karpovmq
karpovmq
7 Posts

Pinned topic Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

‏2013-08-17T15:04:20Z |

We have IBM Sterling Connect Direct 4.2 on Windows 2003 Server. Everything is working fine, even the SSL configuration, and we exchange files properly. Now, I have migrated all the configuration to a Windows Server 2008 cluster environment. Everything is OK... I have configured IBM Sterling Connect Direct 4.6.0.1, including the SSL configuration (we just did a copy/paste of the certificates, keycerts and trusted files). Everything is OK and we are able to receive files under an SSL session. But there is an exception: the problem we are facing is that when we try to send files to our partners we get this error:


Message ID: CSPA311E
SSL Certificate verification failed, reason= self certificate in certificate chain:

Followed by this error:


Message ID: CSPA309E
SSL3_GET_SERVER_CERTIFICATE certificate verify failed:

We are using exactly the same configuration, except for the IP and server name, which have changed. Are the certificates linked in any way to the server name or the IP?

 

Old Sterling Connect Direct: 4.2

New Sterling Connect Direct: 4.6.0.1

 

Any hint on this issue is much appreciated.

  • VolkerFriedrich
    VolkerFriedrich
    181 Posts
    ACCEPTED ANSWER

    Re: Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

    ‏2013-09-17T12:15:16Z  
    • karpovmq
    • ‏2013-09-04T14:47:37Z
    Volker,
     
    Please correct me if I'm wrong. We use a self-signed certificate (created with the Certificate Wizard). Since we are able to receive files under an SSL session, but not to send files, the issue here is with our partner's certificate: we are missing some of their information. This new version of Connect Direct requires more information from our partner, since the previous environment was working fine with our certificate in their trusted store and their certificate in our trusted file. If we regenerate a certificate, should it solve the problem? Or do they just have to give us more information than what they are providing now (a certificate, as mentioned above)? Does it make sense to you?
     
    Thanks!!

     

    When you are the PNODE:
    Your local C:D node will verify the partner's certificate it receives during the SSL handshake. For this verification to be successful, your local Secure+ configuration needs to have the full chain of trusted certificates up to the CA root from your partner.

    Make sure you have all the required information from your partner and have configured it in the correct place.

    Obviously, you regenerating a new certificate would not solve this issue.

  • VolkerFriedrich
    VolkerFriedrich
    181 Posts

    Re: Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

    ‏2013-08-30T13:32:57Z  

    The underlying SSL Toolkit changed between versions 4.2.00 and 4.6.0. The later one now requires the full chain of trusted root certificates to verify your partner's certificate. Make sure you added all intermediate certificates.

    Have a look at Technote 1558783 (even though it is for different platforms):
    Transfer using SSL fails with messages related certificate.

  • karpovmq
    karpovmq
    7 Posts

    Re: Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

    ‏2013-09-04T01:30:41Z  

    Thanks Volker,
     
    Now what we receive from our partner is a certificate of this kind:
     
    -----BEGIN CERTIFICATE-----
    ......
    -----END CERTIFICATE-----
     
    We attach it to our trusted and that's all.
     
    Should they send us additional information? I'm not very literate about SSL (I'm sorry about that). So, should we ask them for their intermediate certificates? Are they similar to the one described above?
     
    Thanks in advance, we really appreciate your help.
  • VolkerFriedrich
    VolkerFriedrich
    181 Posts

    Re: Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

    ‏2013-09-04T08:00:28Z  

    The certificate encoding is the same as described above and won't tell. You will need to view the certificate to see what it is about, for example look at issuer, subject and key usage.

    There are several ways to view a certificate:
    - Click the View Certificates button in the CD Secure+ Admin Tool.
    - Put just the certificate in a text file and save it with a .cer extension. Then double-click the file to open it in the Windows Certificate Viewer.

    Yes, you should ask for the complete chain of (possible) intermediate and CA root certificates.
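
The chain check discussed in this thread, as an added example that is not part of any post: it uses the stock `openssl` command line rather than Secure+, builds a constructed root, intermediate and partner certificate (all names and file names are made up), lists subject and issuer for each certificate in a trusted file, and verifies the partner certificate against an incomplete and a complete trusted file. It assumes the partner's node sends its intermediate and root in the handshake; when that root is missing from the local trusted file, OpenSSL documents the failure reason as "self signed certificate in certificate chain".

```shell
#!/bin/sh
# Constructed demo data: every name and file below is made up for this example.

# Build root CA -> intermediate CA -> partner certificate in directory $1.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int partner; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/partner.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 30 -out "$d/partner.pem" 2>/dev/null || return 1
  # Certificates the partner's node sends with its own (assumed to include the root).
  cat "$d/int.pem" "$d/root.pem" > "$d/sent_chain.pem"
  # Trusted file as in the thread: only the partner's certificate was added.
  cp "$d/partner.pem" "$d/trusted_incomplete.pem"
  # Trusted file holding the full chain up to the CA root.
  cat "$d/partner.pem" "$d/int.pem" "$d/root.pem" > "$d/trusted_complete.pem"
}

# Print subject and issuer of every certificate in PEM bundle $1.
list_certs() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify the partner certificate in directory $1 against trusted file $2.
# Exit status is 0 only when a chain to a trusted root can be built.
verify_partner() {
  openssl verify -CAfile "$2" -untrusted "$1/sent_chain.pem" "$1/partner.pem" 2>&1
}

work=$(mktemp -d)
make_chain "$work" || { echo "openssl failed to build the demo chain" >&2; exit 1; }
list_certs "$work/trusted_complete.pem"
verify_partner "$work" "$work/trusted_incomplete.pem" || echo "=> incomplete trusted file rejected"
verify_partner "$work" "$work/trusted_complete.pem" && echo "=> full chain accepted"
rm -rf "$work"
```

Running `list_certs` on the file a partner actually supplied shows at a glance whether each issuer also appears as a subject in the same file, ending at a certificate whose subject and issuer are identical.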

  • karpovmq
    karpovmq
    7 Posts

    Re: Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

    ‏2013-09-04T14:47:37Z  

    Volker,
     
    Please correct me if I'm wrong. We use a self-signed certificate (created with the Certificate Wizard). Since we are able to receive files under an SSL session, but not to send files, the issue here is with our partner's certificate: we are missing some of their information. This new version of Connect Direct requires more information from our partner, since the previous environment was working fine with our certificate in their trusted store and their certificate in our trusted file. If we regenerate a certificate, should it solve the problem? Or do they just have to give us more information than what they are providing now (a certificate, as mentioned above)? Does it make sense to you?
     
    Thanks!!

     

  • ommaha
    ommaha
    3 Posts

    Re: Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

    ‏2014-05-30T09:15:37Z  

    Hi,

    I am also facing the same issue: I am not able to send/receive files from one side. On the other side, they are able to push/pull the files from the snode.

    When I initiate the session, it is considered the Pnode; at that time I am not able to push/pull the files.

    error "SSL3_GET_SERVER_CERTIFICATE - SSL 48"

    Pnode using CA certificate; Snode using self-signed certificate.

    Any hint on this issue?

  • VolkerFriedrich
    VolkerFriedrich
    181 Posts

    Re: Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

    ‏2014-05-30T18:37:53Z  

    Did you exchange trusted root certificates between the nodes?

    If the remote snode is using a self signed certificate, then you need to add this on the pnode side as the trusted root certificate for the snode entry.

  • ommaha
    ommaha
    3 Posts

    Re: Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

    ‏2014-06-10T02:17:59Z  

    Hi,

    Thanks for your reply.

    Yes, I put the self-signed certificate into the trusted root certificate field in Secure+ Admin.

    Is there anything else I have to do from my side?

    Thanks

    Maha