Dss rest SSLHandshakeException post namespace upgrade to selectapi.datascope.refinitiv.com

xds-support
xds-support Newcomer

I am trying to connect to the recently updated DSS REST URL "selectapi.datascope.refinitiv.com" and encountered the following error:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Solution tried: I have tried the steps mentioned in the Q&A post below, but they didn't work, and I also observed that the certificate issuer is different. https://community.developers.refinitiv.com/questions/43909/dss-rest-api-ssl-handshake-error.html

It was working earlier with the URL hosted.datascopeapi.reuters.com; in addition, it also works when SSL verification is disabled.

Could you please help resolving this issue?

Best Answer

  • Jirapongse
    Jirapongse ✭✭✭✭✭
    Answer ✓

    @xds-support

    From the output, the Issuer of "CN=selectapi1.datascope.refinitiv.com, O=REFINITIV US LLC, STREET=3 Times Square, L=New York, ST=New York, OID.2.5.4.17=10036, C=US" has been changed to "CN=org Primary Proxy SSL Interception Service, OU=org, O=org, L=Sheffield, ST=Yorkshire, C=GB".

    chain [0] = [
    [
      Version: V3
      Subject: CN=selectapi1.datascope.refinitiv.com, O=REFINITIV US LLC, STREET=3 Times Square, L=New York, ST=New York, OID.2.5.4.17=10036, C=US
      Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

      Key:  Sun RSA public key, 2048 bits
      modulus: ....
      public exponent: 65537
      Validity: [From: Thu Feb 25 00:00:00 GMT 2021,
                   To: Fri Feb 25 23:59:59 GMT 2022]
      Issuer: CN=org Primary Proxy SSL Interception Service, OU=org, O=org, L=Sheffield, ST=Yorkshire, C=GB
      SerialNumber: [    a398486d 01000000]

    Typically, for selectapi.datascope.refinitiv.com the issuer should be "COMODO RSA Organization Validation Secure Server CA".

    I assume that it is a certificate of your internal proxy. You may need to contact your local IT support to verify the problem or you need to install the certificate file for "CN=org Primary Proxy SSL Interception Service".
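
The issuer comparison made in the answer above, as an added example (not code from this thread or from Refinitiv): a Python script that reads -Djavax.net.debug=all output, collects Subject and Issuer for each "chain [n]" entry, and flags a leaf certificate whose issuer CN differs from the expected one. The sample log is constructed from the fields quoted in the answer, and the function names are hypothetical.

```python
import re

# Issuer CN the answer says is normally seen for selectapi.datascope.refinitiv.com.
EXPECTED_ISSUER_CN = "COMODO RSA Organization Validation Secure Server CA"

# Constructed sample: trimmed to fields quoted in the answer above.
SAMPLE_LOG = """\
chain [0] = [
[
  Version: V3
  Subject: CN=selectapi1.datascope.refinitiv.com, O=REFINITIV US LLC, STREET=3 Times Square, L=New York, ST=New York, OID.2.5.4.17=10036, C=US
  Issuer: CN=org Primary Proxy SSL Interception Service, OU=org, O=org, L=Sheffield, ST=Yorkshire, C=GB
  SerialNumber: [    a398486d 01000000]
"""

CHAIN_RE = re.compile(r"^\s*chain \[(\d+)\] = \[")
FIELD_RE = re.compile(r"^\s*(Subject|Issuer):\s*(.+?)\s*$")

def common_name(dn):
    """Return the CN of a distinguished name as printed by the JDK, or None."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None

def parse_chain(log_text):
    """Collect Subject/Issuer for every 'chain [n]' entry in the debug log."""
    certs, current = [], None
    for line in log_text.splitlines():
        start = CHAIN_RE.match(line)
        if start:
            current = {"index": int(start.group(1))}
            certs.append(current)
            continue
        field = FIELD_RE.match(line)
        # Keep only the first Subject/Issuer seen after each chain header.
        if field and current is not None and field.group(1).lower() not in current:
            current[field.group(1).lower()] = field.group(2)
    return certs

def check_leaf_issuer(log_text, expected_cn=EXPECTED_ISSUER_CN):
    """Return (ok, issuer_cn) for chain [0]; ok is False when the issuer differs."""
    leaf = next((c for c in parse_chain(log_text) if c["index"] == 0), None)
    if leaf is None or "issuer" not in leaf:
        return False, None
    issuer_cn = common_name(leaf["issuer"])
    return issuer_cn == expected_cn, issuer_cn

if __name__ == "__main__":
    ok, issuer = check_leaf_issuer(SAMPLE_LOG)
    print("issuer matches" if ok else f"unexpected issuer: {issuer}")
```

An unexpected issuer on chain [0] means the JVM is seeing a certificate re-signed somewhere on the network path, so importing public CA roots into the JDK truststore will not change the result.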


Answers

  • Certificate I see on hitting padlock in url bar

    image

  • zoya faberov
    zoya faberov ✭✭✭✭✭

    Hello @xds-support,

    I can confirm that I am able to run a java example against:

    private String urlHost = "https://selectapi.datascope.refinitiv.com/RestApi/v1";

    In order to better understand the issue that you are facing:


  • Hi @zoya faberov


    I was using jdk1.8.0_66 earlier but I have upgraded to jdk1.8.0_221. Still facing same old issue.

    However, I have checked the discussion thread, there are a number of certificates on link but it is not clearly mentioned which certificate to install.


  • Jirapongse
    Jirapongse ✭✭✭✭✭

    @xds-support

    You may run the application with the following option.

    -Djavax.net.debug=all 

    Then, share the output. We may be able to verify the problem from the output log.

  • I had added below certificates besides the default cert in jdk


    • adding as trusted cert:

    Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

    Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

    Algorithm: RSA; Serial number: 0xce7e0e517d846fe8fe560fc1bf03039

    Valid from Fri Nov 10 00:00:00 GMT 2006 until Mon Nov 10 00:00:00 GMT 2031

    • adding as trusted cert:

    Subject: CN=DigiCert Secure Server CA, O=DigiCert Inc, C=US

    Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

    Algorithm: RSA; Serial number: 0x69e1db77fcf1dfba97af5e5c9a24037

    Valid from Fri Mar 08 12:00:00 GMT 2013 until Wed Mar 08 12:00:00 GMT 2023


    • adding as trusted cert:

    Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

    Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

    Algorithm: RSA; Serial number: 0x83be056904246b1a1756ac95991c74a

    Valid from Fri Nov 10 00:00:00 GMT 2006 until Mon Nov 10 00:00:00 GMT 2031

    • adding as trusted cert:

    Subject: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

    Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

    Algorithm: RSA; Serial number: 0x2ac5c266a0b409b8f0b79f2ae462577

    Valid from Fri Nov 10 00:00:00 GMT 2006 until Mon Nov 10 00:00:00 GMT 2031

  • Please find the logs attached, let me know if you need anything else.

    logs.txt