Certificate sent by the other side could not be validated - Oracle Wallet

I have written the following code in PL/SQL for calling 3rd party APIs from Oracle 11g.

Begin

  -- preparing Request...
  l_http_request := UTL_HTTP.begin_request ('https://www..........'
                                          , 'GET'
                                          , 'HTTP/1.1');   
  -- set header's attributes...                                          
  UTL_HTTP.set_header(l_http_request, 'Content-Type', 'application/json');
  UTL_HTTP.set_header(l_http_request, 'Content-Length', LENGTH(t_request_body));
  UTL_HTTP.set_header(l_http_request, 'Api-Key','..............');

  -- get Response and obtain received value
  l_http_response := UTL_HTTP.get_response(l_http_request);

  UTL_HTTP.read_text(l_http_response, l_response_text);

end;

When I run this code I'm getting the following error:

Error report:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 13
29273. 00000 -  "HTTP request failed"
*Cause:    The UTL_HTTP package failed to execute the HTTP request.
*Action:   Use get_detailed_sqlerrm to check the detailed error message.
           Fix the error and retry the HTTP request.

I figured out that this is caused by the 'https' protocol. So I downloaded all relevant certificates and then handed them over to our DB team. Though they have configured Oracle wallet with these certificates, we are still getting the same error report.

Any thoughts?

UPDATE: I've added the following code as the very first lines in the begin block...

  UTL_HTTP.SET_DETAILED_EXCP_SUPPORT(TRUE); 
  UTL_HTTP.SET_WALLET('file:/../wallet','pwd.....' );

But now it gives the following exception, "Certificate is invalid", though the certificate sender confirms its validity. The validity can also be confirmed by looking at this external SSL checker: https://www.sslshopper.com.

Error report:
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 1128
ORA-06512: at line 16
29024. 00000 -  "Certificate validation failure"
*Cause:    The certificate sent by the other side could not be validated. This may occur if
           the certificate has expired, has been revoked, or is invalid for another reason.
*Action:   Check the certificate to determine whether it is valid. Obtain a new certificate,
           alert the sender that there certificate has failed, or resend.

Please note that I've tried all formats of certificate files (Base-64 encoded / PKCS#7 etc.) as explained in http://oracle-base.com/articles/misc/utl_http-and-ssl.php

Any thoughts?

CAD asked Nov 10 '22 18:11

1 Answer

Personally, I find it a pain to load the certificates of each and every website you want to access in an Oracle Wallet (which is probably why you're getting the error--you need to install the certificates and chains of the website you're trying to access into the Wallet).

The easiest thing to do is install stunnel https://www.stunnel.org/index.html

Configure stunnel to listen for incoming connections on a local port such as 8800 and then make an outbound connection to somesite.com:443.

Something like this:

1.  oracle issues a get as: http://localhost:8080/index.html
2.  stunnel intercepts the request and gets https://somesite.com/index.html
3.  stunnel gives results to oracle 

This allows Oracle to communicate via http to stunnel, then stunnel communicates to https://somesite.com and delivers the data back to oracle on port 80.

This completely bypasses the Oracle Wallet.

Although this is not a direct answer to your question, it surely solves the many, many issues with Oracle Wallet and in my opinion is the best solution.

Brian McGinity answered Nov 14 '22 21:11
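
A stunnel client configuration for the tunnel described in the answer above, added here as an example and not taken from the answer or from the stunnel project. It shows the unverified form commented out beside a form that still validates the server certificate, since bypassing the Oracle Wallet also moves the certificate check into stunnel. The section names and the CA bundle path are assumptions; somesite.com and port 8800 come from the answer.

```ini
; stunnel.conf: client-mode tunnel for UTL_HTTP (added example)
; Assumed values: section names and the CA bundle path.

; Weak form: the link is encrypted, but any certificate the peer
; presents is accepted, because stunnel does not verify the peer
; unless it is told to.
; [somesite-unverified]
; client  = yes
; accept  = 8800
; connect = somesite.com:443

[somesite]
client  = yes
; Loopback only: the Oracle-to-stunnel leg is plain HTTP and carries
; the Api-Key header in cleartext.
accept  = 127.0.0.1:8800
connect = somesite.com:443
; Send the server name so a virtual-hosted site returns the right certificate.
sni     = somesite.com
; Trusted roots used to build the chain (assumed path, Debian/Ubuntu layout).
CAfile  = /etc/ssl/certs/ca-certificates.crt
; Reject certificates that do not chain to a root in CAfile.
verifyChain = yes
; Reject certificates issued for a different host name.
checkHost   = somesite.com
```

With this in place the PL/SQL request targets http://localhost:8800/... and the UTL_HTTP.SET_WALLET call is no longer needed; a certificate that fails validation then shows up as a refused connection in the stunnel log rather than as ORA-29024.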