Google is committed to advancing racial equity for Black communities. See how.

Custom domain configuration fails with invalid virtual host error in integrated developer portal

Symptom

Users get an Invalid virtual host value error while configuring the keystore, alias, and domain information for an integrated developer portal: Publish > Portals > Developer Portal > Settings > Domains.

Error message

The following error message is displayed:

Invalid virtual host value (id: <value>)

The error message is displayed in the Edge UI as shown below:

Error message displayed across the top of Publish > Portals > Developer Portal > Settings > Domains

Possible causes

Cause Description Troubleshooting instructions applicable for
TLS certificate chain provided is not in PEM format TLS certificate chains used in virtual hosts must be in PEM format. If a TLS certificate chain in non-PEM format is used, custom domain configuration will fail. Edge Public Cloud users
TLS certificate and key were provided in single file TLS certificate chain and private key need to be provided in individual files when uploading to the keystore. Otherwise, custom domain configuration will fail. Edge Public Cloud users

Cause: TLS certificate chain provided is not in PEM format

Diagnosis

  1. Verify that the TLS certificate chain is in PEM format.
  2. If the specific TLS certificate chain is not in PEM format, then it will cause the virtual host creation process to fail in the integrated developer portal. As a result, the above error message is displayed to the user on the custom domain configuration page of the Edge UI.

Resolution

If you have ascertained that the TLS certificate chain is not in PEM format, then do the following steps to resolve this issue:

  1. Convert the TLS certificate chain to PEM format.
  2. Validate that the TLS certificate chain is valid.
  3. Remove the existing TLS certificate chain and the private key from the specific keystore.
  4. Upload the file containing the TLS certificate chain in PEM format and the file containing the private key to the keystore using a key alias in the Edge UI or the Management API.
  5. Configure the keystore, alias, and domain name in the integrated developer portal: Publish > Portals > Developer Portal > Settings > Domains.
  6. Click Save.

Cause: TLS certificate and key were provided in single file

Diagnosis

  1. Verify that the given TLS certificate chain contains both the certificates and the private key in the same file uploaded to the keystore.
  2. View the original source file in a text editor on your system that you used to upload the TLS certificate chain and private key to the Apigee keystore.
  3. If the file contains both the TLS certificates and the private key, then each TLS certificate in the certificate chain begins with the following line:

    -----BEGIN CERTIFICATE-----

    and ends with the following line:

    -----END CERTIFICATE-----

    The TLS certificates are followed by the private key which begins with the following line:

    -----BEGIN RSA PRIVATE KEY-----

    and ends with the the following line:

    -----END RSA PRIVATE KEY-----

    as the following example shows:

    -----BEGIN CERTIFICATE-----
    CzAJBgNVBAYTAkJCMQswCQYDVQQIDAJCQjELMAkGA1UEBwwCQkIxDzANBgNVBAoM
    BkJCIEx0ZDELMAkGA1UECwwCQkIxEDAOBgNVBAMMB2Zvby5vcmcxGjAYBgkqhkiG
    9w0BCQEWC2FiY0Bmb28ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
    AQEA8IN15+8HrfeSVf4NIj7mM4jjms89EUX4HKrey+lm1+ljv3OGw+NK7BCHvoV3
    vZ+KXMHTtFeeFd1NgQZnDdbmuD0jTvvF7YoC/h6bLPytJquQJZykm9DyszsmACI8
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDbjCCAlYCCQCrcuwFhXCcujANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJB
    QTELMAkGA1UECAwCQUExCzAJBgNVBAcMAkFBMQ8wDQYDVQQKDAZBQSBMdGQxCzA
    BgNVBAsMAkFBMRMwEQYDVQQDDApjYS5mb28ub3JnMR0wGwYJKoZIhvcNAQkBFg5h
    YmNAY2EuZm9vLm9yZzAeFw0xOTEwMDQwNTA0MzVaFw0yOTEwMDEwNTA0MzVaMHk
    CzAJBgNVBAYTAkFBMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExDzANBgNVBAo
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    YcJpTL5yNyQE3NIXPGCiTrrSEBSX5X9ae8C/URlyWPbJ3jBE7GH4u6id5qEcgx6I
    /6QHDyPIhFcwfdU3nZbzZfwCYfH9SI5hQPscfGTotNxZxDwNIzuqqrIhari4e6lc
    mlEa/CDzOzvdYTX7RT1MmBY9US8JY5xhUKk0gQbhCfB7TcpvySldTbiUGQVn8h62
    /fJDhNQlzV7Maogc7te9DWW/HhYfGTFKOwIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
    AQAT/5FCiKJ/Pv62bl+GYuuc0gXXeumW2205dN5cXBAVZ3kRqHjR9tMCx3u+F2Td
    ...
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEA8IN15+8HrfeSVf4NIj7mM4jjms89EUX4HKrey+lm1+ljv3OG
    w+NK7BCHvoV3vZ+KXMHTtFeeFd1NgQZnDdbmuD0jTvvF7YoC/h6bLPytJquQJZyk
    m9DyszsmACI8hK4azrd7zZqTETVZN+mxOiYBfa1E1pE8v/bdIqnLTICmFbIQ2PVF
    zc0anobltRRI4/OcRb7QPQUk+dBxU7XyyAhcACROwaeT8yqksnYNANBcnMiS5qH+
    sucJFNJ9bGIuWIwhsYVxzrANe9ttVvie38Cj6Go+UiIzF3VAyRkIE7MvW9Qc5m0O
    ...
    -----END RSA PRIVATE KEY-----
  4. If you ascertain that the TLS certificate chain and private key were all combined in a single file and uploaded to the keystore, then that is the cause for virtual host creation to fail in the integrated developer portal. As a result, the above error message is displayed to the user on the custom domain configuration page on the Edge UI.

Resolution

If the TLS certificate PEM file contained both the TLS certificates and the private key, then do the following steps to resolve the issue:

  1. Move the private key from the TLS certificate PEM file and to a separate key file.
  2. Remove the existing TLS certificate from the specific keystore.
  3. Verify that the TLS certificate chain is in PEM format.
  4. If it is not, convert the TLS certificate chain to PEM format.
  5. Validate that the TLS certificate chain is valid.
  6. Upload the file containing the TLS certificate chain converted to PEM format and the file containing the private key to the keystore using a key alias in the Edge UI or the Management API.
  7. Configure the keystore, alias, and domain name in the integrated developer portal: Publish > Portals > Developer Portal > Settings > Domains.
  8. Click Save.

If the problem still persists, go to Must gather diagnostic information.

Must gather diagnostic information

If the problem persists after following the above instructions, gather the following diagnostic information and and share them with Apigee Support:

  • Apigee Edge Cloud organization name
  • Apigee Edge Cloud integrated developer portal name
  • Name of the keystore created in the portal environment
  • Alias name
  • Custom domain name
  • A screenshot of the custom domain configuration page capturing the error message
  •