SSLPeerUnverifiedException: Hostname api.koios.rest not verified (no certificates)

[kunalransing]

Jar version -

io.github.cardano-community
koios-java-client
1.10

Java Version - jdk-11.0.2

What operating system are you using, and which version?

• Linux / AWS Linux

Steps to Reproduce

1. when we call addressService.getAddressTransactions(addresses, options) then sometime give error as SSLPeerUnverifiedException: Hostname api.koios.rest not verified (no certificates)

Expected Behavior

It should not give error - SSLPeerUnverifiedException: Hostname api.koios.rest not verified (no certificates)

Actual Behavior

Sometime service gives below error

rest.koios.client.backend.api.base.exception.ApiException: Hostname api.koios.rest not verified (no certificates)
	at rest.koios.client.backend.api.address.impl.AddressServiceImpl.getAddressTransactions(AddressServiceImpl.java:81) ~[koios-java-client-1.10.jar!/:na]
	at rest.koios.client.backend.api.address.impl.AddressServiceImpl.getAddressTransactions(AddressServiceImpl.java:65) ~[koios-java-client-1.10.jar!/:na]
	at com.eno.adawallet.blockchain.KoiosBlockHelperService.getAddressesTxs(KoiosBlockHelperService.java:74) ~[classes!/:1.0.0]
	at com.eno.adawallet.ADAWalletBean.processReceive(ADAWalletBean.java:451) ~[classes!/:1.0.0]
	at com.eno.adawallet.ADAWalletBean$$FastClassBySpringCGLIB$$fb418adb.invoke(<generated>) ~[classes!/:1.0.0]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar!/:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.3.18.jar!/:5.3.18]
	at com.eno.adawallet.ADAWalletBean$$EnhancerBySpringCGLIB$$a8235744.processReceive(<generated>) ~[classes!/:1.0.0]
	at com.eno.adawallet.timer.ADATimer.processReceiveTxTimer(ADATimer.java:94) ~[classes!/:1.0.0]
	at com.eno.adawallet.timer.ADATimer$$FastClassBySpringCGLIB$$11df0ffc.invoke(<generated>) ~[classes!/:1.0.0]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar!/:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar!/:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar!/:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar!/:5.3.18]
	at org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:115) ~[spring-aop-5.3.18.jar!/:5.3.18]
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname api.koios.rest not verified (no certificates)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:396) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201) ~[okhttp-4.9.0.jar!/:na]
	at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154) ~[okhttp-4.9.0.jar!/:na]
	at retrofit2.OkHttpCall.execute(OkHttpCall.java:204) ~[retrofit-2.9.0.jar!/:na]
	at rest.koios.client.backend.api.base.BaseService.execute(BaseService.java:97) ~[koios-java-client-1.10.jar!/:na]
	at rest.koios.client.backend.api.address.impl.AddressServiceImpl.getAddressTransactions(AddressServiceImpl.java:78) ~[koios-java-client-1.10.jar!/:na]

[rdlrt]

The certificate is letsencrypt signed. If you have troubles, it's possible you may not have recent enough CA certs on your Java truststore (alternatively, you can always add cert to your trust store)

[kunalransing]

I have downloaded base64 certificate chain like below

Imported downloaded cer using below java command
$/opt/jdk-11.0.2/bin/keytool -import -alias ca -file api.koios.rest.cer -keystore cacerts -storepass xxx

but still im getting same error. Can you help me to fix it, please ?
@rdlrt

[rdlrt]

I have downloaded base64 certificate chain like below

Imported downloaded cer using below java command $/opt/jdk-11.0.2/bin/keytool -import -alias ca -file api.koios.rest.cer -keystore cacerts -storepass xxx

but still im getting same error. Can you help me to fix it, please ? @rdlrt

When importing certs to trust store, it's always better to extract root/Intermedia certificates instead of server certificate, you can extract those using openssl

[kunalransing]

@rdlrt
I have tried using below way also still same error
$ echo "" | openssl s_client -connect api.koios.rest:443 -showcerts 2>/dev/null | openssl x509 -out certfile.txt
Then imported certfile.txt to java truststore.
Any idea what is wrong?

[rdlrt]

You're getting server certificate, not the issuers. You might wanna read this blog and checkout examples here

[kunalransing]

Thanks for your help. I have tried root & CA certificates but didn't worked.
https://letsencrypt.org/certificates/
Now using plain java HTTP code & working fine.