Re: HTTPAPI & revoked SSL cert -- RPG400-L

.

On Tue, Sep 18, 2018 at 12:13 PM Justin Taylor <JUSTIN@xxxxxxxxxxxxx> wrote:

I'm sure that bouncing Apache helps by ending all the existing server
jobs. My current theory is that there's something in state, and the remote
service changes something which makes my state invalid.

No, HTTPAPI is a client. Not tied to Apache Web server in any way. Scott
can clarify, but if it's anything like GETURI, the only thing in common
would be they use DCM. And bouncing it shouldn't do anything for the
client side of things

"Most likely the endpoint server updated their SSL certificate, or it
expired." I'm pretty much convinced this is the issue. I submit hundreds
of requests a day, generally without incident. Yesterday, everything was
fine until right at 9am. We caught the problem in just a few minutes,
bounced Apache and everything was back to normal.

Is the process tied to an Apache server job? In other words, you get a
request in to one of your Apache servers, and then use HTTPAPI in the
process to make requests to another server?

If so, the problem isn't with HTTPAPI, most likely more with your Apache
server.

If the CA or Cert was expired, it would always fail. It would also be
pretty simple to verify if that was the issue.

Right now, I'm working on a method to auto-recover.

Unless there's something left out of the picture here, I'll reiterate that
the Apache server shouldn't have anything to do with HTTPAPI.

-----Original Message-----
From: Bradley Stone [mailto:bvstone@xxxxxxxxx]
Sent: Tuesday, September 18, 2018 10:16 AM
To: RPG programming on the IBM i / System i <rpg400-l@xxxxxxxxxxxx>
Subject: Re: HTTPAPI & revoked SSL cert

The apache server shouldn't have anything to do with HTTPAPI.

But, you may want to check:

1. You're on V7R2 or higher and have all the latest PTFs. If you're on
V7R1 or earlier, you may be running into the issue that the cipher used on
the server SSL cert isn't available on your system. Only fix is to update
your OS version.

2. You don't have any expired Certificates OR CAs in DCM. If so, remove
them. I've seen this cause issues even if the Cert of CA has NOTHING to do
with the application being used. *shrug*

3. Make sure you have either strict SSL turned off, or you've imported
the CAs used by the server cert.

4. Hopefully the server certificate isn't expired. I've seen that happen
to the best of them where they forget to renew (even with Google).

When errors just start happening like this, it's best to look at what has
changed. Most likely the endpoint server updated their SSL certificate, or
it expired.

I'm surprised there isn't more information in the error provided other
than the cert was rejected.

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #16 <https://www.bvstools.com/mailtool.html>: No
external "helper" PC system required. 100% IBM i native!

--
This is the RPG programming on the IBM i (AS/400 and iSeries) (RPG400-L)
mailing list
To post a message email: RPG400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD

Bradley V. Stone
www.bvstools.com
Native IBM i e-Mail solutions for Microsoft Office 365, Gmail, or any Cloud
Provider!