In the logs I'm getting this error while opening the admin page.

ERROR {org.wso2.is.notification.EventSender} - Error while sending Revocation Event to https://:/internal/data/v1/notify javax.net.ssl.SSLPeerUnverifiedException: Certificate for doesn't match any of the subject alternative names:

ERROR {org.wso2.carbon.apimgt.rest.api.util.impl.OAuthOpaqueAuthenticatorImpl} - Provided access token is invalid

In the Devportal, after adding a new Application, when I go to GENERATE KEYS for the newly added one under Production Keys, I'm getting the errors below in the logs and the page goes blank.

ERROR {org.wso2.carbon.apimgt.impl.AbstractKeyManager} - Can not create OAuth application : admin_8d304dad-9f06-4236-8694-abf185393fff_PRODUCTION for application: On_104 and key type: PRODUCTION org.wso2.carbon.apimgt.impl.kmclient.KeyManagerClientException: Received status code: 500 Reason:

ERROR {org.wso2.carbon.apimgt.impl.utils.APIUtil} - Error occurred while executing SubscriberKeyMgtClient.

Bas H
CKR

1 Answer

This seems like an SSL issue. The SSL certificates you have created don't have the DNS name (hostname) you are trying to use as the CN or alternate names, hence SSL validation is failing. Try changing the host or try updating the cert to have alternative hosts.

Explanation

When configuring WSO2 servers you will typically create new SSL certificates and add them to keystores. When creating an X.509 certificate you will add a field called CN (Common Name). The CN identifies the entity that the certificate represents. For example, if the certificate is for a web server, the CN might be the fully-qualified domain name (FQDN) of the server. At the same time, you can add additional identifiers to identify the entity. These alternate names can include IP addresses, domain names, etc. In an X.509 certificate, we call them SAN (Subject Alternate Names).

Now, when a client (in your case, API Manager) tries to connect to a server using SSL/TLS, the APIM server presents its digital certificate to the client. The client will perform several validations to ensure that the cert is valid and trusted. One such validation is that the client checks that the domain name in the certificate matches the domain name of the server that it's trying to connect to. This check is performed by comparing the Common Name (CN) or SAN in the certificate.

As an example, if you are trying to call API Manager like https://myserver/api/something, the server's certificate should have myserver as the CN or in SAN.

References: https://www.cloudflare.com/learning/ssl/how-does-ssl-work/

ycr
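The hostname check described in the answer above, as an added example that is not part of the original post and is not WSO2's or Java's own implementation. It follows the RFC 6125 style rules (SAN entries take precedence, the CN is consulted only when the certificate carries no DNS SAN) and goes slightly beyond the answer by also handling wildcard and IP SAN entries. The function names, hostnames and certificate dicts are constructed for illustration; the dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

def _dns_match(pattern, host):
    """Compare one DNS name from the certificate with the requested host."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one left-most label: *.example.test
        # matches gw.example.test but not example.test or a.b.example.test.
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h

def cert_matches_host(cert, host):
    """Return (ok, names_checked) for a dict shaped like getpeercert()."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are only compared against iPAddress SAN entries.
        ips = [v for k, v in sans if k == "IP Address"]
        return any(ipaddress.ip_address(v) == ip for v in ips), ips
    dns = [v for k, v in sans if k == "DNS"]
    if not dns:
        # Fall back to the subject CN only when the cert has no DNS SANs.
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"]
    return any(_dns_match(n, host) for n in dns), dns

# Constructed sample certificates (not taken from the question's servers).
LOCALHOST_ONLY = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
}
CN_IGNORED = {  # right CN, wrong SAN: still rejected
    "subject": ((("commonName", "apim.example.test"),),),
    "subjectAltName": (("DNS", "localhost"),),
}
REISSUED = {
    "subject": ((("commonName", "apim.example.test"),),),
    "subjectAltName": (("DNS", "apim.example.test"), ("DNS", "*.gw.example.test"),
                       ("IP Address", "10.0.0.5")),
}

if __name__ == "__main__":
    for name, cert in [("localhost-only", LOCALHOST_ONLY), ("reissued", REISSUED)]:
        print(name, cert_matches_host(cert, "apim.example.test"))
```

The `CN_IGNORED` case is the one that most often surprises people: putting the hostname in the CN does not help once the certificate has a DNS SAN that lists something else.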