Error when changing IP and certificate on wso2-IoT


I have just installed the new version of wso2-iot(3.1.0).

In order to use it remotely, I have changed the IP from localhost to the IP address of my server with the script /scripts/change-ip.sh.

All seems to work well, but when I log in to https://IP:9443/devicemgr, I get the message below:

An Error Occurred!
HTTP Status : 500

org.wso2.carbon.apimgt.integration.client.exception.APIMClientOAuthException: failed to retrieve oauth token using jwt

Has someone experienced the same problem? Is there a solution?

Thanks


I've tried to install wso2-iot on 3 servers :

  • It works on a Debian 9.1 with openjdk version "1.8.0_141"
  • It fails on a Debian 8.8 with openjdk version "1.8.0_141"
  • It fails on a Debian 8.7 with java version "1.8.0_144"

There are 4 answers

1
Geeth Munasinghe On BEST ANSWER

One reason for the issue is not having the correct certificate in IoT_Home/conf/identity/identity-providers/iot_default.xml. Please make sure to add that correctly. The reason for that could be that, in the change-ip.sh script, "sed -e" does not work on some Linux OS versions.

1
Jean-Pierre Weiss On

When I run the io-server.sh script, I get the Java message below:

[2017-09-04 09:25:05,244] [IoT-Core]  INFO - {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} Mgt Console URL  : https://10.5.0.68:9443/carbon/
[2017-09-04 09:25:11,654] [IoT-Core] ERROR - {org.apache.synapse.transport.passthru.TargetHandler} I/O error: Host name verification failed for host : ducky.domaine-mairie.lan
javax.net.ssl.SSLException: Host name verification failed for host : ducky.domaine-mairie.lan
    at org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.verify(ClientSSLSetupHandler.java:171)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:308)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
    at java.lang.Thread.run(Thread.java:748)
[2017-09-04 09:25:11,726] [IoT-Core]  WARN - {org.apache.synapse.endpoints.EndpointContext} Endpoint : AnonymousEndpoint with address https://{uri.var.hostname}:{uri.var.portnum}/oauth2/token will be marked SUSPENDED as it failed
[2017-09-04 09:25:11,728] [IoT-Core]  WARN - {org.apache.synapse.endpoints.EndpointContext} Suspending endpoint : AnonymousEndpoint with address https://{uri.var.hostname}:{uri.var.portnum}/oauth2/token - current suspend duration is : 30000ms - Next retry after : Mon Sep 04 09:25:41 CEST 2017
Exception in thread "Thread-36" org.wso2.carbon.apimgt.integration.client.exception.APIMClientOAuthException: failed to retrieve oauth token using jwt
    at org.wso2.carbon.apimgt.integration.client.OAuthRequestInterceptor.apply(OAuthRequestInterceptor.java:118)
    at feign.SynchronousMethodHandler.targetRequest(SynchronousMethodHandler.java:158)
    at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:88)
    at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:76)
    at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:103)
    at com.sun.proxy.$Proxy40.apisGet(Unknown Source)
    at org.wso2.carbon.apimgt.webapp.publisher.APIPublisherServiceImpl.publishAPI(APIPublisherServiceImpl.java:53)
    at org.wso2.carbon.apimgt.webapp.publisher.APIPublisherStartupHandler.publishAPIs(APIPublisherStartupHandler.java:97)
    at org.wso2.carbon.apimgt.webapp.publisher.APIPublisherStartupHandler.access$500(APIPublisherStartupHandler.java:30)
    at org.wso2.carbon.apimgt.webapp.publisher.APIPublisherStartupHandler$1.run(APIPublisherStartupHandler.java:69)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.wso2.carbon.identity.jwt.client.extension.exception.JWTClientException: Error when parsing the response <am:fault xmlns:am="http://wso2.org/apimanager"><am:code>101500</am:code><am:type>Status report</am:type><am:message>Runtime Error</am:message><am:description>Error in Sender</am:description></am:fault>
    at org.wso2.carbon.identity.jwt.client.extension.JWTClient.getTokenInfo(JWTClient.java:169)
    at org.wso2.carbon.identity.jwt.client.extension.JWTClient.getAccessToken(JWTClient.java:79)
    at org.wso2.carbon.apimgt.integration.client.OAuthRequestInterceptor.apply(OAuthRequestInterceptor.java:99)
    ... 10 more
Caused by: Unexpected character (<) at position 0.
    at org.json.simple.parser.Yylex.yylex(Unknown Source)
    at org.json.simple.parser.JSONParser.nextToken(Unknown Source)
    at org.json.simple.parser.JSONParser.parse(Unknown Source)
    at org.json.simple.parser.JSONParser.parse(Unknown Source)
    at org.json.simple.parser.JSONParser.parse(Unknown Source)
    at org.wso2.carbon.identity.jwt.client.extension.JWTClient.getTokenInfo(JWTClient.java:153)
    ... 12 more

where 10.5.0.68 is the IP of my server and ducky.domaine-mairie.lan is the name of the server. Apparently, the script tries to use the DNS name instead of the IP. I hope this helps with the resolution.

0
Tof On

change-ip.sh is not, to my taste, finalized. There is a lack of information.

0
Geeth Munasinghe On

Similar issue was discussed here

One reason for the issue could be that the /etc/hosts file has entries pointing the machine IP to a hostname. Even an IP pointed to localhost could result in this issue. This happens when the common name of the certificate is being verified and it is pointed to a host name. As the common name of the certificate is the local IP (created by the change-ip.sh script), finding the hostname from the /etc/hosts file, which has the same IP, will result in a host name verification failure. This will result in the above issue of not being able to retrieve the JWT token. A similar issue was reported here
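
The check this answer describes, as an added example that is not part of the original answer or of WSO2's code: it parses hosts-file text and lists the names mapped to the server IP that the certificate's names do not cover. The sample hosts content, the function names and the simplified matching rule (exact match or one left-most wildcard label) are assumptions.

```python
import ipaddress

# Constructed sample /etc/hosts for the server described in the thread.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.5.0.68   ducky.domaine-mairie.lan ducky   # machine IP mapped to a name
::1         localhost ip6-localhost
"""


def parse_hosts(text):
    """Return {ip_string: [lower-cased names]} from hosts-file text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip malformed lines
        table.setdefault(ip, []).extend(n.lower() for n in fields[1:])
    return table


def name_matches(cert_name, host):
    """Simplified rule (assumption): exact match or one left-most wildcard label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == cert_name[2:]
    return False


def mismatched_aliases(hosts_text, server_ip, cert_names):
    """Names the hosts file maps to server_ip that no certificate name covers."""
    ip = str(ipaddress.ip_address(server_ip))
    aliases = parse_hosts(hosts_text).get(ip, [])
    return [a for a in aliases
            if not any(name_matches(c, a) for c in cert_names)]


if __name__ == "__main__":
    # Certificate whose only name is the IP, as change-ip.sh is said to create.
    for name in mismatched_aliases(SAMPLE_HOSTS, "10.5.0.68", ["10.5.0.68"]):
        print("hostname verification would fail for:", name)
```

Any name it reports either has to be added to the certificate or removed from the hosts entry for the server IP.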