Hi there
Here is the situation
ThingWorx 8.5.5 works with CERTIFICATE.JKS on Tomcat 8.5.43 (NOT a self-signed certificate)
Experience Service 8.5.9 uses protocol HTTP, everything works
When trying to apply Certificate to Experience Service,
CERTIFICATE.JKS is converted to CERTIFICATE.PFX for usage.
start-es
results in an error (similar here: https://community.ptc.com/t5/Vuforia-Studio/Customer-used-to-Vuforia-Studio-OnPremise-before-and-tried-to/m-p/580637/highlight/true#M4610)
Error: unable to verify the first certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34)
at TLSSocket.emit (events.js:311:20)
at TLSSocket._finishInit (_tls_wrap.js:916:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
start-es --allowssc would fire up Experience Service
Both https://<server>:2019/ExperienceService/ping
and https://<server>:2019/ExperienceService/id-resolution/resolutions/?key=urn:vuforia:nokey&resourcetype=Experience&wNdp=768&aspect=spatial-tracking work with TLS on desktop/iOS/Android
ISSUE
Using https://<server>:2019 for Vuforia View APP Experience Service URL
Everything works with iOS device
Not working with Android device: nothing in the Library, and "Whoops! Error loading Experience" message shows up when opening an experience
Same issue with PEM Certificate on Experience Service
Android logfile Error
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
The Root CA is in the list of System Trusted credentials already.
By the way, no Cleartext issue in the logfile (https://community.ptc.com/t5/Vuforia-Studio/Vuforia-View-quot-Connection-Error-quot-while-scanning-the/m-p/597043#M5226)
How to resolve the issue?
Any reply is appreciated,
Thanks in advance
SETUP (same machine): JAVA 1.8.0_192-b12, Tomcat 8.5.43, TWX 8.5.5, ES 8.5.9, Android 9
Android devices are a little more particular about the certs they will allow if they aren't from a well known CA.
Check out this article: https://www.ptc.com/en/support/article/CS301678
Are you using a private organization CA? Do you have any intermediate certificates? If so, have you created a cert bundle?
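Added example, not part of the thread: it shows why the reply asks about intermediate certificates and a cert bundle. A client that trusts only the root cannot validate a server certificate issued by an intermediate unless the server sends that intermediate too. The CA names, host name and files are constructed throwaways, and that this is the cause of the poster's Android error is an assumption.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway PKI (root CA -> intermediate CA -> server cert).
# Requires the openssl CLI. Nothing here comes from the poster's environment.
WORK=$(mktemp -d)

# Build the three-level chain inside $WORK.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  # Self-signed root: the only certificate the client will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null &&
  # Intermediate CA, signed by the root and marked CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null &&
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=es.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# Client trusts the root; the server presented only its own certificate.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the intermediate is supplied alongside the leaf,
# as it would be when the server sends a full bundle.
verify_with_bundle() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

make_chain || { echo "openssl could not build the demo chain" >&2; exit 1; }

# A cert bundle is the leaf followed by its intermediate(s), in that order.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/bundle.pem"

if verify_leaf_only; then echo "leaf only: verified"
else echo "leaf only: FAILED (client cannot find the issuer)"; fi
if verify_with_bundle; then echo "leaf + intermediate: verified"
else echo "leaf + intermediate: FAILED"; fi
```

Clients that cache or fetch missing intermediates can hide this gap, which is one way the same server can work from one device and fail from another.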
Thanks for the reply.
While unsuccessfully configuring the certificate for the Experience Service, it remains using HTTP only.
Use MED-61226-CD-XXX_SPX_es-X-X-X-bXXXX-XXX-windows-installer.exe, which was downloaded from https://support.ptc.com/appserver/auth/it/esd/product.jsp?prodFamily=VFS.
Modify
Then Use HTTP (No TLS)
After processing, in configuration.json shows
"port": 2019,
"realm": "ThingWorx",
"httpsKeyPath": "",
"httpsCrtPath": "",
"httpsCaPath": null,
"httpsPfxPath": null,
"httpsCertPassphrase": "",
In Vuforia View, Experience Service URL is set to http://<server>:2019