Watson Workspace will no longer be available after February 28, 2019. Learn more.


Can not enable webhook to callback server with Let's Encrypt SSL Certificate



  • Avatar
    Joakim Arborelius

    I seem to have bad luck with my TLS connections from the watson-server... Moving my webhook-client to another (proxy-)server gave me another (TLS-related) error:

    {"timestamp":"Wed Nov 16 09:13:19 EST 2016","status":500,"reason":"Internal Server Error","errorId":8,"exception":"com.ibm.toscana.micros.appregistry.common.exceptions.OutboundOperationErrorException","message":"error on update of outbound-webhook with id 5828a276e4b08d9b99799a41: The webhook verification has failed! - details: [com.ibm.toscana.micros.outbound.common.exceptions.WebhookVerificationFailedException]: org.springframework.web.client.ResourceAccessException: I/O error on POST request for \"https://another.top.secret.server.com/watson/\": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure","userMessage":"App operation failed because of error on outbound-webhook operation!","path":"/api/v1/apps/10cb92f7-0693-4879-b4d0-43e7ff30e038"}


  • Avatar
    Miguel Estrada

    What is the callback URL you are using?

    Are you able to validate via hosting in bluemix?

    Trying to determine if there is a discrepancy with what certificates the java version on back end is expecting to be valid vs some other problem with the actual URL format (ie. we don't allow IP addresses or host names such as localhost....)

  • Avatar
    Joakim Arborelius

    Hey Miguel, I'd rather not publish that here on the forums for everybody to go knocking at my servers ;-/


    The first error is probably a certificate trust issue, where your host does not trust the Root CA for Let's Encrypt...

    The second error looks more like there is some kind of TLS handshake failure where the servers do not agree on TLS version and/or encryption algorithm.

    The first server is a Raspberry PI runing Apache HTTP Server 2.4.10

    The server for the second problem is a Windows Server running IBM Http Server with default SSL/TLS settings.

    The callback URL's are valid addresses (e.g. public DNS-addresses)

  • Avatar
    Joakim Arborelius

    Finally managed to enable my webhook! \o/

    It required a reconfiguration of my webserver (IBM HTTP Server so that your server and my server had a TLS Cipher in common for the TLS handshake.

    Your server/client offered the following ciphers when connecting to my server:

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)

    My server is able to handle the following ciphers by default (for TLSv1.2):

    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

    I was able to fix the TLS Handshake failure by adding the following parameter to my IBM HTTP Server configuration:

    SSLCipherSpec all +C02F +C027

    (It would have been fine to just add one of the "C0-ciphers", but since they're both strong ciphers I figured I can offer both of them on my server :-D )


  • Avatar
    Joakim Arborelius

    But i'm still unable to use my server with a Let's Encrypt Signed Certificate. It still complains that "The certificate issued by CN=DST Root CA X3, O=Digital Signature Trust Co. is not trusted".

    To solve this issue, your server/client needs to trust the DST Root CA X3!

    Here's more information about their certificates: https://letsencrypt.org/certificates/

    And the root certificate that has cross signed their current certificates: https://www.identrust.com/certificates/trustid/root-download-x3.html

Please sign in to leave a comment.