Re: HTTPAPI & revoked SSL cert -- RPG400-L

Justin,

What OS version are you running?

Is this random?

Can you recreate the problem outside of the HTTP server?

Is the endpoint always the same?

Since HTTPAPI is reporting the error, that is the error I would try to
recreate and solve before digging to deep into other things to try and
"fix" the issue some other way.

On Tue, Sep 18, 2018 at 5:09 PM Justin Taylor <JUSTIN@xxxxxxxxxxxxx> wrote:

Let me try and clarify what I meant by "I have a CGI webservice that uses
the HTTPAPI utility to make HTTPS calls to an outside vendor".

I have an RPGLE program that is called as a CGI program running on an IBMi
Apache server. That RPGLE program calls a service program, and that
service program uses HTTPAPI to access a 3rd party webservice over the
internet.

My theory, based mostly on speculation, is that HTTPAPI remains active in
a given job running in QHTTPSVR. Something changes with the certificate on
the remote end, but the already running CGI jobs have something still in
memory which causes the error. By bouncing Apache, all the CGI jobs are
ended and the new jobs start with a clean slate.

From: Justin Taylor
Sent: Tuesday, September 18, 2018 9:37 AM
To: 'RPG programming on the IBM i (AS/400 and iSeries)' <
rpg400-l@xxxxxxxxxxxx>
Subject: HTTPAPI & revoked SSL cert

I have a CGI webservice that uses the HTTPAPI utility to make HTTPS calls
to an outside vendor. It makes a few hundred calls a day and has been in
production for a couple of years. Twice in the past week it's started
throwing certificate errors and continued to do so until we bounced the
Apache server. I wasn't in the office when the issues occurred, so I'm
limited on what data I have.

I'm working on an automatic, and less drastic, work-around than bouncing
Apache. My RPG CGI program runs in a named activation group and doesn't
set on LR. The HTTPAPI call is in a service program that runs in *CALLER.
I'm wondering if it would help to run my service program in a named
activation group. That way, when an error occurs the calling RPG could
reclaim that named activation group. Of course, I don't know if that would
help. I'm just speculating that something within HTTPAPI is staying in
memory.

Any thoughts?

From Library : LIBHTTP
From Program : HTTPAPIR4
From Line : *STMT
To Library : LIBHTTP
To Program : HTTPAPIR4
To Line : *STMT

From user . . . . . . . . . : USER
From module . . . . . . . . : HTTPUTILR4
From procedure . . . . . . : UTIL_DIAG
Statement . . . . . . . . . : 4810
To module . . . . . . . . . : COMMSSLR4
To procedure . . . . . . . : SSL_ERROR
Statement . . . . . . . . . : 7142
Thread . . . . : 00000002

(GSKit) Certificate was rejected by the application
supplied exit program or certificate being validated by SSL processing was
revoked.

Cause . . . . . : No additional online help information is available.

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #8 <https://www.bvstools.com/mailtool.html>: Email Logging
- Each email that is sent out is logged with a delivery status. MAILTOOL
also tracks each of the recipients for each email as well as the
attachment(s) sent along with each email.