IC5Notice: We have upgraded developerWorks Community to the latest version of IBM Connections. For more information, read our upgrade FAQ.
Topic
  • 5 replies
  • Latest Post - ‏2012-11-12T03:49:59Z by SystemAdmin
SystemAdmin
SystemAdmin
3908 Posts

Pinned topic SSL0227E: SSL Handshake Failed, Specified label could not be found ...

‏2012-11-01T14:36:25Z |
I'm trying to get SSL working on IBM HTTP Server v 7.0.0.21

I created a new KDB and stashed the PW. The company I'm dealing with has their own Certificate Authority, so I created the personal certificate request using ikeyman, sent them the request, and they sent back the new root certificate.

I created the signer certificate using the certificate that was sent to me by the Certificate Authority, setup the httpd.conf file how I've done in previous SSL configurations, and recycled the HTTP Server.

I cannot access any secure urls. I tried to hit the HTTP server over port 443 directly and I get Page cannot be displayed.

When I looked in the error_log I saw this:

Thu Nov 01 10:31:19 2012 crit http://client 10.3.48.216 81a3ce8 22667 SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file.

I checked and made sure the label was in proper format / not using any reserved characters and it's fine.

Any ideas?

Thanks in advance.
Updated on 2012-11-12T03:49:59Z at 2012-11-12T03:49:59Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: SSL0227E: SSL Handshake Failed, Specified label could not be found ...

    ‏2012-11-01T16:08:03Z  
    I once saw a cert label with trailing spaces -- hard to spot it w/o gsk7capicmd -cert -list sent to a file and looking carefully.
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: SSL0227E: SSL Handshake Failed, Specified label could not be found ...

    ‏2012-11-01T18:20:14Z  
    I once saw a cert label with trailing spaces -- hard to spot it w/o gsk7capicmd -cert -list sent to a file and looking carefully.
    Just deleted the signer cert and re-added it making sure there were no spaces, trailing spaces, or reserved characters, and still getting the SSL0227E error
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: SSL0227E: SSL Handshake Failed, Specified label could not be found ...

    ‏2012-11-01T19:16:33Z  
    Just deleted the signer cert and re-added it making sure there were no spaces, trailing spaces, or reserved characters, and still getting the SSL0227E error
    "specified label not found" implies the label specified with SSLServerCert is not found. A personal cert, not a signer.
  • Sunit
    Sunit
    194 Posts

    Re: SSL0227E: SSL Handshake Failed, Specified label could not be found ...

    ‏2012-11-05T14:17:49Z  
    If your company uses its own CA then this the way you should create the certificate:

    After you create the kdb and stash the password:

    1. Go to the Personal Certificates and create a certificate request.
    2. Export the request and send it to the CA (in your case your company CA).
    3. CA will sign and return you the certificate.
    4. Display the returned certificate using windows and check the signing chain.
    5. Export each certificate in the signing chain except your own to a file
    6. Add each of the certificate from the chain starting with Root in trusted certificates in your kdb
    7. Go to the personal certificates tab in your kdb and use the 'Receive" button to receive the signed certificate.
    8. In your httpd.conf file point to the signed personal certificate.
    9. Restart IHS

    • Sunit
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: SSL0227E: SSL Handshake Failed, Specified label could not be found ...

    ‏2012-11-12T03:49:59Z  
    Just try these 2 things.

    1) Comment SSLServerCert in httpd.conf
    2) Make sure you have only one personal certificate in KDB, set that certificate as default (this is very important as when you comment SSLServerCert in httpd.conf it will look for the default certificate, it will usually show an asterisk in front of personal certificate name when you open the kdb).

    Hope that quickly solves your problem.