Security Certificate Issues : Cannot run API script without bypassing certificate validation

Certificate Issues - Calling the API without bypassing certificate validation always results in the following error message: IOError: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

At our facilities we use a lot of APIs to allow us to interact with software that we would otherwise not have any access to... recently we added certificates to our Ignition gateways in an attempt to keep things as secure as possible. The API calls that we are using work well, however when we try to call them in Ignition we almost always get the error message shown above. The ONLY instance that I am aware of where this is not happening is a form that calls the same API that generated the error message shown here from within a Change Script of a text field. When I target the API with a GET request from within the context of that field, the data is returned to me as if I had the "bypassCertValidation = True" switch on the call... but I do not.
When I run the API call from the update script of that text field, I don't get any error messages, not in the log, not on the form... nowhere. Now, I can copy that call directly from that script into the script console, and it gives an error every time I try to run it.
I have tested it from 4 or 5 of our gateways, including one which is running a certificate as a web server directly... and I still get the same error.

I have reviewed the forums, and I have copied the certificate for the API destination URL to the gateway's certificate store, I have copied it to the client certificate store... a lot of things in between... I went through every forum post that I could find with regard to this, and still I am getting the same results...

Does anyone have any idea what my issue could be?
The CA is not self-signed, but was purchased from a certificate authority - and I have tried various formats of it as well.

Honestly I don't know what to try next...

The next two screenshots are examples of one of the APIs that I have tested (We have over a dozen, and every one that I test results in the same error)

(Here is the example of my code failing with this error message:
"sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target")

Here is an example of that exact same code, with one change - I added the following switch in the client declaration: ... see line 18 in the script console screenshot...

I can add an actual copy of the script if it will help... if you have any ideas, I'll be happy to implement them... at this point, I am not really sure where to go. I don't know if this is something that has not been enabled yet, or if there's an issue with my implementation: however, I can run these APIs in testing applications such as SoapUI, and it succeeds without issue.

As I mentioned before, if I take the code for one of the APIs and run it inside of a field change event script, it will succeed without having to bypass the certification.

Here is the script itself:

and here is a screen shot of the control itself that I took this example from:

To fix this case where you are running it from the script console, you would need to add the root CA certificate that signed the certificate used by whatever server is hosting your API to the Designer's supplemental certificates.

You also need to make sure to reference that server by the hostname or IP address that is embedded in the certificate's Subject Alternative Names extension.

Kevin,
Thanks for the response...
If you are referring to the .ignition\clientlauncher-data\certificates folder, I tried that after reading it in another forum post before creating this one (I tried to go through them all before I created a new one)...

Here is a screenshot of that folder with the certificates that I have exported and copied there... I have also (just FYI) right-clicked on each of them and "installed" them... (Just FYI: I am running the tests on my development machine on a local installation of Ignition, so that I had easier access to the file structure of the machine being used as a gateway.)

In this screenshot however, the folder I am referencing is of course from the designer / client side:

Is there something I am missing here that I need to do?

This is interesting, it could mean you've trusted the necessary certificates in the Gateway scope but not in the Client/Designer. You need to add them to something like ~/.ignition/clientlauncher-data/certificates on each computer you would execute a script in the Client or Designer (Script Console is Designer) as well.

That's the right folder, but much of the content looks to be unnecessary (anything that isn't a certificate), and I couldn't tell you if you have the right certificates.

Yes, I am aware that a lot of that was unnecessary... lol, I just copied some of my previous attempts (certs that I added to the gateway) to cover all the bases... but after reading the other post referencing this folder I exported the cert directly from the API target... the root cert... and copied it here.

I can take some screenshots of the way I exported this if you think you might be able to see something I missed...

This issue is basically always one of these issues:

  • root CA certificate (or self-signed leaf) isn't present in supplemental cert store
  • URL isn't being accessed via a hostname (or IP) in the certificate
  • there is a firewall/proxy/network appliance intercepting all traffic with a corp root CA, and this CA isn't in the supplemental cert store

You're probably going to have to share certificates and URLs to troubleshoot this, so if you consider those sensitive you'll have to call support.

They're just not accessible outside of our network... I don't think there's any issue with you seeing the target - but I don't think you'll be able to access it directly...

If you have openssl installed you can download/view the certificate chain via something like:

openssl s_client -showcerts -connect hostname:443

Gotta start from the beginning - figure out what the root is, then make sure it's in that certificate directory.

I'm not sure how you would do this on Windows or without openssl... maybe Chrome lets you download/export the cert chain in the browser?
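The three causes listed a few posts up (root missing from the store, URL name not in the SAN, an intercepting corporate root) can be reproduced and checked with the same openssl CLI mentioned here. This is an added example, not from the thread or from Ignition: it constructs its own throwaway roots and leaf certificates, and the hostname api.example.internal and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed CA/leaf pair reproduces the
# three verification failures discussed above, using only the openssl CLI.
set -e
WORK=$(mktemp -d); cd "$WORK"
HOST=api.example.internal            # constructed API hostname (assumption)

# new_root NAME FILE: constructed self-signed root CA (stands in for the
# purchased CA, or for the root of a TLS-inspecting corporate proxy)
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}
# new_leaf ROOT FILE: server cert for $HOST with a DNS SAN, signed by ROOT
new_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -extfile san.ext -out "$2.pem" >/dev/null 2>&1
}
new_root "Purchased Root CA" purchased
new_root "Corp Proxy Root CA" proxy
new_leaf purchased leaf              # what the real API server presents
new_leaf proxy intercepted           # what you see through an inspecting proxy

# check CERT STORE NAME: 0 if CERT chains to STORE and NAME matches its SAN
check() { openssl verify -CAfile "$2" -verify_hostname "$3" "$1.pem" >/dev/null 2>&1; }

# 1. purchased root absent from the store (only the proxy root is there)
missing_root()   { check leaf proxy.pem "$HOST"; }             # fails
# 2. right root, but the URL uses a name that is not in the SAN
wrong_hostname() { check leaf purchased.pem api; }             # fails
# 3. traffic intercepted by the proxy; store holds only the purchased root
proxy_unknown()  { check intercepted purchased.pem "$HOST"; }  # fails
# fix for 3: add the proxy root to the store as well
proxy_trusted()  { cat purchased.pem proxy.pem > store.pem; check intercepted store.pem "$HOST"; }
# correct case: right root in the store and a SAN name in the URL
trusted()        { check leaf purchased.pem "$HOST"; }         # succeeds

for case in missing_root wrong_hostname proxy_unknown proxy_trusted trusted; do
  if "$case"; then echo "$case: OK"; else echo "$case: verification failed"; fi
done
```

Running the same `openssl verify -CAfile <exported root> -verify_hostname <name in your URL> <server cert>` against the certificate you exported from the API target tells you which of the three cases you are in before touching the Designer's certificate folder.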

Yes... I used Chrome to download / export the certificate... I'll show you: give me a min and I'll create a couple of screenshots of the way I did this.

Don't need screenshots, just the actual cert files.

WOW... ok, I finally got one of these to work. It looks like the only one that I did not get to work was self-signed... but the other one, the one I started this conversation about... worked!
SO... here's my related question:
I had to copy the root certificate over to the designer certificate store on the client... Is there a way around having to copy this to EVERY client that runs the API ?

No, but you only need to do this to run the scripts in the Designer or a Vision Client.

It looks like you are using Perspective, which would be covered by setting these certificates up once on the Gateway.

I see... ok, good deal.
I'm not sure where I missed this the first time, unless I didn't export the root certificate when I tested it: I'm not sure. It seemed like I did the exact same thing I had already done, but this time it worked. You've given me enough info to figure out what happened, and which way to go from here.

Thanks for the help...

If I run into any snags, I'll reach back out, sir... Thanks again

Maybe didn't restart the Designer after adding the certs?