Untrusted Certificate Chain

Keep receiving Msg "you are attempting to open a secure connection, but the server's cert is not trusted".  If I try to trust certificate it requires that I enter my key store password. I have no idea what that is.  If I View the Certificate it says the program is "rcp.na.blackberry.com" with an untrusted cert chain - stale chain status - x 509.  It stops popping up when I disconnect from my wifi, otherwise it keeps popping up at different times.

hello,
have you heard of "secured transaction" or "electronic signature" or "e-signing" or "SSL" ?
to make things short : when you browse the web, anyone can "do something" and be able to sniff what you send and what you receive.
When you log on the present forum, you do it with HTTP.
If your neighbor knows how, he/she can get the password you use to connect.
that is why people have created SSL. when you go to a secured website, like your bank website, or paypal, or amazon, you go to a page whose URL starts with HTTPS:// instead of HTTP://
if your browser is up-to-date, something should change in the address bar : a color, a sign, a lock that is closed (even on your blackberry Browser).
HTTPS stands for HTTP over SSL. basically, SSL is a security tunnel.
when you use that SSL, nobody can get the information that you exchange with the webserver.
but the SSL protocol is something open : anyone can create an SSL key and say "hey, come and see me, my tunnel is secure". So you have to know who that person is. It is also done by something like SSL. It's called electronic certificates. Codename : X.509.
so an X.509 is a certificate that says "I am AAA and I can do BBB !".
how can you trust that certificate ? Because it is certified by a higher authority (a private one, not necessarily government). You know these authorities. They appear on the bottom of your bank websites :
Verisign
Thawte
Certicom (cough cough cough)
CertPlus
RSA (the SecurID !)
VISA (the credit card !)
and so on...
these are very valuable Certificate Authorities (CA) that you can trust. But how can you, since you may have never heard of them ?
well, RIM does that for you, just like any browser system does.
When you look at your Windows system, you will see all those CA in the list, as well as others like AOL or Dell or Microsoft.
On your BlackBerry system, it's the same : RIM has put trust in those CAs.
Those CAs are stored somewhere on your device, in a place called the KeyStore.
The problem comes when you log on to a website, that uses HTTPS, and whose X.509 certificate is certified by a CA that is not present on your device.
therefore, the certificate is valid, but not trusted by your browser.
you are saying the CA is rcp.na.blackberry.com : that is quite strange actually. What website are you trying to log on ?

Similar Messages

  • Untrusted Server Certificate Chain error

    I am trying to use a certificate (digital signature) on the client, when accessing a Webservice. This fails with the following error :
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
    My code is :
    import java.io.BufferedReader;
    import java.io.FileInputStream;
    import java.io.InputStreamReader;
    import java.net.URL;
    import java.security.KeyStore;
    import java.security.Security;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    KeyStore ks = null;
    String strURL = "https://myserver.com/myurl/lookup.asmx";
    SSLSocketFactory sslSocketFactory = null;
    System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    // Load certificate dynamically
    SSLContext sslContext = SSLContext.getInstance("SSLv3");
    TrustManagerFactory trustMgtFactory = TrustManagerFactory.getInstance("SunX509");
    CertificateFactory cert = CertificateFactory.getInstance("X.509");
    FileInputStream lo_fileinputstream = null;
    lo_fileinputstream = new FileInputStream("c:\\temp\\digital.cer");
    X509Certificate servercacert = (X509Certificate) cert.generateCertificate(lo_fileinputstream);
    lo_fileinputstream.close();
    String s1 = servercacert.getSerialNumber().toString();
    // In-memory trust store that holds only the certificate read from the file
    if (ks == null)
        ks = KeyStore.getInstance("JKS");
    ks.load(null, null);
    ks.setCertificateEntry(s1, servercacert);
    trustMgtFactory.init(ks);
    sslContext.init(null, trustMgtFactory.getTrustManagers(), null);
    sslSocketFactory = sslContext.getSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
    // Call webservice
    URL cascadeURL = new URL(strURL);
    HttpsURLConnection conn = (HttpsURLConnection) cascadeURL.openConnection();
    String inputline = null;
    if (conn instanceof HttpsURLConnection) {
        conn.connect();
        BufferedReader in = new BufferedReader(
            new InputStreamReader(
                conn.getInputStream()));
        while ((inputline = in.readLine()) != null) {
            System.out.println(inputline);
        }
        // Close the reader once, after the whole response has been read
        in.close();
    }
    Please help - I am on a very tight deadline (as usual).

    Found the problem. I simply needed to add another certificate.

  • JDK1.2.2 and untrusted server chain and HELP

    Hi,
    I'm using JDK1.2.2 and I've downloaded and installed JSSE1.02. I have also installed the server cert in my own truststore.
    The server to whom I want to connect sends two certificates.
    One is valid and this is the one I need and I have and one that is timed out and of no importance for me...at least I guess it is.
    But my JSSE-application throws this exception. For more detailed information I've attached the log:
    keyStore is :
    keyStore type is : jks
    init keystore
    init keymanager of type SunX509
    trustStore is: C:/NetDynamics50/java/jre/lib/security/lauerstore
    trustStore type is : jks
    init truststore
    adding as trusted cert: [
    Version: V3
    Subject: CN=inte.myaxa.de, OU=Executive Management, O=@AXA GmbH, L=Koeln, ST=NRW, C=DE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@31cdcb27
    Validity: [From: Fri Jun 15 16:25:05 GMT+02:00 2001,
                   To: Sun Jun 15 16:25:05 GMT+02:00 2003]
    Issuer: [email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [    080e20]
    Certificate Extensions: 2
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    [2]: ObjectId: 2.5.29.37 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 17 30 15 06 08 2B 06 01 05 05 07 03 01 06 09 ..0...+.........
    0010: 60 86 48 01 86 F8 42 04 01 `.H...B..
    Algorithm: [MD5withRSA]
    Signature:
    init context
    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, v3.1
    RandomCookie: GMT: 983585972 bytes = { 41, 169, 119, 141, 169, 223, 159, 184, 182, 97, 133, 56, 227, 20, 209, 115, 225, 62, 106, 169, 106, 250, 37, 25, 45, 7, 25, 215 }
    Session ID: {}
    Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
    Compression Methods: { 0 }
    [write] MD5 and SHA1 hashes: len = 59
    Thread-6, WRITE: SSL v3.1 Handshake, length = 59
    [write] MD5 and SHA1 hashes: len = 77
    Thread-6, WRITE: SSL v2, contentType = 22, translated length = 16310
    Thread-6, READ: SSL v3.0 Handshake, length = 1599
    *** ServerHello, v3.0
    RandomCookie: GMT: 722821779 bytes = { 190, 56, 167, 5, 198, 89, 180, 112, 96, 251, 78, 78, 144, 103, 57, 130, 219, 11, 56, 169, 199, 73, 79, 241, 241, 131, 74, 145 }
    Session ID: {0, 154, 4, 1, 195, 195, 38, 26, 66, 92, 154, 191, 59, 96, 218, 24, 81, 133, 102, 48, 169, 26, 50, 42, 10, 49, 78, 150, 71, 182, 163, 33}
    Cipher Suite: { 0, 4 }
    Compression Method: 0
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    [read] MD5 and SHA1 hashes: len = 74
    *** Certificate chain
    chain [0] = [
    Version: V3
    Subject: CN=inte.myaxa.de, OU=Executive Management, O=@AXA GmbH, L=Koeln, ST=NRW, C=DE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@5f45cb24
    Validity: [From: Fri Jun 15 16:25:05 GMT+02:00 2001,
                   To: Sun Jun 15 16:25:05 GMT+02:00 2003]
    Issuer: [email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [    080e20]
    Certificate Extensions: 2
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    [2]: ObjectId: 2.5.29.37 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 17 30 15 06 08 2B 06 01 05 05 07 03 01 06 09 ..0...+.........
    0010: 60 86 48 01 86 F8 42 04 01 `.H...B..
    Algorithm: [MD5withRSA]
    Signature:
    chain [1] = [
    Version: V1
    Subject: [email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@96e1cb27
    Validity: [From: Sat Jul 27 20:07:57 GMT+02:00 1996,
                   To: Mon Jul 27 20:07:57 GMT+02:00 1998]
    Issuer: [email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [  0  ]
    Algorithm: [MD5withRSA]
    Signature:
    out of date cert: [
    Version: V1
    Subject: [email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@96e1cb27
    Validity: [From: Sat Jul 27 20:07:57 GMT+02:00 1996,
                   To: Mon Jul 27 20:07:57 GMT+02:00 1998]
    Issuer: [email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [  0  ]
    Algorithm: [MD5withRSA]
    Signature:
    Thread-6, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
    Thread-6, WRITE: SSL v3.0 Alert, length = 2
    javax.net.ssl.SSLException: untrusted server cert chain
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Compiled Code)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Compiled Code)
         at java.io.OutputStream.write(OutputStream.java:65)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
         at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
         at de.myaxa.application.adapter.SessionController.hitSession(Compiled Code)
         at java.lang.reflect.Method.invoke(Native Method)
         at de.myaxa.application.adapter.Command.execute(Compiled Code)
         at de.myaxa.application.adapter.MyAxaInterfaceServlet.doPost(MyAxaInterfaceServlet.java:117)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:747)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:840)
         at netdyn.servlet.CNdServletRequestHandler.handleRequest(CNdServletRequestHandler.java:132)
         at netdyn.servlet.env.CNdRequestEnvironment.executeRequest(Compiled Code)
         at netdyn.servlet.env.CNdRequestEnvironment.executeRequest(CNdRequestEnvironment.java:427)
         at netdyn.servlet.env.CNdRequestEnvironment.executeRequest(CNdRequestEnvironment.java:376)
         at netdyn.servlet.CNdServletManager.handleRequest(CNdServletManager.java:347)
         at netdyn.services.cp.worker.CNdCPWorkerOperations.webEventMessage(CNdCPWorkerOperations.java:530)
         at netdyn.services.cp.worker.CNdCPWorkerImpl.webEventMessage(CNdCPWorkerImpl.java:82)
         at netdyn.services.cp.stubs._tie_INdCPWorker.webEventMessage(_tie_INdCPWorker.java:23)
         at netdyn.services.cp.stubs._INdCPWorkerImplBase._execute(_INdCPWorkerImplBase.java:73)
         at netdyn.services.cp.stubs._INdCPWorkerImplBase._execute(_INdCPWorkerImplBase.java:48)
         at com.visigenic.vbroker.orb.SkeletonDelegateImpl.execute(Compiled Code)
         at com.visigenic.vbroker.orb.GiopProtocolAdapter.doRequest(Compiled Code)
         at com.visigenic.vbroker.orb.GiopProtocolAdapter.dispatchMessage(Compiled Code)
         at com.visigenic.vbroker.orb.ThreadPoolDispatcher.run(Compiled Code)
         at com.visigenic.vbroker.orb.WorkerThread.run(Compiled Code)
    de.myaxa.application.adapter.SessionController@89c5cb25 : javax.net.ssl.SSLException: untrusted server cert chain :

    [ O66183],
    This exception occurs because of an invalid or expired certificate within a public key certificate chain that causes the JSSE to terminate abnormally.
    If you look at your log file, you can see an 'out of date cert' message. I have extracted that part of the log with this statement:
              <SNIPPED>
    out of date cert: [
    Version: V1
    Subject: EmailAddress=[email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@96e1cb27
    Validity: [From: Sat Jul 27 20:07:57 GMT+02:00 1996,
                   To: Mon Jul 27 20:07:57 GMT+02:00 1998]
    Issuer: EmailAddress=[email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    SerialNumber: [  0  ]
              <SNIPPED>
    HTH.
    Allen Lai
    Developer Technical Support
    SUN Microsystems
    http://www.sun.com/developers/support/

  • Java.security.cert.CertificateException: Untrusted Cert Chain

    Hi all,
    While sending transaction to our supplier I am facing below error, Actually Our trading partner has given .p7b cert, I converted it into base 64 and I am using in b2b server. I am doing the same with all the suppliers but I am facing issue with only this trading partner. I asked him to send a new trusted certificate but he said that he is having 100's of customers, all are using the same certificate.
    Error
    http.sender.timeout=0
    2010.05.20 at 10:52:20:711: Thread-19: B2B - (DEBUG) scheme null userName null realm null
    2010.05.20 at 10:52:22:159: Thread-19: B2B - (WARNING)
    Message Transmission Transport Exception
    Transport Error Code is OTA-HTTP-SEND-1006
    StackTrace oracle.tip.transport.TransportException: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
         at oracle.tip.transport.TransportException.create(TransportException.java:91)
         at oracle.tip.transport.basic.HTTPSender.send(HTTPSender.java:627)
         at oracle.tip.transport.b2b.B2BTransport.send(B2BTransport.java:311)
         at oracle.tip.adapter.b2b.transport.TransportInterface.send(TransportInterface.java:1034)
         at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequestPostColab(Request.java:1758)
         at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequest(Request.java:976)
         at oracle.tip.adapter.b2b.engine.Engine.processOutgoingMessage(Engine.java:1167)
         at oracle.tip.adapter.b2b.transport.AppInterfaceListener.onMessage(AppInterfaceListener.java:141)
         at oracle.tip.transport.basic.FileSourceMonitor.processMessages(FileSourceMonitor.java:903)
         at oracle.tip.transport.basic.FileSourceMonitor.run(FileSourceMonitor.java:317)
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Cert Chain
         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
         at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:112)
         at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3018)
         at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:2843)
         at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:2635)
         at HTTPClient.HTTPConnection.Post(HTTPConnection.java:1107)
         at oracle.tip.transport.basic.HTTPSender.send(HTTPSender.java:590)
         ... 8 more
    Caused by: java.security.cert.CertificateException: Untrusted Cert Chain
         at oracle.security.pki.ssl.C21.checkClientTrusted(C21)
         at oracle.security.pki.ssl.C21.checkServerTrusted(C21)
         at oracle.security.pki.ssl.C08.checkServerTrusted(C08)
         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
         ... 21 more
    2010.05.20 at 10:52:22:164: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.transport.TransportInterface:send Error in sending message
    2010.05.20 at 10:52:22:168: Thread-19: B2B - (INFORMATION) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequestPostColab Request Message Transmission failed
    2010.05.20 at 10:52:22:170: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Enter
    2010.05.20 at 10:52:22:173: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Transaction.begin()
    2010.05.20 at 10:52:22:176: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Leave
    2010.05.20 at 10:52:22:179: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequestPostColab [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
    Untrusted Cert Chain
    2010.05.20 at 10:52:22:226: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.engine.Engine:notifyApp retry value <= 0, so sending exception to IP_IN_QUEUE
    2010.05.20 at 10:52:22:232: Thread-19: B2B - (DEBUG) Engine:notifyApp Enter
    2010.05.20 at 10:52:22:248: Thread-19: B2B - (DEBUG) notifyApp:notifyApp Enqueue the ip exception message:
    <Exception xmlns="http://integration.oracle.com/B2B/Exception" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <correlationId>543222</correlationId>
    <b2bMessageId>543222</b2bMessageId>
    <errorCode>AIP-50079</errorCode>
    <errorText>Transport error: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
    Untrusted Cert Chain</errorText>
    <errorDescription>
    <![CDATA[Machine Info: (usmtnz-sinfwi02)Transport error: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
    Untrusted Cert Chain ]]>
    </errorDescription>
    <errorSeverity>2</errorSeverity>
    </Exception>
    2010.05.20 at 10:52:22:298: Thread-19: B2B - (DEBUG) Engine:notifyApp Exit
    2010.05.20 at 10:52:22:301: Thread-19: B2B - (DEBUG) DBContext commit: Enter
    2010.05.20 at 10:52:22:307: Thread-19: B2B - (DEBUG) DBContext commit: Transaction.commit()
    2010.05.20 at 10:52:22:310: Thread-19: B2B - (DEBUG) DBContext commit: Leave
    2010.05.20 at 10:52:22:313: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequest Exit
    2010.05.20 at 10:52:22:317: Thread-19: B2B - (INFORMATION) oracle.tip.adapter.b2b.engine.Engine:processOutgoingMessage:
    ***** REQUEST MESSAGE *****
    Exchange Protocol: AS2 Version 1.1
    Transport Protocol: HTTPS
    Unique Message ID: <543222@EMRSNS>
    Trading Partner: ZZEASY_PROD
    Message Signed: RSA
    Payload encrypted: 3DES
    Attachment: None

    Hi CNU,
    1st they has given me in .p7b certificate
    Is it a self-signed certificate? If no then do you have the CA certs as well?
    Open the certificate by double clicking on it. If "Issued To" and "Issued By" fields are same then it is a self signed cert and you need to import only this cert (in base64 format) into wallet.
    If it is not a self-signed cert then open the certificate and click on "Certification Path" tab. You should be able to see the issuer's certificate here. Make sure that you have imported all issuers' certificates along with your TP's cert in the wallet. Moreover, check that all the certs (TP cert and its issuer certs) are valid in terms of dates. You can see the "Certificate status" in "Certification Path" tab of certificate.
    Please provide the certificate chain details here along with list of certs in wallet (you may mail it to my id as well - [email protected])
    Regards,
    Anuj
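
The checks from the replies above (is the certificate self-signed, are all issuer certificates present, are the dates still valid), as an added example that is not part of any original post. It uses the OpenSSL command line instead of the Java keystore or Oracle wallet tools discussed here, and every certificate, name and file in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a constructed three-level PKI (root -> intermediate -> leaf)
# used to reproduce the "untrusted chain" failures discussed in these threads.
# Assumes the 'openssl' CLI is installed; all names and files are made up.

# issue_cert DIR NAME CN ISSUER EXT_SECTION SERIAL
# Creates DIR/NAME.key and DIR/NAME.pem, signed by DIR/ISSUER.
issue_cert() {
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial "$6" -extfile "$1/pki.cnf" -extensions "$5" \
        -days 30 -out "$1/$2.pem" 2>/dev/null
}

# build_pki DIR: writes root.pem, int.pem and leaf.pem into DIR.
build_pki() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -config "$1/pki.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$1/root.key" -out "$1/root.pem" \
        -subj "/CN=Constructed Root CA" -days 30 2>/dev/null || return 1
    issue_cert "$1" int "Constructed Intermediate CA" root ca_ext 1001 || return 1
    issue_cert "$1" leaf "server.example.test" int leaf_ext 1002 || return 1
}

# is_self_issued CERT: true when Subject equals Issuer, i.e. "Issued To"
# and "Issued By" show the same name in the certificate dialog.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# chain_status LEAF ROOT [extra 'openssl verify' options...]
# Prints "OK" or the first failure reason that 'openssl verify' reports.
chain_status() {
    leaf=$1
    root=$2
    shift 2
    out=$(openssl verify -CAfile "$root" "$@" "$leaf" 2>&1) || true
    reason=$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
    if [ -n "$reason" ]; then
        printf '%s\n' "$reason"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo OK
    else
        echo "verification failed"
    fi
}

demo() {
    work=$(mktemp -d) || return 1
    build_pki "$work" || { rm -rf "$work"; return 1; }
    # A point in time after every notAfter date in the constructed chain.
    later=$(( $(date +%s) + 400 * 86400 ))

    echo "root self-issued: $(is_self_issued "$work/root.pem" && echo yes || echo no)"
    echo "leaf self-issued: $(is_self_issued "$work/leaf.pem" && echo yes || echo no)"
    # Only the root is trusted and the issuing CA is missing: chain is untrusted.
    echo "root only:        $(chain_status "$work/leaf.pem" "$work/root.pem")"
    # Supplying the intermediate ("add another certificate") completes the path.
    echo "with issuer cert: $(chain_status "$work/leaf.pem" "$work/root.pem" \
        -untrusted "$work/int.pem")"
    # Same chain checked after its validity period: the "out of date cert" case.
    echo "after expiry:     $(chain_status "$work/leaf.pem" "$work/root.pem" \
        -untrusted "$work/int.pem" -attime "$later")"
    rm -rf "$work"
}

demo
```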

  • Punchout problem.  CertificateException: Untrusted Cert Chain.

    Hi all
    I hope this is an appropriate forum. I am a developer at a company who has a web site that customers interact with via punchout. I developed the system some time ago. It has nothing to do with Oracle but we have a punchout customer who is converting from Ariba to Oracle. I guess I'm looking for any advice on what to do or what to tell the customer to help solve this problem. They seem to have run out of ideas.
    Everything works well when they send a PunchoutSetupRequest cXML request but when they try to send an OrderRequest they get the following SSL error.
    .apps.ecx.oxta.ConnectionFailureException: Connection failure resulting
    from: javax.net.ssl.SSLHandshakeException:
    java.security.cert.CertificateException: Untrusted Cert Chain
    They're asking me whether I am handling the two types of requests differently but that question makes no sense at this level because it's the same https URL. I have no way of even knowing what type of cXML request is coming until the SSL handshake has succeeded.
    We're running Microsoft IIS. Our SSL certificate has a cert chain back to Equifax. It works on all major browsers, Ariba and their Oracle PunchoutSetup request. I got them to try it with a browser and the SSL worked without error. I can see in my web log that they accessed it using Internet Explorer. I assume that the Oracle system is not running Windows so accessing it with Internet Explorer from a Windows machine might not have been very helpful.
    They say to me that "it's the same site, same server" for the two types of documents. I assume they mean it's the same https client but how can that be true if the SSL succeeds on one type of document but fails on another?
    I've just noticed that the UserAgent is different for the two requests. For PunchoutSetupRequest it's "Oracle iProcurement" but for OrderRequest it's "Oracle E-Business Suite Oracle Purchasing 11.5.9.". Does that mean they are different https clients? I only know the OrderRequest UserAgent because they emailed me an error message which included the cXML.
    I know nothing about Oracle but it seems to me that someone at our customer site needs to do the equivalent of "Accept this certificate" which you can do with a browser assuming that they trust us. At one point they got me to send our certificate so I visited our site with a browser and exported the cert and sent it to them which they could have done themselves. It's not clear to me what they did with it but, coincidentally perhaps, the PunchoutSetupRequest also failed the SSL handshake until I sent them that.
    The only solution may be for us to buy a different (more expensive) certificate but that seems unnecessary to me and they've been unable to answer my question "what signing authorities do you accept". I've been able to look at a couple of their other suppliers and their public sites use certs from GTE CyberTrust so I suspect their punchout site uses the same.
    Any ideas or suggestions would be appreciated.
    Thanks

    Hi,
    Similar error is reported in the following documents, please see if it helps.
    Note: 167474.1 - Oracle XML Gateway Troubleshooting Guide
    Note: 152775.1 - Installing Oracle XML Gateway and Oracle Workflow with Oracle Applications 11i
    Regards,
    Hussein

  • Certificate validation against multiple certificate chain

    Hello everyone,
    I would like to have your opinion on a specific use case of the java.security.cert API.
    I've a set of trusted certificate chains provided in a trusted way by a CA. An example of a chain would be: R->I1->I2, R being a root certificate and I1/I2 being intermediate CAs.
    I receive messages from some untrusted sources. These messages are signed using some end-user certificate, let's call it U. The certificate U is only transmitted along the message (i.e. it's not available from a trusted source).
    Verifying the validity of the signed message is therefore a two step process:
    - Check that the signature made by U is valid.
    - Check that a valid certificate path could be built from U (querying a CRL if needed) back to a trusted anchor, such as R->I1->I2->U.
    Now, my question is, how to efficiently achieve the latter one with the java.security.cert API?
    The most straightforward way I've found so far to validate a certificate against a set of certificate chains is to use the CertPathBuilder interface:
    1) I build a CertStore (of type "Collection") with all my trusted certificate chains in it.
    2) I add the received U certificate to the store.
    3) I try to build a certificate path specifying "U" as the target certificate in the search constraints (X509CertSelector).
    If the algorithm finds a valid path, it returns it, and U could possibly be kept in the store for future use.
    If no valid path could be deduced, U is removed from the store, and a corresponding error is returned.
    This sounds like a good way of doing ?
    All suggestions are most welcome,
    Thanks,
    M. H.

    Ok, I think I've found my solution.
    Actually, if you specify a target certificate using the X509CertSelector.setCertificate method, the said certificate doesn't have to be in a CertStore in order to perform the validation:
    // the 'store' variable contains only the trusted certificate chains.
    CertStore store = CertStore.getInstance("Collection",
              new CollectionCertStoreParameters(certCol));
    CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
    X509CertSelector targetConstraints = new X509CertSelector();
    targetConstraints.setCertificate(userCertificate);
    PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraints);
    params.addCertStore(store);
    /* params.setRevocationEnabled(false); */ // If needed.
    PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) cpb.build(params);
    CertPath path = result.getCertPath();
    This is it, on validation, the "path" variable will contain the complete certificate chain including the tested certificate.
    I've still a problem with OCSP validations though, but I'll create a new topic for that...
    Thank you for your time, ejp,
    ++
    Edited by: marc_h on May 14, 2010 5:54 AM

  • SUN Java System Web Server 7.0U1 How to install certificate chain

    I am trying to install a certificate chain using the SUN Java Web Server 7.0U1 HTTPS User interface. What I have tried so far:
    1. Created a single file using vi editor containing the four certificates in the chain by cutting and pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pem
    2. Go to Certificates Tab/Server Certificates
    3. Choose Install
    4. Cut and paste contents of cert_chain.pem in the certificate data box.
    5. Assign to httplistener
    6. Nickname for this chain is 'server_cert'
    7. Select httplistener and assign server_cert (for some reason, this is not automatically done after doing step 5).
    8. No errors are received.
    When I display server_cert (by clicking on it), only the first certificate of the chain is displayed and only that cert is provided to the client during the SSL handshake.
    I tried to do the same, except using the Certificate Authority Tab, since this gave the option of designating the certificate as a CA or chain during installation. When I selected "chain," I get the same results when I review the certificate (only the first cert in the file is displayed). This tells me that entering the chain in PEM format is not acceptable. I tried this method since it worked fine with the F5 BIG-IP SSL appliance.
    My question is what format/tool do I need to use to create a certificate chain that the Web Server will accept?

    turrie wrote:
    1. Created a single file using vi editor containing the four certificates in the chain by cutting and pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pem
    In my opinion (I may be wrong) cut and pasting multiple begin end
    --- BEGIN CERTIFICATE ---
    ... some data....
    --- END CERTIFICATE ---
    --- BEGIN CERTIFICATE ---
    ... some data....
    --- END CERTIFICATE ---
    is NOT the way to create a certificate chain.
    I have installed a certificate chain (it had 1 BEGIN CERTIFICATE and one END CERTIFICATE only and still had 2 certificates) and I used the same steps as you mentioned and it installed both the certificates.
    some links :
    https://developer.mozilla.org/en/NSS_Certificate_Download_Specification
    https://wiki.mozilla.org/CA:Certificate_Download_Specification
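Both threads above turn on the same check: can a path be built from the presented certificate, through any intermediates, to a trusted root. The following is an added example in Go (standard library only; not code from either poster and not the Java PKIX API), run against a chain constructed at run time: `Roots` plays the part of the trust anchors, `Intermediates` that of the `CertStore`, and the target is passed directly, as with `setCertificate`. The helper names `issue`, `toPEM`, `parseBundle`, `inIssuerOrder` and `buildPath` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
		IsCA:     isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// toPEM concatenates BEGIN/END CERTIFICATE blocks in argument order.
func toPEM(certs ...*x509.Certificate) (out []byte) {
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// parseBundle returns every CERTIFICATE block of a PEM file, in file order.
func parseBundle(data []byte) (certs []*x509.Certificate, err error) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// inIssuerOrder reports whether each certificate is signed by the next one (server cert first, root last).
func inIssuerOrder(certs []*x509.Certificate) bool {
	for i := 0; i+1 < len(certs); i++ {
		if certs[i].CheckSignatureFrom(certs[i+1]) != nil {
			return false
		}
	}
	return len(certs) > 0
}

// buildPath validates target against anchors (trusted roots) using store (candidate intermediates).
func buildPath(target *x509.Certificate, store, anchors []*x509.Certificate) ([]*x509.Certificate, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range store {
		inter.AddCert(c)
	}
	chains, err := target.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, err
	}
	return chains[0], nil // target first, trust anchor last
}

func main() {
	root, rootKey, _ := issue("Example Root CA", true, 1, nil, nil)
	inter, interKey, _ := issue("Example Issuing CA", true, 2, root, rootKey)
	leaf, _, _ := issue("server.example.test", false, 3, inter, interKey)
	bundle, _ := parseBundle(toPEM(leaf, inter, root))
	fmt.Println("blocks:", len(bundle), "issuer order:", inIssuerOrder(bundle))
	path, err := buildPath(leaf, bundle[1:2], bundle[2:])
	_, missing := buildPath(leaf, nil, bundle[2:])
	fmt.Println("path length:", len(path), "error:", err, "| without intermediate:", missing)
}
```

Unlike Java's `CertPath`, which leaves the trust anchor out of the returned path, the chain Go returns ends with the trusted root.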

  • TMG - 0x80090325 -Certificate Chain was issued by an authority that is not trusted

    Hello,
    I am having some problems with testing an OWA (SSL) rule. I get that message.
    The TMG belongs to the domain and therefore as far as I know it gets the root certificate of my CA (I have deployed an Enterprise CA for my domain).
    That is why I don't understand the message: "...that is not trusted."
    The exact message:
    Testing https://mail.mydomain.eu/owa
    Category: Destination server certificate error
    Error details: 0x80090325 - The certificate chain was issued by an authority that is not trusted
    Thanks in advance!
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

    Thanks Keith for your reply and apologies for the delay in my answer.
    I could not wait and I reinstalled the whole machine (W2k8 R2 + TMG 2010). I suppose I am still a bad troubleshooter, I have experience setting up ISA, TMG, PKI, Active Directory but to a certain extent.
    1. Yes, I saw it when hitting the button "Test Rule" in the Publishing rule in the TMG machine.
    2. No, it did not work in this implementation but it has worked in others, this is not difficult to set up, until now, hehe.
    3. You said: "...If you are seeing it when running "Test Rule" then it simply means that TMG does not trust something about the certificate that is on your Exchange Server...."
    But the certificates are auto-enrolled, and when I saw the details of the certificates they all are "valid" , there is a "valid" message.
    4. You wrote: "...Easiest way see everything is create an access rule that allows traffic from the LocalHost of TMG to the CAS and open up a web browser. Does the web browser complain?..."
    But as I said, I re-installed the whole thing because nobody jumped in here, and I needed to move forward, I hope you understand.
    5. S Guna kindly proposed this:
    If you are using internal CA,
    You need to import the Root CA certificate to TMG servers.
    Import Private Key of the certificate to Server personal
    Create an Exchange publishing Rule and Point the listener to the Correct certificate.
    Since you are using internal CA, You need to import the Root CA certificate to all the client browsers from where you are accessing OWA
    But I think I do not have to perform any of those tasks, although I am not an expert but have worked with Certificate for one year or so.
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

  • "The certificate chain was issued by an authority that is not trusted" when migrating to SQL 2012

    Environment:
    1 Primary Site (USSCCM-Site.domain.com)
    1 CAS (USSCCM-CAS.domain.com)
    SQL 2008 R2 (USSCCM-CAS.domain.com)
    SQL 2012 SP1 CU6 (USSQL12.domain.com)
    Issue:
    We were successfully able to migrate the CAS to the new SQL 2012 server, almost without incident. When attempting to migrate the Site instance however, we are getting errors. Screenshot below.
    Attached is a copy of the log. But below is a highlight of what I think are the errors… It appears that either SQL or SCCM doesn’t like a certificate somewhere, but it is contradicting because the logs say that it has successfully tested connection to SQL.
    I am lost.
    Logs stating it can connect successfully to SQL
    Machine certificate has been created successfully on server USSQL12.domain.com.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    Deinstalled service SMS_SERVER_BOOTSTRAP_USSCCM-Site.domain.com_SMS_SQL_SERVER on USSQL12.domain.com.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    SQL Server instance [sccmsite] is already running under the certificate with thumbprint[f671be844bf39dec7e7fdd725dc30e225991f28a].    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Testing SQL Server [USSQL12.domain.com] connection ...    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Unsecure    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Tested SQL Server [USSQL12.domain.com] connection successfully.  Any preceding SQL connection errors may be safely ignored.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Certificate [...]    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Created SQL Server machine certificate for Server [USSQL12.domain.com] successfully.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Configuration Manager Setup - Application Shutdown    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Running SQL Server test query.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQL Server Test query succeeded.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQLInstance Name: sccmsite    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQL Server version detected is 11.0, 11.0.3381.0 (SP1).    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    Logs saying certificate is not trusted
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:01 AM    2100 (0x0834)
    More logs saying cert is not trusted
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    INFO: Updated the site control information on the SQL Server USSQL12.domain.com.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    CSiteSettings::WriteActualSCFToDatabase: Failed to get SQL connection    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    CSiteSettings::WriteActualSCFToDatabaseForNewSite: WriteActualSCFToDatabase(USA) returns 0x87D20002    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    ERROR: Failed to insert the recovery site control image to the parent database.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    Troubleshooting:
    I have read on a few articles of other people having this issue that states to find the certificate on SQL 2012 that’s being used and export it to the SCCM server – which I’ve done.
    http://damianflynn.com/2012/08/22/sccm-2012-and-sql-certificates/
    http://trevorsullivan.net/2013/05/16/configmgr-2012-sp1-remote-sql-connectivity-problem/
    http://scug.be/sccm/2012/09/19/configmgr-2012-rtm-sp1-and-remote-management-points-not-healthy-when-running-configmgr-db-on-a-sql-cluster/
    -Brad

    Hi,
    How about importing certificate in the personal folder under SQL server computer account into SCCM server computer account or SCCM server service account? That certificate is for SQL Server Identification. And you could set the value of the ForceEncryption option to NO. (SQL Server Configuration Manager->SQL Server Network Configuration->Protocols for <server instance>->Properties)
    Best Regards,
    Joyce Li
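The native error `-2146893019` in the log above is the signed 32-bit rendering of `0x80090325` (`SEC_E_UNTRUSTED_ROOT` in the Windows headers), the same code reported in the TMG threads on this page. The following added example in Go (not part of the original post; the sample entries are copied from the quoted log in their wrapped form, and the helper names are hypothetical) rejoins wrapped entries, normalises the code, and summarises which connections succeeded or failed by type.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample: six entries taken from the setup log quoted in the post,
// kept in their wrapped form (timestamp or thread id on the following line).
const sampleLog = `INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Unsecure    Configuration Manager Setup    10/21/2013 10:20:10 AM
2100 (0x0834)
INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:10 AM
2100 (0x0834)
ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup
10/21/2013 10:20:49 AM    2100 (0x0834)
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:49
AM    2100 (0x0834)
*** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:20:49 AM
2100 (0x0834)
INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:49
AM    2100 (0x0834)`

var (
	entryEnd = regexp.MustCompile(`\(0x[0-9A-Fa-f]+\)\s*$`) // the thread id closes an entry
	connRe   = regexp.MustCompile(`SQL Connection (succeeded|failed)\. Connection: (.+?), Type: (\w+)`)
	codeRe   = regexp.MustCompile(`\[([0-9A-Z]{5})\]\[(-?\d+)\]`) // [SQLSTATE][native error]
)

// hresult renders the signed native error an ODBC driver prints as the
// unsigned 32-bit HRESULT that Windows tools print for the same failure.
func hresult(native int64) string {
	return fmt.Sprintf("0x%08X", uint32(int32(native)))
}

// joinWrapped rebuilds one string per log entry from hard-wrapped lines.
func joinWrapped(raw string) []string {
	var entries, cur []string
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		cur = append(cur, line)
		if entryEnd.MatchString(line) {
			entries = append(entries, strings.Join(cur, " "))
			cur = nil
		}
	}
	if len(cur) > 0 { // trailing entry cut off before its thread id
		entries = append(entries, strings.Join(cur, " "))
	}
	return entries
}

// Report summarises a setup log.
type Report struct {
	Conn  map[string]string // "connection/Type" -> last outcome seen
	Codes map[string]int    // HRESULT -> number of entries carrying it
}

// triage extracts connection outcomes and normalised error codes.
func triage(raw string) Report {
	r := Report{Conn: map[string]string{}, Codes: map[string]int{}}
	for _, e := range joinWrapped(raw) {
		if m := connRe.FindStringSubmatch(e); m != nil {
			r.Conn[m[2]+"/"+m[3]] = m[1]
		}
		if m := codeRe.FindStringSubmatch(e); m != nil {
			if n, err := strconv.ParseInt(m[2], 10, 64); err == nil {
				r.Codes[hresult(n)]++
			}
		}
	}
	return r
}

func main() {
	r := triage(sampleLog)
	fmt.Println(r.Conn)
	fmt.Println(r.Codes)
}
```

On the sample, both connections to `SCCMSITE\MASTER` succeed (Unsecure and Secure) and only the Secure `CCAR_DB_ACCESS` connection fails, which is the contradiction the poster describes.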

  • Hybrid Connection fails for Windows SQL Server 2014 - SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted

    Hello,
    I have configured BizTalk Services Hybrid Connection between Standard Azure Website and SQL Server 2014 on premise.
    Azure Management portal shows the status of Hybrid Connection as established.
    However, the website throws an error when trying to open a connection
    <add name="DefaultConnection" connectionString="Data Source=machine name;initial catalog=AdventureWorks2012;Uid=demouser;Password=[my password];MultipleActiveResultSets=True" providerName="System.Data.SqlClient" />
    (The same website, with the same connection string deployed on SQL Server machine works correctly).
    I tried various options with the connection string (IP address instead of machine name, Trusted_Connection=False, Encrypt=False, etc.); the result is the same
    [Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
    [SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.
    I tried various machines - on premise and a clean Azure VM with SQL Server and it results in the same error - below full stack
    The certificate chain was issued by an authority that is not trusted             
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.            
    Exception Details: System.ComponentModel.Win32Exception: The certificate chain was issued by an authority that is not trusted
    Source Error:
    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.                  
    Stack Trace:
    [Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
    [SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)]
    System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +5341687
    System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +546
    System.Data.SqlClient.TdsParserStateObject.SNIWritePacket(SNIHandle handle, SNIPacket packet, UInt32& sniError, Boolean canAccumulate, Boolean callerHasConnectionLock) +5348371
    System.Data.SqlClient.TdsParserStateObject.WriteSni(Boolean canAccumulate) +91
    System.Data.SqlClient.TdsParserStateObject.WritePacket(Byte flushMode, Boolean canAccumulate) +331
    System.Data.SqlClient.TdsParser.TdsLogin(SqlLogin rec, FeatureExtension requestedFeatures, SessionData recoverySessionData) +2109
    System.Data.SqlClient.SqlInternalConnectionTds.Login(ServerInfo server, TimeoutTimer timeout, String newPassword, SecureString newSecurePassword) +347
    System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover) +238
    System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout) +892
    System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance) +311
    System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData) +646
    System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) +278
    System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) +38
    System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +732
    System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +85
    System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +1057
    System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +78
    System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +196
    System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +146
    System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +16
    System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry) +94
    System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry) +110
    System.Data.SqlClient.SqlConnection.Open() +96
    System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +44
    [EntityException: The underlying provider failed on Open.]
    System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +203
    System.Data.EntityClient.EntityConnection.Open() +104
    System.Data.Objects.ObjectContext.EnsureConnection() +75
    System.Data.Objects.ObjectQuery`1.GetResults(Nullable`1 forMergeOption) +41
    System.Data.Objects.ObjectQuery`1.System.Collections.Generic.IEnumerable<T>.GetEnumerator() +36
    System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +369
    System.Linq.Enumerable.ToList(IEnumerable`1 source) +58
    CloudShop.Services.ProductsRepository.GetProducts() +216
    CloudShop.Controllers.HomeController.Search(String SearchCriteria) +81
    CloudShop.Controllers.HomeController.Index() +1130
    lambda_method(Closure , ControllerBase , Object[] ) +62
    System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
    System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +193
    System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
    System.Web.Mvc.Async.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41() +28
    System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +10
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
    System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
    System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +58
    System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +225
    System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +10
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
    System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
    System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +23
    System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +99
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
    System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
    System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +14
    System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
    System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +39
    System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
    System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +29
    System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
    System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +25
    System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
    System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +31
    System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9651188
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213            
    Regards,
    Michal
    Michal Morciniec

    Same issue here, looking for more information !

  • TMG Error code 500 Certificate chain was issued by an authority that is not trusted

    Hello colleagues
    I have site https://site.domain.ru:9510/pmpsvc
    In site work: http://imgur.com/2cQ6vlF
    I publish this site through TMG 2010, but I have error:
    500 Internal Server Error. The certificate chain was issued by an authority that is not trusted (-2146893019).
    On TMG server via MMC I imported certificate to:
    http://imgur.com/eYqjrQg and rebooted the TMG server, but the problem is not solved.
    Maybe someone solved this problem?
    Thanks.

    This is because your certificate is unable to reach CA to verify the certificate
    Ensure your TMG can reach the certificate authority
    Import Root CA certificate to Trusted Root certificate authority in CertMGR
    If you are using intermediate CA then import the intermediate CA certificate to intermediate CA in certmgr

    Thanks, but I use certificate "*.domain.ru" and other https sites without port 9510 work fine. Maybe problem with site on TMG because problem with certificate on web-server (about Certificate error) - http://imgur.com/2cQ6vlF ??

  • Error code 265: The certificate chain was issued by an authority that is not trusted.

    We are in the process of trying to set up a wireless network that uses NPS servers to authenticate domain users with computers that are not on our domain (BYOD).
    We are using a valid, wildcard SSL (with intermediate certificates) to authenticate via PEAP.  The certificate was issued by Godaddy.
    When trying to connect, we are getting the authentication request.
    The result of a connection attempt is no connection with an event log error code of - “265: The certificate chain was issued by an authority that is not trusted.”
    We have tried ensuring that the certificates are in the correct containers on the respective NPS servers: “Certificates\Personal\Certificates” With the intermediate certificates located: “Certificates/Intermediate Certification Authorities”
    All these attempts have proven fruitless.  Any assistance or direction would be very much appreciated.

    Hi,
    Did you import the intermediate certificate in the right account? It should be imported in the Computer Account.
    Have you imported the intermediate certificate in your client? The client needs it to validate the certificate of your NPS server.
    Here is a similar thread in which Greg has explained this issue in detail.
    http://social.technet.microsoft.com/Forums/en-US/b770fcf6-d1e9-4aac-9005-62cb5ff6d485/the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted?forum=winserverNAP
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Adobe Air Apps for OS X: Unable to build a valid certificate chain for the signer. // Code Signing on OS X 10.10 Yosemite

    Hi,
    I created several OS X Apps using Adobe Air. That worked quite well before. Now I have to update my OS X Apps - therefore I also needed to update my certificates. [ I'm using Flash CC 2014 on OS X Yosemite 10.10 ]. But whatever I do it doesn’t work anymore. I always get this message saying:
    Unable to build a valid certificate chain for the signer.
    I googled a lot and the only "guide" I found is this post (from April 2013) about code signing - http://scottgaertner.com/code_signing/
    I’m not used to dealing with this kind of stuff (CA etc.) - so it's quite confusing to me.
    Would anybody please be so kind and tell me what I have to do?
    Is there any instruction from Adobe? (I didn't find one yet) 
    A step by step instruction for absolute dummies would be great!
    Best regards and thank you in advance
    Jan

    Hi Mukesh,
    I installed the Flash CC 2014 update and added some Certificates from Apple to my Keychain. Now EVERYTHING works fine again!! :-)
    Thank you very much for the Update! :-) Good job!
    Best regards
    Jan

  • Error message generating Adobe Air output Unable to build a valid certificate chain for the signer

    error message generating Adobe Air Output: Unable to build a valid certificate chain for the signer.

    Are you talking about AIR Help produced by RoboHelp or an AIR application that you are creating?
    If the latter, please see the notice at http://forums.adobe.com/community/robohelp/airhelp
    If you are using RoboHelp, which version?
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • How to get the Server Certificate Chain File?

    Hi all,
    I configured SSL for WebLogic 6.0 on a Win2k machine. I followed the WebLogic documentation:
    Generate a private key file, then submit to Verisign, get the certificate file.
    Because I have only one WebLogic server, I cleared the "Server Certificate Chain File" field.
    But I get an error message after rebooting WebLogic. The following is the error message:
    <2001-1-21 04:57:56 pm> <Alert> <WebLogicServer> <Inconsistent security configuration, java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found>
    java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found
    at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromLocalFile(SSLListenThread.java:152)
    at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromAdminServer(SSLListenThread.java:180)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:425)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:939)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    My question is: Should I input the rootCA certificate into the Server Certificate Chain File field? If yes, where can I get the rootCA certificate file?
    Thanks

    [sorry, deleted irrelevant wrong answer]
