brokermq

Reputation: 87

Getting this error: SSL3_GET_SERVER_CERTIFICATE certificate verify failed

We have IBM Sterling Connect Direct 4.2 on Windows 2003 Server, and everything is working fine, even the SSL configuration; we exchange files properly. Now I have migrated all the configuration to a Windows Server 2008 cluster environment. Everything is OK... I have configured IBM Sterling Connect Direct 4.6.0.1 (even the SSL configuration; we have just made a copy/paste of the certificates, keycerts and trusted files). Everything is OK and we are able to receive files under an SSL session. But... there is an exception. The problem we are facing is that when we try to send files to our partners we get this error:

Message ID: CSPA311E
SSL Certificate verification failed, reason= self certificate in certificate chain:

Followed by this error:

Message ID: CSPA309E
SSL3_GET_SERVER_CERTIFICATE certificate verify failed:

We are using exactly the same configuration, except for the IP and server name, which have changed. Are the certificates in any way linked to the server name or the IP?

Any hint on this issue is much appreciated.

Upvotes: 1

Views: 10438

Answers (1)

My-Name-Is

Reputation: 4942

A certificate is issued for a specific domain name or IP address. I'm pretty sure that this is the reason for your error. You can check this with keytool.exe, which is shipped with a JRE or JDK installation and is located in the /bin directory. So issue the following from your command line:

keytool.exe -printcert -file C:\path\to\your\file.crt

This will give an output like: [screenshot not reproduced]

In the second line there you can see: Owner: CN=localhost, ... which means that this certificate is issued for localhost.

If this CN entry differs from the new IP address or domain name, you have two possibilities.

  1. Create a new certificate which is issued for that specific IP or domain. You can use the Java keytool.exe again.
  2. You need to update your client application which checks the validity of the certificate. That is, you need to tell the client not to check the cert's CN name against the real IP address or domain name of the remote server. (Not recommended for security reasons.)

Upvotes: 2
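The two failure modes in play here are independent, and it helps to test each one on its own before changing anything in the client: the name check (whether the certificate covers the host being connected to, which is what keytool's Owner line tells you) and the chain check (whether the certificate chains up to something in the trusted file; OpenSSL reports the latter as "self signed certificate in certificate chain", which is the closest OpenSSL reason text to the one in CSPA311E). The script below is an added example, not from the original post or from IBM's product: it builds a constructed CA and a partner certificate for the made-up host partner.example.com, then runs both checks with OpenSSL. It assumes an OpenSSL 1.1.0 or newer command-line tool (for -no-CAfile/-no-CApath) and a writable temporary directory; every name and path in it is invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or from IBM's product): reproduce
# the two checks an OpenSSL-based client runs on a partner's certificate.
# The CA, the partner name and every file path are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/cd-ssl-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Build a constructed chain: a private CA and a partner certificate it issued
# for the host partner.example.com (name in the CN and in subjectAltName).
make_demo_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo Partner CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=partner.example.com" \
        -keyout "$dir/partner.key" -out "$dir/partner.csr" 2>/dev/null
    printf 'subjectAltName=DNS:partner.example.com\n' > "$dir/san.ext"
    openssl x509 -req -sha256 -days 1 -in "$dir/partner.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/partner.crt" 2>/dev/null
}

# The Owner / Issuer lines that keytool -printcert shows, read with openssl.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Self-signed means subject and issuer are the same name. Prints yes or no.
cert_is_self_signed() {
    if [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; then echo yes; else echo no; fi
}

# Name check: does the certificate cover the host the client connects to?
# This is the check that option 2 in the answer would switch off. Prints yes or no.
cert_matches_host() {
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
        echo yes
    else
        echo no
    fi
}

# Chain check: does the certificate verify against the trusted file, given the
# intermediates the partner would send? System trust stores are disabled so
# only the supplied trusted file counts; pass "" as the trusted file to verify
# with no trust anchors at all. Prints ok, or "fail:" plus OpenSSL's reason text.
verify_against_trusted() {
    cert="$1"; trusted="$2"; intermediates="$3"
    set -- -no-CAfile -no-CApath -untrusted "$intermediates"
    if [ -n "$trusted" ]; then set -- "$@" -CAfile "$trusted"; fi
    if out=$(openssl verify "$@" "$cert" 2>&1); then
        echo ok
    else
        echo "fail: $(printf '%s\n' "$out" | tr '\n' ' ')"
    fi
}

make_demo_certs "$WORK"
echo "Owner:  $(cert_subject "$WORK/partner.crt")"
echo "Issuer: $(cert_issuer "$WORK/partner.crt")"
echo "self-signed:                $(cert_is_self_signed "$WORK/partner.crt")"
echo "covers partner.example.com: $(cert_matches_host "$WORK/partner.crt" partner.example.com)"
echo "covers 10.0.0.5:            $(cert_matches_host "$WORK/partner.crt" 10.0.0.5)"
echo "CA in trusted file:         $(verify_against_trusted "$WORK/partner.crt" "$WORK/ca.crt" "$WORK/ca.crt")"
echo "CA not in trusted file:     $(verify_against_trusted "$WORK/partner.crt" "" "$WORK/ca.crt")"
```

Run against a real partner certificate, replace the constructed files with the partner's certificate, the certificates it sends as intermediates, and your own trusted file: a "no" from cert_matches_host points at the name problem the answer describes, while a "fail:" from verify_against_trusted with the certificate name still matching points at the trusted file rather than at the host name, and is worth ruling out before turning off any checking in the client.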
