Unable to POST on a REST API using https

Ben_Hunt · November 21, 2022, 6:11pm

Our company uses ERP software to keep track production and they expose an API for use. I use ignition and the API to interface with the ERP software which is hosted locally we recently updated software with a new requirement of all request to use https . I use the httpClient to send my payload over but it raises an exception attached below. I am cannot POST to the server and I believe SSL has something to do with it. My question is if this has to do with Ignition SSL certificate not being valid and so the server then rejects the connection, or is Ignition refusing to connect to the server based on the servers SSL certificate?

Any help is greatly appreciated.

example script:

query = 'SELECT 1'
client = system.net.httpClient()
url = "https://172.16.10.109/odyssey/api/FetchData/SQL"
companyID = system.tag.read('[default]Odyssey/CompanyID').value
params = {
  "SQLQuery": query,
  "Page": 1,
  "BatchSize": 1800,
  "CompanyID": companyID,
  "APIKey":"the api key"
}
client.post(url, data=params)

resulting in

Traceback (most recent call last):
  File "<input>", line 12, in <module>
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:94)
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.post(JythonHttpClient.java:309)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
java.io.IOException: java.io.IOException: Unable to POST https://172.16.10.109/odyssey/api/FetchData/SQL
	at org.python.core.Py.JavaError(Py.java:552)
	at org.python.core.Py.JavaError(Py.java:543)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:190)
	at org.python.core.PyObject.__call__(PyObject.java:438)
	at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
	at org.python.core.PyMethod.__call__(PyMethod.java:228)
	at org.python.pycode._pyx40.f$0(<input>:12)
	at org.python.pycode._pyx40.call_function(<input>)
	at org.python.core.PyTableCode.call(PyTableCode.java:171)
	at org.python.core.PyCode.call(PyCode.java:18)
	at org.python.core.Py.runCode(Py.java:1614)
	at org.python.core.Py.exec(Py.java:1658)
	at org.python.util.PythonInterpreter.exec(PythonInterpreter.java:276)
	at org.python.util.InteractiveInterpreter.runcode(InteractiveInterpreter.java:131)
	at com.inductiveautomation.ignition.designer.gui.tools.jythonconsole.JythonConsole$ConsoleWorker.doInBackground(JythonConsole.java:605)
	at com.inductiveautomation.ignition.designer.gui.tools.jythonconsole.JythonConsole$ConsoleWorker.doInBackground(JythonConsole.java:593)
	at java.desktop/javax.swing.SwingWorker$1.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.desktop/javax.swing.SwingWorker.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: Unable to POST https://172.16.10.109/odyssey/api/FetchData/SQL
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:94)
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.post(JythonHttpClient.java:309)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:188)
	... 19 more
Caused by: java.io.IOException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.net.http/jdk.internal.net.http.HttpClientImpl.send(Unknown Source)
	at java.net.http/jdk.internal.net.http.HttpClientFacade.send(Unknown Source)
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:92)
	... 25 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
	at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
	at java.base/java.util.ArrayList.forEach(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(Unknown Source)
	at java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SynchronizedRestartableTask.run(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(Unknown Source)
	... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at java.base/sun.security.validator.Validator.validate(Unknown Source)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
	... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
	... 28 more
Traceback (most recent call last):
  File "<input>", line 12, in <module>
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:94)
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.post(JythonHttpClient.java:309)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
java.io.IOException: java.io.IOException: Unable to POST https://172.16.10.109/odyssey/api/FetchData/SQL

Kevin.Herron · November 21, 2022, 6:25pm

It's this one. Your server certificate is either self-signed or signed by an internal CA, and you need to add that certificate or CA to Ignition's trust store.

https://docs.inductiveautomation.com/display/DOC81/Security+Certificates#SecurityCertificates-AddingSecurityCertificatesintoKeyStores

Ben_Hunt · November 21, 2022, 6:27pm

Oh alright. Thanks. I'm on 8.0.12 does the document linked still hold true for that?

Kevin.Herron · November 21, 2022, 6:29pm

I think so: Adding Security Certificates into KeyStores - Ignition User Manual 8.0 - Ignition Documentation

Where you're actually running this script is important too. Your stack traces show that it's in a Client or Designer, so you'd have to add the certificate to the client trust store. If you'll ultimately run it on the Gateway then you'll have to add it there as well.

Ben_Hunt · November 21, 2022, 6:34pm

Great thanks. Much appreciated

Ben_Hunt · November 21, 2022, 9:33pm

Sorry, @Kevin.Herron, dropping the certificates into %ignition install%/data/certificates/supplemental still yields the error. I'm getting the certificate from exporting it from chrome and then placing it in the directory. Is that an acceptable way for getting the certificate? I also placed the certificate into ~/.ignition/clientlauncher-data/certificates .

Kevin.Herron · November 21, 2022, 9:38pm

If you got it from Chrome you may have only gotten the leaf, not the root.

You also would want to restart the Gateway or Client/Designer after adding it just in case.

Ben_Hunt · November 21, 2022, 9:41pm

Yup restarted the server same behaviour. Leaf vs root implies that I don't get the full certificate from chrome?

Kevin.Herron · November 21, 2022, 9:50pm

Don't know without looking at it. If it's self-signed it's just one certificate and the leaf is the root. Otherwise there's a certificate chain and I'm not sure what you got and imported into Ignition.

Ben_Hunt · November 21, 2022, 9:54pm

It is a self signed certificate.

Kevin.Herron · November 21, 2022, 10:01pm

Can you upload it here? or DM it to me? There shouldn't be anything confidential about it.

Ben_Hunt · November 21, 2022, 10:02pm

Kevin.Herron · November 21, 2022, 10:05pm

Okay, well, I haven't seen this before:

Seems suspicious.

Also this certificate was issued using the DNS name, so you would also have to access this sever using that same DNS name, not the IP address as you're doing.

edit: that text ("The original certificate provided...") is literally embedded in the certificate as the issuer name. Seems wrong.

Ben_Hunt · November 21, 2022, 10:13pm

Hm, yes I wondered about that. I believe this certificate was generated from our ERP software automatically but that's according to one of my co-workers. So would issuing a new certificate be beneficial?

Kevin.Herron · November 21, 2022, 10:20pm

Might be necessary. You can try using the bypass_cert_validation parameter for now... system.net.httpClient - Ignition User Manual 8.1 - Ignition Documentation

Ben_Hunt · November 21, 2022, 10:35pm

Ok thanks. The error changed now Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 172.16.10.109 found likely as you said because of the dns name.