Certificate Chain or Paths
I want to validate a certificate chain. I decided to use CertPathValidator; the problem is that I have root or trusted certificates in a collection as follows:
Collection CACert = cf.generateCertificates(is);
Now the PKIXParameters constructor takes these certificates as a Set of TrustAnchors.
PKIXParameters params = new PKIXParameters(set of TrustAnchors);
I don't know how to convert the collection of certificates to a Set of TrustAnchors. I cannot use the other constructor of PKIXParameters, which takes the KeyStore, because I have all Root Certificates stored in a different format in my MHP application.
Can anyone help me out...
Hummm let me make sure I understand what you're saying. It sounds as if you want
to find a portable way of using this particular class. A way that will work
regardless of what JCE provider is installed on the machine running your code?
If that is correct then unfortunately you're SOL. The problem is that there is no
public code (interfaces or other) defined in the standard Java API
to define this type of class. As a result no matter what you try and do you are
going to have to hard code some class like the BouncyCastle class.
My recommendation to you would be to include the BouncyCastle ASN package with
your code. They do not have to use the BouncyCastle JCE provider but the Bouncy
Castle code must be in their class path...
Of course you could write your own ASN/DER package and include that instead but
you'll probably find it easier to just include the BC code base in your
distribution. If that distribution is webstart or applet then maybe you trim it
down in size by just including the ASN package and classes that are required by it.
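The question at the top of the thread is the conversion from the Collection returned by CertificateFactory.generateCertificates(...) to the Set<TrustAnchor> that PKIXParameters expects. The following is an added example written for this page, not code from the thread: it wraps each root as a TrustAnchor, builds a CertPath from a chain and validates it with CertPathValidator. The file names "trusted-roots.pem" and "server-chain.pem" and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/*
 * Added example (not code from the original thread). Converts the Collection
 * returned by CertificateFactory.generateCertificates(...) into the
 * Set<TrustAnchor> that PKIXParameters needs, then validates a chain with
 * CertPathValidator. The file names "trusted-roots.pem" and "server-chain.pem"
 * are assumptions for illustration.
 */
public class TrustAnchorValidation {

    /* Wraps every X.509 certificate in the collection as a TrustAnchor.
     * The null second argument means no name constraints on the anchor. */
    public static Set<TrustAnchor> toTrustAnchors(Collection<? extends Certificate> roots) {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Certificate c : roots) {
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }

    /* Validates a chain ordered end-entity first. A self-signed root at the
     * end is dropped, since PKIX takes the anchor from the TrustAnchor set and
     * not from the path. Throws CertPathValidatorException on failure. */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                       Set<TrustAnchor> anchors,
                                                       boolean checkRevocation) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        if (path.size() > 1) {
            X509Certificate last = path.get(path.size() - 1);
            if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                path.remove(path.size() - 1);
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);   // throws if the anchor set is empty
        params.setRevocationEnabled(checkRevocation);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }

    /* Reads every certificate in a PEM or DER bundle, keeping file order. */
    public static List<X509Certificate> loadAll(String fileName) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream is = new FileInputStream(fileName)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(is)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = toTrustAnchors(loadAll("trusted-roots.pem"));
        List<X509Certificate> chain = loadAll("server-chain.pem");
        // Revocation checking is switched off here only because CRL/OCSP lookups
        // need network access; leave it on (the PKIX default) in production.
        PKIXCertPathValidatorResult r = validate(chain, anchors, false);
        System.out.println("Chain is valid; anchored at "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

The roots never have to go through a KeyStore, which is the constraint in the question: whatever format the MHP application keeps them in, as soon as they are X509Certificate objects they can be wrapped as anchors. A chain that does not lead to one of the anchors makes validate() throw CertPathValidatorException with the reason, rather than returning a result.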
Similar Messages
-
PEM or DER Format certificate chain
I have installed an ISE 1.2.0.899. It is used for Guest Services only; the customer requires all its employees to be able to access the sponsor portal and validate their credentials using LDAPS. Not LDAP, not the AD feature in ISE. The problem is that in order to enable LDAPS I must upload the root CA certificate to ISE, and the customer is not providing the root CA certificate for security reasons (?); they said the certificate chain should be enough. Even the ISE user guide indicates root CA or certificate chain. So, the customer downloaded the certificate chain from its PKI (Microsoft 2008) and gave it to me, but it is in .p7b (PKCS#7) format (they said there is no choice to select another format). This format is not supported by ISE, so I needed to use third party tools to convert the file (www.sslshopper.com and openssl). It appears the conversion is successful but when I try to upload to the ISE Certificate Store I always get the same error: "Unable to read certificate file - please be sure file is in PEM or DER format".
So the questions are:
1. Is the file provided by the PKI in p7b format always?
2. What should be the most proper way to convert the file to something the ISE can understand?
3. Should the root CA certificate be the very best option?
Even with the conversion problems indicated above, I tried to open and convert the file using the mmc. I know the certificate chain has three files; I recovered them and uploaded them to ISE. With two of these three files selected in the LDAPS security configuration I can run the "Test bind to Server" successfully, but every time a user tries with their own credentials access is always denied with an "invalid username or password" error.
Looking in the ISE log I found these messages:
ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): error message = SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally",LdapSslConnectionContext.cpp:226
ERROR,0x2b263618c940,LdapConnectionBindingState::onInput(id = 634): bind ended with an error: 117,LdapConnectionStates.cpp:396
631,WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=1, Crypto.SSLConnection.pvClientInfoCB - Alert raised: code=0x230=560, where=0x4008=16392, source=local,SSLConnection.cpp:2765
WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=102, Crypto.SSLConnection.writeData - failed write the data,SSLConnection.cpp:970
ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): crypto result = 102,LdapSslConnectionContext.cpp:202
ERROR,0x2b263618c940,cntx=0000005789,user=tmxedscalcan,LdapServer::onAcquireConnectionResponse: failed to acquire connection,LdapServer.cpp:461
ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::openCdcConnection] Can't open CDC session due to error 32: ADClient is not running,ActiveDirectoryClient.cpp:1328
ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::connectClient] AD CDC client connection failed!,ActiveDirectoryClient.cpp:117
ERROR,0x2b263436e940,NIL-CONTEXT,ActiveDirectoryIDStore::performConnection - Connecting client failed,ActiveDirectoryIDStore.cpp:608
I don't have idea what do they mean.
Someone told me the conversion made with mmc on my PC was an error and I need to repeat the same process using administrative tools on a server.
I'm really confused and I don't know how continue with a troubleshoot process.
How can I know the original file is correct?
How can I know the conversion is correct?
As the original chain includes three certificates, I should upload them to ISE separately or as one file?
Attached is the Sponsor policy screenshot. I have two rules with the same conditions, one for AD (just for test), one for LDAPS.
I will appreciate your help
Regards.
Daniel Escalante
Hi,
If you open the .p7b file on a Windows machine. (Open not install)
Go to the Certification Path and click on the root certificate, click View Certificate.
Now you have the root certificate.
Go to Details and click Copy to File. This gives you the option to export the root cert.
Click next, here you can select to save as Base-64 encoded (DER) that you can import in ISE.
Click next and save. Then try to import under Server certificates on ISE.
You can do this for sub-CA cert in the chain as well.
HTH -
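The thread above goes through third-party converters and the Windows certificate viewer to get individual PEM certificates out of a .p7b bundle. The JDK's X.509 CertificateFactory reads PKCS#7 certificate bundles (DER or Base64-wrapped) directly, so the same extraction can be scripted. The following is an added example written for this page, not code from the thread or from ISE: it loads the bundle, labels each certificate as root CA, intermediate CA or end entity, and writes each one as its own PEM file. The input name "chain.p7b", the output naming scheme and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/*
 * Added example, not from the original thread: reads a PKCS#7 (.p7b) bundle,
 * which the JDK's X.509 CertificateFactory accepts directly, classifies each
 * certificate and writes it as a separate PEM file. "chain.p7b" is an assumed
 * input file name.
 */
public class P7bToPem {

    /* Encodes one certificate as PEM: Base64 of the DER bytes in 64-character lines. */
    public static String toPem(X509Certificate cert) throws Exception {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                .encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
    }

    /* getBasicConstraints() is -1 when the certificate is not a CA (cA=false or
     * no BasicConstraints at all). A CA whose subject equals its issuer is a root. */
    public static String classify(X509Certificate cert) {
        boolean ca = cert.getBasicConstraints() != -1;
        boolean selfIssued = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        if (ca && selfIssued) return "root-ca";
        if (ca) return "intermediate-ca";
        return "end-entity";
    }

    /* Parses every certificate in a PKCS#7, PEM or DER input. */
    public static List<X509Certificate> load(InputStream in) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(in)) {
            certs.add((X509Certificate) c);
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> certs;
        try (InputStream in = new FileInputStream("chain.p7b")) {
            certs = load(in);
        }
        int i = 0;
        for (X509Certificate cert : certs) {
            String kind = classify(cert);
            String name = String.format("cert%d-%s.pem", i++, kind);
            Files.write(Paths.get(name), toPem(cert).getBytes(StandardCharsets.US_ASCII));
            System.out.printf("%s  %s%n  issued by %s%n", name,
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal());
        }
    }
}
```

The printed subject/issuer pairs answer the "is the file correct?" question in the post: each certificate's issuer should be the subject of another certificate in the bundle, and exactly one should be self-issued. The file labelled root-ca is the one the LDAPS trust configuration needs; the "Unknown CA - unable to get issuer certificate locally" alert in the log is what a TLS client reports when that issuer is missing from its store.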
The verification of the server's certificate chain failed
Hi All,
Not sure this is the right forum for this but never mind.
I am trying to get abap2GApps working and am having problems with the client certificates.
I am getting the below error in ICM :-
[Thr 06] Mon Jul 30 09:34:47 2012
[Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 06] session uses PSE file "/usr/sap/BWD/DVEBMGS58/sec/SAPSSLC.pse"
[Thr 06] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 06] >> Begin of Secude-SSL Errorstack >>
[Thr 06] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
[Thr 06] << End of Secude-SSL Errorstack
[Thr 06] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 06] SSL NI-sock: local=172.30.7.170:59036 peer=172.30.8.100:80
[Thr 06] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000053910f0)==SSSLERR_SSL_CONNECT
[Thr 06] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000726d5} [icxxconn_mt.c 2031]
Having already got the accounts.google.com SSL certificate chain installed and working I can't get the docs.google.com SSL chain working.
For accounts.google.com they use (this set works) :-
1) CN=accounts.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
2) CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
3) OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
For docs.google.com they use a different set of SSL certs. :-
1) CN=*.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
2) CN=Google Internet Authority, O=Google Inc, C=US
3) OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Can anyone explain what I am doing wrong or how to correct this?
Thanks
Craig
Further UPDATE
After removing every certificate related to docs.google.com I still get the same error!
I have even tried downloading the root certificate directly from GeoTrust themselves and yet I still get the same error.
I have even resorted to running SAP program ZSSF_TEST_PSE from note 800240 to check the PSE and all is well!
Referring to SAP Note 1318906 suggests I am missing a certificate in the chain but I am not!
"Situation: The ICM is in the client role and the following entry is displayed in the trace:
ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
Reason:You try to set up a secure connection to a server, but the validity of the certificate cannot be verified because the required certificates are not available.
Solution:The missing certificates are listed in the trace file. You must use transaction STRUST to insert these certificates in the Personal Security Environment (PSE) that is used for the connection. The certificates are usually made available to you by the server administrator. If the certificates are public Certification Authority (CA) certificates, you can also request the certificates there."
What could possibly be causing this?
Please help!
Craig -
SunPKCS11's keystore requirements (fails to build certificate chain)
According to http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#KeyStoreRestrictions in order to build a certificate chain, SunPKCS11 performs the following to match certificates:
From the end entity certificate, a call to C_FindObjectsInit is made with a search template that includes the following attributes:
CKA_TOKEN = true
CKA_CLASS = CKO_CERTIFICATE
CKA_SUBJECT = [DN of certificate issuer]
This matching fails for an etoken (opensc/pkcs15, key and certs stored with keytool -importkeystore from jks) containing the following objects, where the issuer's DN is CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 16
Native : yes
Path : 3f005015
Auth ID : 01
ID : 612d736974
X.509 Certificate [a-sit]
Flags : 2
Authority: no
Path : 3f0050153178
ID : 612d736974
X.509 Certificate [Certificate]
Flags : 2
Authority: no
Path : 3f005015313a
ID : 636e3d766572697369676e20636c617373203320636f6465207369676e696e6720323030342063612c6f753d7465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f7270612028632930342c6f753d766572697369676e207472757374206e6574776f726b2c6f3d76657269
The end entity certificate is successfully matched to the key:
Version: V3
Subject: CN=Zentrum fuer sichere Informationstechnologie - Austria (A-SIT), OU=Digital ID Class 3 - Java Object Signing, O=Zentrum fuer sichere Informationstechnologie - Austria (A-SIT), L=Vienna, ST=Vienna, C=AT
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 113647510668539930848910584051009146136267080950854001463338500293556842878352765608061940674763417364058781591049348918719586172693823356224986624474642218762804163195838659801763621964100792207693593891254043592410389875992114868414436934974159621776873147367719845947683002652939166210516092495059090352681
public exponent: 65537
Validity: [From: Thu Nov 20 01:00:00 CET 2008,
To: Mon Nov 21 00:59:59 CET 2011]
Issuer: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ 17e26e45 7f8659ef e6cf3ef5 52fa1224]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com, accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 08 F5 51 E8 FB FE 3D 3D 64 36 7C 68 CF 5B 78 A8 ..Q...==d6.h.[x.
0010: DF B9 C5 37 ...7
[3]: ObjectId: 1.3.6.1.4.1.311.2.1.27 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 08 30 06 01 01 00 01 01 FF ..0.......
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 risign.com/rpa
[5]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
Object Signing
[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
codeSigning
[8]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://CSC3-2004-crl.verisign.com/CSC3-2004.crl]
[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Algorithm: [SHA1withRSA]
Signature:
0000: 93 57 89 4A 4E 63 16 29 73 92 F1 D3 C7 B3 3C 87 .W.JNc.)s.....<.
0010: C9 FB 22 52 DD DD 59 AB 3A 63 E3 65 8E 34 D4 C3 .."R..Y.:c.e.4..
0020: 4E A0 6D 8E BB 89 DD 97 CE 63 2C 9F 43 CF 1F 55 N.m......c,.C..U
0030: 39 74 32 5E 75 93 91 57 A3 63 F7 AD F3 5D 6F C7 9t2^u..W.c...]o.
0040: D7 CB A7 8B 79 43 C6 00 2E C8 AD E1 D5 A7 95 97 ....yC..........
0050: 21 AD 9E 7E 58 05 A0 80 5D 27 0E FA B6 6E 41 58 !...X...]'...nAX
0060: 68 34 25 F7 EB CE 17 62 CE 48 A0 32 2B 79 50 14 h4%....b.H.2+yP.
0070: E0 A0 1E 69 35 66 51 D7 E0 C7 BA BF 6B E4 9A B4 ...i5fQ.....k...
0080: 22 36 C9 D2 E9 20 4D 10 8F 82 28 CE 3C 2C 8D 3C "6... M...(.<,.<
0090: 51 73 AA EF 30 01 8A 3C CF A8 4F 25 60 DF 59 95 Qs..0..<..O%`.Y.
00A0: EC 12 D8 1F 40 8A 13 AD E8 D5 D9 31 8C 3E CE C5 [email protected].>..
00B0: 78 C8 C3 BA 33 07 54 78 93 B0 3E 2F 26 C8 83 64 x...3.Tx..>/&..d
00C0: 78 B8 67 59 A2 7E 74 97 D9 DE 5C D9 E9 CC 83 8D x.gY..t...\.....
00D0: A3 E4 11 7C E4 03 E2 01 6C EA 11 AB 13 37 A6 7D ........l....7..
00E0: 12 CE 21 2F 62 5D 15 A1 CB 4D 31 1A CC CE A2 9D ..!/b]...M1.....
00F0: 3C B2 D2 6C 53 D4 5C 9B B4 D4 72 E8 03 D0 A8 4E <..lS.\...r....N
]
KeyStore ks = KeyStore.getInstance("JKS");
What's that for?
ks.load(null,null);
It's empty.
X509Certificate cert1 = (X509Certificate)cf.generateCertificate(inStream);
So here you have an X509Certificate in 'cert1'.
ks.setCertificateEntry("root", cert1);
So here you put it into the KeyStore.
X509Certificate rootCert = (X509Certificate)ks.getCertificate("root");
And here you get it out again.
Why? What's the difference between 'rootCert' and 'cert1'? -
Certificate chain: ValidateCertChain utility
When I run
java -cp weblogic.jar utils.ValidateCertChain -jks mykey mykeystore
to validate the Certificate Chain which is present in mykeystore, it returns the following error (some information obfuscated):
Cert[0]: CN=XXXXXX,OU=YYY,O=ZZZ,L=WWW,ST=ZZ,C=PP
CA cert not marked with critical BasicConstraint indicating it is a CA
Cert[1]: E=[email protected],CN=XXXXXX,OU=YYY,O=ZZZ,L=WWW,ST=
RR,C=LL
Certificate chain is invalid
Cert[1] is the CA root certificate (generated with openssl), cert[0] is the certificate generated by openssl (through a .csr file) using the CA root above.
The problem (if I understood correctly) is that Cert[0] does not have the flag
BasicConstraints: CA=true
(the CA root certifies cert[0]; cert[0] is the certificate for the private key of the keystore: is it really an intermediate CA??? It seems quite strange...)
Anyway, how can I re-generate cert[0] with that flag set? -
Certificate validation against multiple certificate chain
Hello everyone,
I would like to have your opinion on a specific use case of the java.security.cert API.
I've a set of trusted certificate chains provided in a trusted way by a CA. An example of a chain would be: R->I1->I2, R being a root certificate and I1/I2 being intermediate CAs.
I receive messages from some untrusted sources. These messages are signed using some end-user certificate, let's call it U. The certificate U is only transmitted along with the message (i.e. it's not available from a trusted source).
Verifying the validity of the signed message is therefore a two step process:
- Check that the signature made by U is valid.
- Check that a valid certificate path can be built from U (querying a CRL if needed) back to a trusted anchor, such as R->I1->I2->U.
Now, my question is, how to efficiently achieve the latter with the java.security.cert API?
The most straightforward way I've found so far to validate a certificate against a set of certificate chains is to use the CertPathBuilder interface:
1) I build a CertStore (of type "Collection") with all my trusted certificate chains in it.
2) I add the received U certificate to the store.
3) I try to build a certificate path specifying "U" as the target certificate in the search constraints (X509CertSelector).
If the algorithm finds a valid path, it returns it, and U could possibly be kept in the store for future use.
If no valid path can be deduced, U is removed from the store, and a corresponding error is returned.
Does this sound like a good way of doing it?
All suggestions are most welcome,
Thanks,
M. H.
Ok, I think I've found my solution.
Actually, if you specify a target certificate using the X509CertSelector.setCertificate method, the said certificate doesn't have to be in a CertStore in order to perform the validation:
// the 'store' variable contains only the trusted certificate chains.
CertStore store = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(certCol));
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector targetConstraints = new X509CertSelector();
targetConstraints.setCertificate(userCertificate);
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraints);
params.addCertStore(store);
/* params.setRevocationEnabled(false); */ // If needed.
PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) cpb.build(params);
CertPath path = result.getCertPath();
This is it: on validation, the "path" variable will contain the complete certificate chain including the tested certificate.
I've still a problem with OCSP validations though, but I'll create a new topic for that...
Thank you for your time, ejp,
++
Edited by: marc_h on May 14, 2010 5:54 AM -
Error creating AIR file: Unable to build a valid certificate chain for the signer.
Hi, My boss got a certificate from Thawte, and I'm getting this error message when building my AIR app.
Error creating AIR file: Unable to build a valid certificate chain for the signer.
I'm on windows XP.
thanks,
steve
To manage your code signing certificate, please see
http://www.adobe.com/devnet/air/articles/signing_air_applications_print.html
The error you are seeing is typically caused by exporting a cert without the trust chain. On Windows, in IE, you can manage your keystore by going to
Internet Options > Content > Certificates
When you export the certificate needed for signing your app, be sure to check “Include all certificates in the certificate path, if possible”. -
Hello,
I have this issue regarding certificate chains while performing Outlook Anywhere connectivity test
by Microsoft Remote Connectivity Analyzer:
"ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."
Note: even if I got the error, Outlook Anywhere and
ActiveSync services work fine.
Environment:
- Exchange 2007 with SP3
- Go Daddy Multiple Domains UCC certificate (up to 5 Subject Alternative Names)
I already read and followed instructions in this TechNet post
"Can I safely ignore this warning about the SSL cert? Using GoDaddy UCC cert" but it is a little bit different in this case.
So after an investigation I understand the issue above is related to SSL certificate
Certification Path (see screenshots below).
NO ERRORS on ExRCA checking
Go Daddy Secure Certification Authority is under Intermediate Certification Authorities
repository
Go Daddy Class 2 Certification Authority is under Intermediate Certification Authorities
repository
Starfield Technologies (http://www.valicert.com)
is under Trusted Root Certification Authorities repository
ERROR on ExRCA checking
Go Daddy Secure Certification Authority is under Intermediate Certification Authorities
repository
Go Daddy Class 2 Certification Authority is under Trusted Root Certification Authorities
repository
Can you add some useful information ?
I'm opening a support ticket at Go Daddy; I hope they can give me some positive feedback.
Regards,
Luca Fabbri
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Strange, I have a feeling the exrca tool can't validate the godaddy class2 root authority due to some older compatibility and wants to use the older original root authority valicert owned godaddy. Or when the exrca tool is validating the root CA it only has the
godaddy class2 root ca that was issued by valicert and not the standalone cert when doing the comparison. I sent the question to MS and will let you know when I hear back.
You can get rid of it
https://certs.godaddy.com/anonymous/repository.seam
Download the cert
gd_cross_intermediate.crt
Then import it into the trusted root cert authority on your CAS boxes. Then you need to delete the other godaddy class2 root authority. Make sure you see the one you imported; both will be named godaddy class2 root authority but one will be issued by valicert.
Re-run the test and it will go away, I also saw the error with my domain as well using godaddy and got rid of it by using the new cert authority.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com -
Apache plugin for Weblogic not forwarding entire X509 certificate chain
I really hope there's someone out there that can help with this. I've spent all week trying various things to make this work.
SUMMARY
It doesn't appear that the Weblogic plugin (mod_wl_20.so) for Apache (2.0.49) sends the entire X509 certificate chain sent from a client to Weblogic (9.2).
DESCRIPTION
We have Apache set up to accept client certificates over SSL. This authentication process is successful. When viewing the weblogic plugin log, I can see the headers that are being sent to weblogic:
Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Content-Type]=[text/xml; charset=utf-8]
Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Accept]=[application/soap+xml, application/dime, multipart/related, text/*]
Thu Aug 9 11:34:20 2007 Hdrs from clnt:[User-Agent]=[Axis/1.2.1]
Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Host]=[denwlsd1:4044]
Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Cache-Control]=[no-cache]
Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Pragma]=[no-cache]
Thu Aug 9 11:34:20 2007 Hdrs from clnt:[SOAPAction]=[""]
Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Content-Length]=[1096]
Thu Aug 9 11:34:20 2007 URL::sendHeaders(): meth='POST' file='/ddm/services/CDAService' protocol='HTTP/1.0'
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Content-Type]=[text/xml; charset=utf-8]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Accept]=[application/soap+xml, application/dime, multipart/related, text/*]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[User-Agent]=[Axis/1.2.1]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Host]=[denwlsd1:4044]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Cache-Control]=[no-cache]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Pragma]=[no-cache]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[SOAPAction]=[""]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Content-Length]=[1096]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Connection]=[Keep-Alive]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-SSL]=[true]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Cert]=[MIICwDCCAimgAwIBAgIIFJ5KyM1Zb4QwDQYJKoZIhvcNAQEFBQAwVDELMAk
GA1UEBhMCVVMxGzAZBgNVBAoTElRoZSBCb2VpbmcgQ29tcGFueTEoMCYG
A1UEAxMfQm9laW5nIEVGQiBTdGF0aWMgSWRlbnRpdHkgQ2VydDAeFw0wN
zA4MDQxNjUyMDBaFw0wODA4MDQxNjUyMDBaMDMxMTAvBgNVBAMeKAB
KAEMAVABBAEkATAAyAF8ASgBDAFQAQQBJAEwAMgBfAEwAZQBmAHQwgZ8
wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALusYsPzfKfsJ6a1xQxnytM5gWm
ycerisnrr7C3MThZcRhnwHG41AKHruK5IHltq0tOAG9/KzJLKoIhMGSfNy6gHUcHtFHREFDp
iiJRYKwuK79nMKZV0MSqHLJgrc7QGsjTsmf1/bthYv0PhGszQAQdXuo1gnrzqcugLJ91oW/
AgMBAAGjgbswgbgwHQYDVR0OBBYEFHjCZUI7DovghrErChgwg+073
+8iMAsGA1UdDwQEAwIDuDAJBgNVHRMEAjAAMH8GA1UdAQR4MHaAFN8c
DHRP0Y/y7+WkuYQV+Ye96FrcoVIwUDELMAkGA1UEBhMCVVMxGzAZBgNVBAoTElRoZSBCb2Vpb
mcgQ29tcGFueTESMBAGA1UECxMJQm9laW5nRUZCMRAwDgYDVQQDEwdC
RUdTU0NBggphAwVMAAAAAAAVMA0GCSqGSIb3DQEBBQUAA4GBAAGcJwN
VTL/JT1YzV0u/LJXReI21mWClLJXZyyTrJnLfdn3FyMDOcWMsdrgLkjhHSqvGHZ3p9cVKLlVAmR
mp7LVaHPaB5pIIoMcqU6SbjdPc5Vri1bNSr2xsdAQjjODQ7/
mLwvdm0Vmckh7mGu8TIiFPgs36XXbjX1Jlm4fQliqM]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Keysize]=[128]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Secretkeysize]=[128]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-IP]=[169.143.117.159]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Proxy-Client-IP]=[169.143.117.159]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-Forwarded-For]=[169.143.117.159]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-WebLogic-Request-ClusterInfo]=[true]
Thu Aug 9 11:34:20 2007 URL::parseHeaders: StatusLine set to [200 OK]
Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Cache-Control]=[no-cache="set-cookie"]
Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Connection]=[close]
Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Date]=[Thu, 09 Aug 2007 17:34:20 GMT]
Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Content-Type]=[text/xml; charset=utf-8]
Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-WebLogic-Cluster-List]=[-74568267!DENWLSD1!7711!7712]
Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Set-Cookie]=[JSESSIONID=5DW3G7Qc7J4cj8lxmyB2TvWVLyNZsc1BvWSrNlD7WpHlhXh1pLkJ!-74568267!NONE; path=/]
Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-Powered-By]=[Servlet/2.4 JSP/2.0]
Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-WebLogic-Cluster-Hash]=[5W6lXYIMbTiSiDe6du3DoRx3JK4]
The key here seems to be WL-Proxy-Client-Cert. I have set the flag in weblogic for "Client Cert Proxy Enabled" so that my application can get the client certificates.
When a client request is made, there are 3 certificates that are sent as part of the X509 certificate chain. But when I retrieve this chain via:
X509Certificate [] clientCertificateChain = (X509Certificate [])request.getAttribute("javax.servlet.request.X509Certificate");
The length of this array is only 1! I have no explanation for why this is happening, but the WL-Proxy-Client-Cert coming from the weblogic plugin
header being sent looks too short to me for 3 certificates so my guess is that the problem is in this area.
Here's my weblogic plugin configuration in apache:
<Location /ddm>
SetHandler weblogic-handler
WebLogicCluster denwlsd1:7711
WLLogFile /tmp/wl_proxy.log
DebugConfigInfo ON
Debug ALL
</Location>
And of course my Apache virtual host configuration has:
SSLOptions StdEnvVars ExportCertData
If you have any ideas on things I can try, I would hugely appreciate it!!!
Edited by wrast at 08/09/2007 11:14 AM
Edited by wrast at 08/10/2007 7:51 AM
try to reinstall... -
Verisign certificate & Chain File Name
Perhaps a newbie question, but here goes:
I am having trouble installing a Verisign certificate on my Weblogic 6.0
server. I have my private key and certificate file installed properly I
believe, but am unsure what to put in the Certificate Chain File entry
in the console. I only have 1 certificate for this server. I have tried
to
a) leave it empty - in which case it uses a default file name which does
not exist
b) use the certificate I got from Verisign
c) export a class 3 certificate from my browser and use that file
In all the cases that I give it an existing file name, I get the
following stack trace:
weblogic.security.CipherException: Incorrect encrypted block
at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:208)
at
weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
at weblogic.security.X509.verifySignature(X509.java:243)
at
weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
at
weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
at
weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
<Sep 5, 2001 8:18:55 AM PDT> <Alert> <WebLogicServer> <Inconsistent
security configuration, weblogic.security.AuthenticationException:
Incorrect encrypted block possibly incorrect
SSLServerCertificateChainFileName set for this server certificate>
weblogic.security.AuthenticationException: Incorrect encrypted block
possibly incorrect SSLServerCertificateChainFileName set for this server
certificate
at weblogic.security.X509.verifySignature(X509.java:251)
at
weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
at
weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
at
weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
OK. Found out what it was.
The Server Certificate Chain File name is what Verisign calls the
Intermediate Certificate. So what you need to do is grab that cert off the
Verisign site, paste it into a new file on your server and put that file
name in as the path to the Chain File name.
New question: Why the 2 names for the same thing ? The documentation could
be a bit clearer here, as it's a very simple process that seems more
complicated than it needs to be (IMHO).
-
SUN Java System Web Server 7.0U1 How to install certificate chain
I am trying to install a certificate chain using the SUN Java Web Server 7.0U1 HTTPS User interface. What I have tried so far:
1. Created a single file using vi editor containing the four certificates in the chain by cutting an pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pem
2. Go to Certificates Tab/Server Certificates
3. Choose Install
4. Cut and paste contents of cert_chain.pem in the certificate data box.
5. Assign to httplistener
6. Nickname for this chain is 'server_cert'
7. Select httplistener and assign server_cert (for some reason, this is not automatically done after doing step 5).
8. No errors are received.
When I display server_cert (by clicking on it), only the first certificate of the chain is displayed and only that cert is provided to the client during the SSL handshake.
I tried to do the same, except using the Certificate Authority Tab, since this gave the option of designating the certificate as a CA or chain during installation. When I selected "chain," I get the same results when I review the certificate (only the first cert in the file is displayed). This tells me that entering the chain in PEM format is not acceptable. I tried this method since it worked fine with the F5 BIG-IP SSL appliance.
My question is what format/tool do I need to use to create a certificate chain that the Web Server will accept?
turrie wrote:
1. Created a single file using vi editor containing the four certificates in the chain by cutting and pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pem
In my opinion (I may be wrong) cutting and pasting multiple begin/end blocks
--- BEGIN CERTIFICATE ---
... some data....
--- END CERTIFICATE ---
--- BEGIN CERTIFICATE ---
... some data....
--- END CERTIFICATE ---
is NOT the way to create a certificate chain.
I have installed a certificate chain (it had 1 BEGIN CERTIFICATE and one END CERTIFICATE only and still had 2 certificates) and I used the same steps as you mentioned and it installed both the certificates.
some links :
https://developer.mozilla.org/en/NSS_Certificate_Download_Specification
https://wiki.mozilla.org/CA:Certificate_Download_Specification -
TMG - 0x80090325 -Certificate Chain was issued by an authority that is not trusted
Hello,
I am having some problems with testing a OWA (SSL) rule. I get that message.
The TMG belongs to the domain and therefore as far as I know it gets the root certificate of my CA (I have deployed a Enterprise CA for my domain).
That is why I don't understand the message: "...that is not trusted."
The exact message:
Testing https://mail.mydomain.eu/owa
Category: Destination server certificate error
Error details: 0x80090325 - The certificate chain was issued by an authority that is not trusted
Thanks in advance!
Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)
Thanks Keith for your reply and apologies for the delay in my answer.
I could not wait and I reinstalled the whole machine (W28k R2 + TMG 2010). I suppose I am still a bad troubleshooter, I have experience setting up ISA, TMG, PKI, Active Directory but to a certain extent.
1. Yes, I saw it when hitting the button "Test Rule" in the Publishing rule in the TMG machine.
2. No, it did not work in this implementation but it has worked in others, this is not difficult to set up, until now, hehe.
3. You said: "...If you are seeing it when running "Test Rule" then it simply means that TMG does not trust something about the certificate that is on your Exchange Server...."
But the certificates are auto-enrolled, and when I saw the details of the certificates they all are "valid" , there is a "valid" message.
4. You wrote: "...Easiest way see everything is create an access rule that allows traffic from the LocalHost of TMG to the CAS and open up a web browser. Does the web browser complain?..."
But as I said, I re-installed the whole thing because nobody jumped in here , and I needed to move forward, I hope you understand.
5. S Guna kindly proposed this:
If you are using internal CA,
You need to import the Root CA certificate to TMG servers.
Import Private Key of the certificate to Server personal
Create an Exchange publishing Rule and point the listener to the correct certificate.
Since you are using internal CA, You need to import the Root CA certificate to all the client browsers from where you are accessing OWA
But I think I do not have to perform any of those tasks, although I am not an expert but have worked with Certificate for one year or so.
Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain) -
"The certificate chain was issued by an authority that is not trusted" when migrating to SQL 2012
Environment:
1 Primary Site (USSCCM-Site.domain.com)
1 CAS (USSCCM-CAS.domain.com)
SQL 2008 R2 (USSCCM-CAS.domain.com)
SQL 2012 SP1 CU6 (USSQL12.domain.com)
Issue:
We were successfully able to migrate the CAS to the new SQL 2012 server, almost without incident. When attempting to migrate the Site instance however, we are getting errors. Screenshot below.
Attached is a copy of the log. But below is a highlight of what I think are the errors… It appears that either SQL or SCCM doesn’t like a certificate somewhere, but it is contradicting because the logs say that it has successfully tested connection to SQL.
I am lost.
Logs stating it can connect successfully to SQL
Machine certificate has been created successfully on server USSQL12.domain.com. Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
Deinstalled service SMS_SERVER_BOOTSTRAP_USSCCM-Site.domain.com_SMS_SQL_SERVER on USSQL12.domain.com. Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
SQL Server instance [sccmsite] is already running under the certificate with thumbprint[f671be844bf39dec7e7fdd725dc30e225991f28a]. Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: Testing SQL Server [USSQL12.domain.com] connection ... Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Unsecure Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: Tested SQL Server [USSQL12.domain.com] connection successfully. Any preceding SQL connection errors may be safely ignored. Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: Certificate [...] Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: Created SQL Server machine certificate for Server [USSQL12.domain.com] successfully. Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: Configuration Manager Setup - Application Shutdown Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: Running SQL Server test query. Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Secure Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: SQL Server Test query succeeded. Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: SQLInstance Name: sccmsite Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
INFO: SQL Server version detected is 11.0, 11.0.3381.0 (SP1). Configuration Manager Setup 10/21/2013 10:20:10 AM 2100 (0x0834)
Logs saying certificate is not trusted
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:20:49 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:20:49 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:20:49 AM 2100 (0x0834)
*** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS. Configuration Manager Setup 10/21/2013 10:20:49 AM 2100 (0x0834)
INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure Configuration Manager Setup 10/21/2013 10:20:49 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:20:52 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:20:52 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:20:52 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:20:52 AM 2100 (0x0834)
*** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS. Configuration Manager Setup 10/21/2013 10:20:52 AM 2100 (0x0834)
INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure Configuration Manager Setup 10/21/2013 10:20:52 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:20:55 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:20:55 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:20:55 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:20:55 AM 2100 (0x0834)
*** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS. Configuration Manager Setup 10/21/2013 10:20:55 AM 2100 (0x0834)
INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure Configuration Manager Setup 10/21/2013 10:20:55 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:20:58 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:20:58 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:20:58 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:20:58 AM 2100 (0x0834)
*** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS. Configuration Manager Setup 10/21/2013 10:20:58 AM 2100 (0x0834)
INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure Configuration Manager Setup 10/21/2013 10:20:58 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:21:01 AM 2100 (0x0834)
More logs saying cert is not trusted
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:21:20 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:21:20 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:21:20 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:21:20 AM 2100 (0x0834)
*** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS. Configuration Manager Setup 10/21/2013 10:21:20 AM 2100 (0x0834)
INFO: Updated the site control information on the SQL Server USSQL12.domain.com. Configuration Manager Setup 10/21/2013 10:21:39 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:21:39 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 10/21/2013 10:21:39 AM 2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:21:39 AM 2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 10/21/2013 10:21:39 AM 2100 (0x0834)
*** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS. Configuration Manager Setup 10/21/2013 10:21:39 AM 2100 (0x0834)
CSiteSettings::WriteActualSCFToDatabase: Failed to get SQL connection Configuration Manager Setup 10/21/2013 10:21:39 AM 2100 (0x0834)
CSiteSettings::WriteActualSCFToDatabaseForNewSite: WriteActualSCFToDatabase(USA) returns 0x87D20002 Configuration Manager Setup 10/21/2013 10:21:39 AM 2100 (0x0834)
ERROR: Failed to insert the recovery site control image to the parent database. Configuration Manager Setup 10/21/2013 10:21:39 AM 2100 (0x0834)
Troubleshooting:
I have read on a few articles of other people having this issue that states to find the certificate on SQL 2012 that’s being used and export it to the SCCM server – which I’ve done.
http://damianflynn.com/2012/08/22/sccm-2012-and-sql-certificates/
http://trevorsullivan.net/2013/05/16/configmgr-2012-sp1-remote-sql-connectivity-problem/
http://scug.be/sccm/2012/09/19/configmgr-2012-rtm-sp1-and-remote-management-points-not-healthy-when-running-configmgr-db-on-a-sql-cluster/
-Brad
Hi,
How about importing the certificate in the Personal folder under the SQL Server computer account into the SCCM server computer account or SCCM server service account? That certificate is for SQL Server identification. And you could set the value of the ForceEncryption option to NO. (SQL Server Configuration Manager->SQL Server Network Configuration->Protocols for <server instance>->Properties)
Best Regards,
Joyce Li
-
Hello,
I have configured BizTalk Services Hybrid Connection between Standard Azure Website and SQL Server 2014 on premise.
Azure Management portal shows the status of Hybrid Connection as established.
However, the website throws an error when trying to open a connection
<add name="DefaultConnection" connectionString="Data Source=machine name;initial catalog=AdventureWorks2012;Uid=demouser;Password=[my password];MultipleActiveResultSets=True" providerName="System.Data.SqlClient" />
(The same website, with the same connection string deployed on SQL Server machine works correctly).
I tried various options with the connection string (IP address instead of machine name, Trusted_Connection=False, Encrypt=False, etc.); the result is the same
[Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
[SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.
I tried various machines - on premise and a clean Azure VM with SQL Server and it results in the same error - below full stack
The certificate chain was issued by an authority that is not trusted
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ComponentModel.Win32Exception: The certificate chain was issued by an authority that is not trusted
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
[SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)]
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +5341687
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +546
System.Data.SqlClient.TdsParserStateObject.SNIWritePacket(SNIHandle handle, SNIPacket packet, UInt32& sniError, Boolean canAccumulate, Boolean callerHasConnectionLock) +5348371
System.Data.SqlClient.TdsParserStateObject.WriteSni(Boolean canAccumulate) +91
System.Data.SqlClient.TdsParserStateObject.WritePacket(Byte flushMode, Boolean canAccumulate) +331
System.Data.SqlClient.TdsParser.TdsLogin(SqlLogin rec, FeatureExtension requestedFeatures, SessionData recoverySessionData) +2109
System.Data.SqlClient.SqlInternalConnectionTds.Login(ServerInfo server, TimeoutTimer timeout, String newPassword, SecureString newSecurePassword) +347
System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover) +238
System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout) +892
System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance) +311
System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData) +646
System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) +278
System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) +38
System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +732
System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +85
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +1057
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +78
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +196
System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +146
System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +16
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry) +94
System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry) +110
System.Data.SqlClient.SqlConnection.Open() +96
System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +44
[EntityException: The underlying provider failed on Open.]
System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +203
System.Data.EntityClient.EntityConnection.Open() +104
System.Data.Objects.ObjectContext.EnsureConnection() +75
System.Data.Objects.ObjectQuery`1.GetResults(Nullable`1 forMergeOption) +41
System.Data.Objects.ObjectQuery`1.System.Collections.Generic.IEnumerable<T>.GetEnumerator() +36
System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +369
System.Linq.Enumerable.ToList(IEnumerable`1 source) +58
CloudShop.Services.ProductsRepository.GetProducts() +216
CloudShop.Controllers.HomeController.Search(String SearchCriteria) +81
CloudShop.Controllers.HomeController.Index() +1130
lambda_method(Closure , ControllerBase , Object[] ) +62
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +193
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
System.Web.Mvc.Async.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41() +28
System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +10
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +58
System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +225
System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +23
System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +99
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +14
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +39
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +29
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +25
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +31
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9651188
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
Regards,
Michal
Michal Morciniec
Same issue here, looking for more information!
-
TMG Error code 500 Certificate chain was issued by an authority that is not trusted
Hello colleagues
I have site https://site.domain.ru:9510/pmpsvc
In site work: http://imgur.com/2cQ6vlF
I publish this site through TMG 2010, but I have error:
500 Internal Server Error. The certificate chain was issued by an authority that is not trusted (-2146893019).
On TMG server via MMC I imported certificate to:
http://imgur.com/eYqjrQg and reboot TMG server, but problem is not solved.
Maybe someone solved this problem?
Thanks.
This is because your certificate is unable to reach CA to verify the certificate
Ensure your TMG can reach the certificate authority
Import Root CA certificate to Trusted Root certificate authority in CertMGR
If you are using intermediate CA then import the intermediate CA certificate to intermediate CA in certmgr
Thanks, but I use certificate "*.domain.ru" and other https sites without port 9510 work fine. Maybe the problem with the site on TMG is because of a problem with the certificate on the web server (about Certificate error) -
http://imgur.com/2cQ6vlF ??
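The threads above all trip over one of three things that openssl(1) can show in a few commands: which certificate belongs in WebLogic's "Server Certificate Chain File" slot (it has to be the certificate that actually issued the server cert, which is why Verisign's intermediate works while the server cert itself or a browser-exported root fails the signature check behind "Incorrect encrypted block"); how to turn a concatenated PEM file into the single-object PKCS#7 chain that the Sun Java System Web Server thread describes (one BEGIN/END block carrying several certificates), which is what openssl crl2pkcs7 produces; and why Windows clients (TMG, the SCCM setup log, the Azure website talking to SQL Server) report "The certificate chain was issued by an authority that is not trusted" when the issuing root is not in their trust store. The script below is an added example, not code from any of the posts, products or vendors above. It assumes OpenSSL 1.1.0 or later is on the PATH and it invents its own throwaway CA hierarchy, file names and subject names; nothing in it is taken from the posters' environments.

```shell
#!/bin/sh
# Added example (not code from any of the posts above). Needs openssl(1).
# Every path, key and subject name below is invented for the demo.
set -eu

# Build a throwaway root -> intermediate -> server PKI in directory $1, plus
# an unrelated self-signed root standing in for a trust store without our root.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  cat >"$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  for ca in root other-root; do
    openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
      -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example $ca CA" \
      -keyout "$dir/$ca.key" -out "$dir/$ca.pem" 2>/dev/null
  done
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -set_serial 1001 -days 30 -sha256 -extfile "$dir/openssl.cnf" -extensions ca_ext \
    -out "$dir/int.pem" 2>/dev/null
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -set_serial 1002 -days 30 -sha256 -extfile "$dir/openssl.cnf" -extensions leaf_ext \
    -out "$dir/server.pem" 2>/dev/null
}

# Is $2 the certificate that issued $1, i.e. the right "chain file" for it?
# $2's subject must equal $1's issuer and $2's key must verify $1's signature;
# the signature check is the one that fails when the server cert itself or
# the root is configured. -partial_chain lets a non-root be the trust anchor,
# so nothing beyond $2 is consulted.
is_issuer_of() {
  leaf=$1; candidate=$2
  leaf_issuer=$(openssl x509 -in "$leaf" -noout -issuer)
  cand_subject=$(openssl x509 -in "$candidate" -noout -subject)
  [ "${leaf_issuer#issuer=}" = "${cand_subject#subject=}" ] || return 1
  openssl verify -partial_chain -no-CApath -CAfile "$candidate" "$leaf" >/dev/null 2>&1
}

# Wrap every certificate in PEM file $1 into one PKCS#7 object ($2), a single
# BEGIN/END block carrying the whole chain, then count what it holds.
pem_chain_to_pkcs7() {
  openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2" 2>/dev/null
}
pkcs7_cert_count() {
  openssl pkcs7 -in "$1" -print_certs 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Full path validation: the intermediate is offered untrusted, as a server
# sends it in the handshake, and only $3 is a trust anchor. With the wrong
# anchor this fails the way Windows reports "issued by an authority that is
# not trusted".
verify_path() {
  leaf=$1; intermediate=$2; trusted=$3
  openssl verify -no-CApath -CAfile "$trusted" -untrusted "$intermediate" "$leaf" >/dev/null 2>&1
}

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
make_test_pki "$PKI"

echo "== candidate chain files for server.pem"
for f in server.pem root.pem int.pem; do
  if is_issuer_of "$PKI/server.pem" "$PKI/$f"; then
    echo "$f: issued server.pem, this is the chain file"
  else
    echo "$f: did not issue server.pem"
  fi
done

echo "== PKCS#7 chain"
cat "$PKI/server.pem" "$PKI/int.pem" "$PKI/root.pem" >"$PKI/chain.pem"
pem_chain_to_pkcs7 "$PKI/chain.pem" "$PKI/chain.p7b"
echo "chain.p7b holds $(pkcs7_cert_count "$PKI/chain.p7b") certificates"

echo "== path validation against two trust stores"
for t in root.pem other-root.pem; do
  if verify_path "$PKI/server.pem" "$PKI/int.pem" "$PKI/$t"; then
    echo "anchor $t: OK"
  else
    echo "anchor $t: not trusted"
  fi
done
```

On Windows, the last check corresponds to importing the root into the machine's Trusted Root Certification Authorities store (and the intermediate into Intermediate Certification Authorities), which is what two of the replies above recommend; turning SQL Server's ForceEncryption off, as the other reply suggests, removes the server-enforced encryption rather than fixing the trust problem. A .p7b exported from a Windows CA is usually DER, so read it with `openssl pkcs7 -inform DER -print_certs` to get the PEM certificates out.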