Security error when calling external API via webhook

  • 0
  • 1
  • Question
  • Updated 3 months ago
  • Answered
I am attempting to call a 3rd party API via webhook and currently getting the following security-related error  (Quickbase support provided me the logs containing the error)

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

From research this appears to be related to invalid/missing/mismatch certs.  I was able to get the cert from the host system that is exposing the API- so the question now becomes if there is anyway for Quickbase to configure the cert on their side (if that's even relevant)

Quickbase support pointed me to the 'community' for input.

Thanks.
Photo of Scott Pugh

Scott Pugh

  • 200 Points 100 badge 2x thumb

Posted 3 months ago

  • 0
  • 1
Photo of Harrison Hersch (QB)

Harrison Hersch (QB), Quick Base Sr. Product Manager (Platform)

  • 656 Points 500 badge 2x thumb
Hi Scott. Does the other service have a valid SSL certificate? It is correct than Quick Base cannot officially support another endpoint but I'm happy to try and offer some guidance.
Photo of Scott Pugh

Scott Pugh

  • 200 Points 100 badge 2x thumb
They refer to their cert as a 'wildcard cert'.   I did export the cert and when viewing it does give messages like "Windows does not have enough information to verify this certificate"    The endpoint I am trying to hit is a development system endpoint (not production).      The challenge is that if I take the same parameters and request json into another tool like Postman I am able to successfully make the call without doing anything related to the cert.
Photo of Harrison Hersch (QB)

Harrison Hersch (QB), Quick Base Sr. Product Manager (Platform)

  • 656 Points 500 badge 2x thumb
A wildcart cert is fine. If it is dev, it is possible they are using a self-signed certificate rather than coming from a trusted authority, which Quick Base will not be able to validate. It works fine from your local PC via Postman because there is no additional security check occurring there. If you run the domain against SSL Labs, what is the result? If you aren't comfortable sharing the domain publicly, let me know and I'll reach out to you via email (I found the case).
Photo of Harrison Hersch (QB)

Harrison Hersch (QB), Quick Base Sr. Product Manager (Platform)

  • 656 Points 500 badge 2x thumb
Hi. I found the domain in the ticket and confirmed the certificate exists but is invalid for numerous reasons. For the security of everyone on the Quick Base platform, we are only able to connect to valid HTTPS endpoints that are properly secured. This protection helps to keep you and your data safe. I'd suggest reaching out to the service provider to see if they can install a proper certificate on that web server.

Feel free to let us know of other questions or concerns.
Photo of Scott Pugh

Scott Pugh

  • 200 Points 100 badge 2x thumb
Harrison-  Many thanks for your help.  I will work with the provider to install a valid cert.

Thanks again.
Photo of Harrison Hersch (QB)

Harrison Hersch (QB), Quick Base Sr. Product Manager (Platform)

  • 656 Points 500 badge 2x thumb
Great. Glad I could help.