
API Import Fails: Cert Fetch from Unreachable Backend #552

@denache19

APIM-CLI version

1.14.10

API-Management version

7.7.0.20240430

Question

Issue: API Import Fails Due to Certificate Fetching from Unreachable backendBasepath in API Manager

We're encountering issues with the API import process using apim-cli where the command fails due to certificate fetching behavior when the backendBasepath is unreachable.

This issue blocks API developers from deploying APIs.

Environment Details:
Tool: apim-cli-1.14.10 tool integrated into our CI/CD pipeline
Axway API Manager: Running in OpenShift
OpenShift Network Policies: Egress policy is enforced to restrict outbound traffic

Precondition:

DNS server is able to resolve FQDN, but backend is unreachable due to:

  • Egress network policy
  • Firewall rules
  • Intermittent connectivity during import

Command Used:

./apim.sh api import \
  -username apiadmin \
  -password ***** \
  -apimanagerUrl https://apimanager \
  -c /tmp/apiclli-import/api-config.yaml \
  -overrideSpecBasePath true \
  -clientOrgsMode replace \
  -returnCodeMapping 10:0 \
  -force

Problem:

During the apim-cli step, POST to /api/portal/v1.4/proxies, API Manager attempts to auto-fetch certificates from the domain specified in the backendBasepath. This causes import to fail if the backend is unreachable over HTTPS.

Behavior varies based on the protocol and domain specified in backendBasepath:

  1. HTTPS with a reachable domain, but blocked by Egress Network Policy or Firewall rule
  • Example: https://petstore.swagger.io/api/petstore
  • ❌ API Manager logs the following error:
    ERROR 24/Apr/2025:15:56:42.065 [...] Failed to import certificates during API virtualization: Error reading certificates. Connect to petstore.swagger.io:443 [petstore.swagger.io/3.210.50.158, petstore.swagger.io/34.230.189.251] failed: connect timed out
  2. HTTPS with an unknown/unresolvable domain
  • Example: https://petstore.swagger.io/api/petstore
  • ⚠️ API Manager logs:
    ERROR 24/Apr/2025:14:26:11.159 [...] Failed to import certificates during API virtualization: Error reading certificates. bojan-petstore.swagger.io: Name or service not known
  • In this case, despite these certificate-related errors, the import process still completes successfully, but with warnings in API Manager, as seen in the API Manager GUI (see the picture).

  3. HTTP (No TLS)

Disabling the two options under "API Manager settings" → "API Import" —
• "Strict certificate checking"
• "Server certificate verification"
— did not change the outcome.

Question: Can you confirm whether there is a way to disable certificate fetching during the import process within apim-cli, since doing so from the API Manager settings didn't work?

api-import.txt
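
A preflight check for the CI/CD pipeline that sorts a backendBasepath into the cases listed in the issue (unresolvable, resolves but connection blocked, reachable, plain HTTP) before `api import` runs. This is an added example, not part of the original issue or of apim-cli; the function and label names are hypothetical, and it assumes the check runs from the same network context as API Manager, since that is where the certificate fetch originates.

```python
import socket
from urllib.parse import urlsplit

# Hypothetical labels, one per case described in the issue.
UNRESOLVABLE = "https-unresolvable"      # log: "Name or service not known"
BLOCKED = "https-resolves-but-blocked"   # log: "connect timed out"
REACHABLE = "https-reachable"
NO_TLS = "http-no-tls"


def classify_backend(base_path, timeout=5.0,
                     resolve=socket.getaddrinfo,
                     connect=socket.create_connection):
    """Classify a backendBasepath by DNS and TCP reachability.

    resolve/connect are injectable so the logic can be exercised offline.
    """
    parts = urlsplit(base_path)
    if parts.scheme == "http":
        return NO_TLS
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"unsupported backendBasepath: {base_path!r}")
    port = parts.port or 443
    try:
        addrs = resolve(parts.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return UNRESOLVABLE
    # Try every resolved address; a single successful connect is enough.
    for *_, sockaddr in addrs:
        try:
            connect(sockaddr[:2], timeout=timeout).close()
            return REACHABLE
        except OSError:  # timeout, refused, or no route (egress policy/firewall)
            continue
    return BLOCKED


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py <backendBasepath> [...]
    for url in sys.argv[1:]:
        print(f"{url}\t{classify_backend(url)}")
```
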
