/java/openjdk/conf/mailcap; Exception: java.io.FileNotFoundException: /opt/java/openjdk/conf/mailcap (No such file or directory)
MailcapCommandMap: load JAR
MailcapCommandMap: getResources
MailcapCommandMap: URL jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/angus-mail-2.0.2.jar!/META-INF/mailcap
MailcapCommandMap: successfully loaded mailcap file from URL: jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/angus-mail-2.0.2.jar!/META-INF/mailcap
MailcapCommandMap: load DEF
MailcapCommandMap: successfully loaded mailcap file: /META-INF/mailcap.default
MailcapCommandMap: add to PROG
MailcapCommandMap: add to PROG
MailcapCommandMap: add to PROG
MailcapCommandMap: add to PROG
JAXP: find factoryId =javax.xml.stream.XMLInputFactory
[2024-02-13T06:11:00,848] [SMP-SERVER] [WARN ] [http-nio-8080-exec-10] Technical details -- com.helger.phoss.smp.ui.SMPCommonUI.getTechnicalDetailsUI(SMPCommonUI.java:380)
com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:103) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:209) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:131) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:111) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1106) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1020) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:989) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:847) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.client.Stub.process(Stub.java:431) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:160) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:62) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:132) ~[jaxws-rt-4.0.2.jar:4.0.2]
    at jdk.proxy3/jdk.proxy3.$Proxy53.create(Unknown Source) ~[?:?]
    at com.helger.peppol.smlclient.ManageServiceMetadataServiceCaller.create(ManageServiceMetadataServiceCaller.java:193) ~[peppol-sml-client-9.1.3.jar:9.1.3]
    at com.helger.peppol.smlclient.ManageServiceMetadataServiceCaller.create(ManageServiceMetadataServiceCaller.java:157) ~[peppol-sml-client-9.1.3.jar:9.1.3]
    at com.helger.phoss.smp.ui.secure.PageSecureSMLRegCreate._registerSMPtoSML(PageSecureSMLRegCreate.java:164) ~[phoss-smp-webapp-7.1.0.jar:7.1.0]
    at com.helger.phoss.smp.ui.secure.PageSecureSMLRegCreate.fillContent(PageSecureSMLRegCreate.java:243) ~[phoss-smp-webapp-7.1.0.jar:7.1.0]
    at com.helger.phoss.smp.ui.secure.PageSecureSMLRegCreate.fillContent(PageSecureSMLRegCreate.java:58) ~[phoss-smp-webapp-7.1.0.jar:7.1.0]
    at com.helger.photon.uicore.page.AbstractWebPage.getContent(AbstractWebPage.java:162) ~[ph-oton-uicore-9.2.1.jar:9.2.1]
    at com.helger.photon.bootstrap4.uictrls.ext.BootstrapPageRenderer.getPageContent(BootstrapPageRenderer.java:133) ~[ph-oton-bootstrap4-uictrls-9.2.1.jar:9.2.1]
    at com.helger.photon.bootstrap4.uictrls.ext.BootstrapPageRenderer.getPageContent(BootstrapPageRenderer.java:160) ~[ph-oton-bootstrap4-uictrls-9.2.1.jar:9.2.1]
    at com.helger.phoss.smp.ui.secure.SMPRendererSecure.getContent(SMPRendererSecure.java:227) ~[phoss-smp-webapp-7.1.0.jar:7.1.0]
    at com.helger.phoss.smp.ui.SMPLayoutHTMLProvider.fillBody(SMPLayoutHTMLProvider.java:70) [phoss-smp-webapp-7.1.0.jar:7.1.0]
    at com.helger.photon.core.html.AbstractSWECHTMLProvider.fillHeadAndBody(AbstractSWECHTMLProvider.java:106) [ph-oton-core-9.2.1.jar:9.2.1]
    at com.helger.photon.core.html.AbstractHTMLProvider.createHTML(AbstractHTMLProvider.java:164) [ph-oton-core-9.2.1.jar:9.2.1]
    at com.helger.photon.app.html.PhotonHTMLHelper.createHTMLResponse(PhotonHTMLHelper.java:117) [ph-oton-app-9.2.1.jar:9.2.1]
    at com.helger.photon.core.servlet.AbstractApplicationXServletHandler.handleRequest(AbstractApplicationXServletHandler.java:102) [ph-oton-core-9.2.1.jar:9.2.1]
    at com.helger.phoss.smp.servlet.SMPApplicationXServletHandler.handleRequest(SMPApplicationXServletHandler.java:81) [phoss-smp-webapp-7.1.0.jar:7.1.0]
    at com.helger.xservlet.handler.simple.XServletHandlerToSimpleHandler.onRequest(XServletHandlerToSimpleHandler.java:241) [ph-xservlet-10.1.5.jar:10.1.5]
    at com.helger.xservlet.AbstractXServlet._invokeHandler(AbstractXServlet.java:355) [ph-xservlet-10.1.5.jar:10.1.5]
    at com.helger.xservlet.AbstractXServlet.service(AbstractXServlet.java:540) [ph-xservlet-10.1.5.jar:10.1.5]
    at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) [servlet-api.jar:6.0]
    at com.helger.xservlet.AbstractXServlet.service(AbstractXServlet.java:596) [ph-xservlet-10.1.5.jar:10.1.5]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) [catalina.jar:10.1.16]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) [catalina.jar:10.1.16]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) [tomcat-websocket.jar:10.1.16]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) [catalina.jar:10.1.16]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) [catalina.jar:10.1.16]
    at com.helger.web.servlets.scope.AbstractScopeAwareFilter.doHttpFilter(AbstractScopeAwareFilter.java:82) [ph-web-10.1.5.jar:10.1.5]
    at com.helger.servlet.filter.AbstractHttpServletFilter.doFilter(AbstractHttpServletFilter.java:66) [ph-servlet-10.1.5.jar:10.1.5]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) [catalina.jar:10.1.16]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) [catalina.jar:10.1.16]
    at com.helger.xservlet.AbstractXFilter.doHttpFilter(AbstractXFilter.java:190) [ph-xservlet-10.1.5.jar:10.1.5]
    at com.helger.servlet.filter.AbstractHttpServletFilter.doFilter(AbstractHttpServletFilter.java:66) [ph-servlet-10.1.5.jar:10.1.5]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) [catalina.jar:10.1.16]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) [catalina.jar:10.1.16]
    at com.helger.servlet.filter.CharacterEncodingFilter.doHttpFilter(CharacterEncodingFilter.java:184) [ph-servlet-10.1.5.jar:10.1.5]
    at com.helger.servlet.filter.AbstractHttpServletFilter.doFilter(AbstractHttpServletFilter.java:66) [ph-servlet-10.1.5.jar:10.1.5]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) [catalina.jar:10.1.16]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) [catalina.jar:10.1.16]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) [catalina.jar:10.1.16]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) [catalina.jar:10.1.16]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) [catalina.jar:10.1.16]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) [catalina.jar:10.1.16]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) [catalina.jar:10.1.16]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673) [catalina.jar:10.1.16]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [catalina.jar:10.1.16]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340) [catalina.jar:10.1.16]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) [tomcat-coyote.jar:10.1.16]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) [tomcat-coyote.jar:10.1.16]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) [tomcat-coyote.jar:10.1.16]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) [tomcat-coyote.jar:10.1.16]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) [tomcat-coyote.jar:10.1.16]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util.jar:10.1.16]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util.jar:10.1.16]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:10.1.16]
    at java.base/java.lang.Thread.run(Thread.java:840) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378) ~[?:?]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[?:?]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) ~[?:?]
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589) ~[?:?]
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1430) ~[?:?]
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1401) ~[?:?]
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:220) ~[?:?]
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:90) ~[jaxws-rt-4.0.2.jar:4.0.2]
    ... 67 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[?:?]
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
    at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) ~[?:?]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) ~[?:?]
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589) ~[?:?]
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1430) ~[?:?]
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1401) ~[?:?]
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:220) ~[?:?]
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:90) ~[jaxws-rt-4.0.2.jar:4.0.2]
    ... 67 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148) ~[?:?]
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129) ~[?:?]
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[?:?]
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
    at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) ~[?:?]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) ~[?:?]
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589) ~[?:?]
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1430) ~[?:?]
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1401) ~[?:?]
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:220) ~[?:?]
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:90) ~[jaxws-rt-4.0.2.jar:4.0.2]
    ... 67 more

What I have done

My Test SMP certificate hierarchy:

[Screenshot 2024-02-13 at 7 19 02 PM: certificate hierarchy]

My Setup

I have an nginx docker container working as reverse proxy, a phoss-smp docker container and an oxalis docker container for my AP.

My nginx.conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name <HOSTNAME>;

    ssl_certificate /etc/nginx/certs/web.pem;
    ssl_certificate_key /etc/nginx/certs/web.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    location /as4 {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_pass http://oxalis:8080/as4;
    }

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_http_version 1.1;

        proxy_pass http://phoss-smp:8080;
    }
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name <HOSTNAME>;
    server_name *.acc.edelivery.tech.ec.europa.eu;
    server_name *.edelivery.tech.ec.europa.eu;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_http_version 1.1;

        proxy_pass http://phoss-smp:8080;
    }
}

My docker-compose.yaml:

version: "3.8"
services:
  oxalis:
    image: "195185200629.dkr.ecr.ap-southeast-2.amazonaws.com/xtracta-oxalis:latest"
    container_name: oxalis
    volumes:
      - /data3/oxalis/conf:/oxalis/conf
      - /data3/oxalis/peppol/outbound:/oxalis/outbound
      - /data3/oxalis/peppol/inbound:/oxalis/inbound
    restart: unless-stopped

  phoss-smp:
    image: phelger/phoss-smp-xml:7.1.0
    container_name: phoss-smp
    volumes:
      - /data3/phoss-smp/config:/config
      - /data3/phoss-smp/logs:/usr/local/tomcat/logs
      - /data3/phoss-smp/data:/home/git/conf
    environment:
      - "CONFIG_FILE=/config/application.properties"
    restart: unless-stopped

  nginx:
    image: "nginx"
    container_name: nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/data3/nginx.conf:/etc/nginx/conf.d/default.conf"
      - "/data3/certs:/etc/nginx/certs"
    restart: unless-stopped
...

My application.properties:

#
# Copyright (C) 2015-2024 Philip Helger and contributors
# philip[at]helger[dot]com
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Global flags for initializer
# For production debug should be false and production should be true
global.debug = true
global.production = false
global.debugjaxws = false

## Directory client

pdclient.keystore.type         = ${smp.keystore.type}
pdclient.keystore.path         = ${smp.keystore.path}
pdclient.keystore.password     = ${smp.keystore.password}
pdclient.keystore.key.alias    = ${smp.keystore.key.alias}
pdclient.keystore.key.password = ${smp.keystore.key.password}

pdclient.truststore.type     = ${smp.truststore.type}
pdclient.truststore.path     = ${smp.truststore.path}
pdclient.truststore.password = ${smp.truststore.password}

# SMP client

smpclient.truststore.type     = ${smp.truststore.type}
smpclient.truststore.path     = ${smp.truststore.path}
smpclient.truststore.password = ${smp.truststore.password}

https.hostname-verification.disabled = true

# Central directory where the data should be stored.
# This should be an absolute path in production
# Make sure write access is granted to this directory
webapp.datapath = /home/git/conf

# Should all files of the application checked for readability?
# This should only be set to true when datapath is a relative directory inside a production version
webapp.checkfileaccess = true

# Is it a test version? E.g. a separate header is shown
webapp.testversion = true

# Use slow, but fancy dynamic table on the start page?
webapp.startpage.dynamictable = false

# Participant list is enabled by default
webapp.startpage.participants.none = false

# Don't show content of extensions by default on start page
webapp.startpage.extensions.show = false

# The name of the Directory implementation
webapp.directory.name = Peppol Directory

# Don't show content of extensions by default in service groups
webapp.servicegroups.extensions.show = false

# Should the error details of failed logins be shown?
webapp.security.login.errordetails = true

# Should the /public part show a login
webapp.public.login.enabled = true

# Should the application name and version be shown on the /public part?
webapp.public.showappname = true

# Should the link to the source be shown on the /public part?
webapp.public.showsource = true

# Should the author be shown on the /public part?
webapp.public.showauthor = true

# Configure an imprint on the UI
webapp.imprint.enabled = false
webapp.imprint.text = Responsible person
webapp.imprint.href = https://www.google.com
webapp.imprint.target = _blank
webapp.imprint.cssclasses = mx-3 badge badge-primary

# Content Security Policy
csp.enabled = true
csp.reporting.only = false
csp.reporting.enabled = true

# The backend to be used. Can either be "sql" or "xml" or "mongodb". Any other value will result in a startup error
smp.backend = xml

## Keystore data

# Type (JKS or PKCS12)
smp.keystore.type          = pkcs12
# The path should be absolute for docker configuration
# Put the .p12 file in the same directory as this file (depends on the docker config)
smp.keystore.path         = /config/smp_test_cert.p12
smp.keystore.password     = *********
smp.keystore.key.alias    = cert
smp.keystore.key.password = *********

# This default truststore handles the Peppol PKIs
smp.truststore.type     = pkcs12
smp.truststore.path     = /config/smp_test_cert.p12
smp.truststore.password = *********

# Force all paths (links) to be "/" instead of the context path
# This is helpful if the web application runs in a context like "/smp" but is proxied to a root path
#smp.forceroot = false

# If this property is specified, it will overwrite the automatically generated URL
# for all cases where absolute URLs are necessary
# This might be helpful when running on a proxied Tomcat behind a web server
smp.publicurl = http://<HOSTNAME>

# Is an SML needed in the current scenario - show warnings if true
sml.required=true
sml.active=true

## Write to SML? true or false
sml.enabled=true

# The SMP ID also used in the SML!
sml.smpid=SMP-XTRACTA

# SML connection timeout milliseconds
#sml.connection.timeout.ms = 5000

# SML request timeout milliseconds
#sml.request.timeout.ms = 20000

# Enable Directory integration?
smp.directory.integration.enabled=true

# Use PEPPOL identifiers (with all constraints) or simple, unchecked identifiers?
# Possible values are "peppol", "simple" and "bdxr"
smp.identifiertype=peppol

# Define the type of the REST interface. Use this to switch between PEPPOL and BDXR
# return XMLs. Possible values are "peppol" and "bdxr"
smp.rest.type=peppol

# Log exceptions occurring in the REST API that are returned as HTTP errors?
smp.rest.log.exceptions=true

# Add payload to HTTP responses in case of REST API errors?
smp.rest.payload.on.error=true

# The time zone to be used
#smp.timezone = Europe/Vienna

# http/https Proxy settings
#http.proxyHost = <HOSTNAME>
#http.proxyPort = 80
#https.proxyHost = <HOSTNAME>
#https.proxyPort = 443
# Credentials for the proxy server (if needed)
#proxy.username =
#proxy.password =

Any ideas why I am getting the error above?

phax commented 7 months ago

Wow, that's how you create an issue :)

So you are running phoss SMP 7.1.0 - good.

First thing, mainly as a background information - you don't need the external page on peppol.helger.com to register your SMP. This is built-in under "Administration | SML | Register at SML". In that case you don't need to upload the certificate anywhere.

Your main problem is the Peppol certificate configuration. Please check the following: a) Does the "Certificate Information" page show 4 green ticks like this? [screenshot]

b) Have you made sure that you selected the SMK (using the domain with acc. for acceptance in it) and not the SML? With the Peppol test certificate you can only access the SMK but not the SML.

c) And this is the most likely case - you fiddled with the trust store :) Please don't build your own truststore, as it will most likely not contain the certificates for SMK, SML and Directory :) For testing please use this:

smp.truststore.type     = jks
smp.truststore.path     = truststore/2018/smp-pilot-truststore.jks
smp.truststore.password = peppol

The trust store is built into the application, as it only contains trusted certificates and is therefore public.

Good luck :)

javidnoutash commented 7 months ago

Thanks for the quick reply!

You are right. The issue was with the truststore. I was not sure where to get it from (I could have overlooked it in the documentation), so I used my SMP certificate as my truststore as well.

Setting the truststore config to what you mentioned above helped.

javidnoutash commented 7 months ago

@phax, re-opening this issue to bring this to your attention:

[Screenshot 2024-02-14 at 5 01 56 PM: certificate expiry warning]

phax commented 7 months ago

Yes, thanks, that is a known issue. The default trust store of version 7.1.0 contains certificates that expire soon/are already expired. This will be fixed with update 7.1.1. This has NO negative impact, as the updated certificate is already contained - it's an old SML root CA.
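As an added example (not code from phoss-smp or from the participants in this issue), the following Python script reproduces the two situations discussed above: the PKIX path-building failure in c), where the SMP's own certificate was reused as the trust store, and the "expiring trust anchor" condition from the last comment. It builds a constructed toy PKI with the `cryptography` package and runs a minimal PKIX-style path builder against both trust stores; all names and certificates are constructed stand-ins, not Peppol material.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 2, 13, 6, 11, tzinfo=dt.timezone.utc)  # constructed clock
JDK_MSG = "unable to find valid certification path to requested target"


class PathBuildingError(Exception):
    pass


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(cn, key, issuer=None, is_ca=False, days=365):
    """Issue a cert for `key`; `issuer` is (cert, key), or None for self-signed."""
    issuer_cert, issuer_key = issuer if issuer else (None, key)
    return (x509.CertificateBuilder()
            .subject_name(_name(cn))
            .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def _not_after(cert):
    """Expiry as an aware UTC datetime, tolerating older cryptography versions."""
    na = getattr(cert, "not_valid_after_utc", None)
    return na if na is not None else cert.not_valid_after.replace(tzinfo=dt.timezone.utc)


def _find_signer(cert, candidates):
    """A candidate counts only if its name matches cert.issuer AND its key verifies the signature."""
    for cand in candidates:
        if cand.subject != cert.issuer:
            continue
        try:
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
            return cand
        except InvalidSignature:
            pass
    return None


def build_path(leaf, intermediates, trust_anchors, now=NOW):
    """Minimal PKIX-style builder: walk issuer links from `leaf` until a trust anchor
    signs the chain. Returns the chain (leaf first) or raises with the JDK's wording."""
    chain, cur = [leaf], leaf
    while len(chain) <= 8:  # bound the walk
        if _not_after(cur) < now:
            raise PathBuildingError("certificate expired: " + cur.subject.rfc4514_string())
        if _find_signer(cur, trust_anchors) is not None:
            return chain
        cur = _find_signer(cur, intermediates)
        if cur is None:
            raise PathBuildingError(JDK_MSG)
        chain.append(cur)
    raise PathBuildingError("path length exceeded")


def expiring_anchors(trust_anchors, now=NOW, within_days=30):
    """Trust-store entries expired or expiring within `within_days` (the condition
    behind the warning shown for the 7.1.0 default truststore)."""
    limit = now + dt.timedelta(days=within_days)
    return [(c.subject.rfc4514_string(), _not_after(c) <= now)
            for c in trust_anchors if _not_after(c) <= limit]


def build_pki():
    """Constructed stand-ins for the SMK server chain and the SMP's own test cert."""
    k = [ec.generate_private_key(ec.SECP256R1()) for _ in range(5)]
    root = _make_cert("Toy SML Root CA", k[0], is_ca=True, days=3650)
    ica = _make_cert("Toy SML Issuing CA", k[1], (root, k[0]), is_ca=True, days=1800)
    server = _make_cert("smk.acc.example", k[2], (ica, k[1]))
    smp = _make_cert("Toy SMP Test Cert", k[3])  # stands in for smp_test_cert.p12
    old_root = _make_cert("Toy Old SML Root CA", k[4], is_ca=True, days=10)
    return {"root": root, "ica": ica, "server": server, "smp": smp, "old_root": old_root}


def run_demo():
    p, out = build_pki(), {}
    # The issue's misconfiguration: smp.truststore.path reused the SMP keystore, so
    # the only trusted certificate is the SMP's own leaf, which has signed nothing.
    try:
        build_path(p["server"], [p["ica"]], [p["smp"]])
        out["smp_cert_as_truststore"] = "ok"
    except PathBuildingError as e:
        out["smp_cert_as_truststore"] = str(e)
    # The fix: a trust store that actually holds the SML/SMK root CA.
    out["ca_truststore_chain_len"] = len(build_path(p["server"], [p["ica"]], [p["root"]]))
    out["expiring"] = expiring_anchors([p["root"], p["old_root"]])
    return out
```

Running `run_demo()` yields the JDK's error text for the SMP-certificate trust store, a two-element chain for the CA trust store, and the 10-day root in the expiry list.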