
SSLCertificateException: Peer certificate rejected by ChainVerifier

Former Member
0 Kudos

I'm using PI 7.0, and trying to send a message using the SOAP adapter. I'm getting the "SSLCertificateException: Peer certificate rejected by ChainVerifier" error, so I downloaded the root certificate (Thawte Primary Root CA) and imported this into the TrustedCAs keystore of the Visual Administrator. I also restarted PI, just to be sure, but I keep getting this error.

What am I doing wrong here?

Accepted Solutions (1)


former_member184681
Active Contributor
0 Kudos

Hi,

Find many valuable inputs in this topic in this thread:

Also there are two SAP Notes that could potentially solve your problem:

Note 1577913 - PI SOAP receiver channel cannot connect over HTTPS

Note 1588148 - Trusted certificates for SOAP receiver channels

Hope this helps,

Greg

Former Member
0 Kudos

Hi Grzegorz,

Thanks for your reply. I tried note 1588148, but I still get the same error. Note 1577913 is only valid for PI 7.1 and up. The forum link you provided unfortunately holds no solution.

Answers (3)


Former Member
0 Kudos

I switched to the Axis adapter, only to receive the error "Message processing failed. Cause: com.sap.engine.services.ejb.exceptions.BaseEJBException: Exception in method process."

baskar_gopalakrishnan2
Active Contributor
0 Kudos

If the certificate chain order is not as required, you will have issues even after you import the right certificate in the keystore. You might want to check caio cagnani's reply on this topic. You need to sequence your certificate -> intermediate -> root accordingly. Please check this thread.

http://scn.sap.com/thread/1742295

http://wiki.sdn.sap.com/wiki/display/TechTSG/Peer+certificate+rejected+by+ChainVerifier

markangelo_dihiansan
Active Contributor
0 Kudos

Hello,

I hope Peter was able to solve the issue on that link. Anyways, can you add Thawte DV SSL CA in your Trusted CA and then try again?

Hope this helps,

Mark

Former Member
0 Kudos

I already tried that, but still no luck. I also deployed the solution in note 1507568.

Former Member
0 Kudos

Hi,

Please kindly check the following note:
#1296330 - Security Troubleshooting Guide For NetWeaver J2EE 640/700

There, please check the PDF attached there and look for that error:

"Signature decryption error: javax.crypto.BadPaddingException: Invalid PKCS#1 padding: no leading zero!"

Thanks,

Atul.

Former Member
0 Kudos

Hi Atul,

I'm not trying to import a CSR response. I'm just using the SOAP receiver to send a message to a webservice using HTTPS.

markangelo_dihiansan
Active Contributor
0 Kudos

Hello Iddo,

Can you try installing the last certificate (bottom chain) into the service_ssl view? Can we see your configuration in the receiver comm channel?

Regards,

Mark

Former Member
0 Kudos

Hi,

In that case, have you gone through note:-

856597-FAQ: XI 3.0 / PI 7.0 / PI 7.1 SOAP Adapter

See the answers to the following questions:-

Q: I get the SSL handshaking error. I get some error when I call my SSL web service.

Q: I cannot call an SSL web service requiring a client certificate.

Do let us know if it helps.

Thanks,

Atul.

Former Member
0 Kudos

Hi Mark,

Sure. Here's my communication channel configuration:

Importing the last certificate to service_ssl fails:

I do see that the existing certificates in service_ssl (ssl-credentials and ssl-credentials-cert) are both expired.

markangelo_dihiansan
Active Contributor
0 Kudos

Hello,

In your receiver CC, certificate authentication should be checked. It will ask you which view you have installed the certificate in. You can type the location manually or use the help button. If the end certificate is expired, you should tell the third party to renew the certificates and give them to you; otherwise, it will always fail when using HTTPS.

Regards,

Mark

Former Member
0 Kudos

It doesn't look like I need certificate authentication: when I open the url (https://services.acc-cloud.nl) in my browser, I don't get a certificate authentication error.

The last certificate isn't expired, but Visual Admin won't let me import it.

Former Member
0 Kudos

"I do see that the existing certificates in service_ssl (ssl-credentials and ssl-credentials-cert) are both expired."

Please ask the third party team to provide you the complete certificate chain, with all certificates being currently valid, then re-import them in VA and rerun your scenario.

Former Member
0 Kudos

Only PI's own certificates are expired:

PRIVATE KEY
      [ creationDate ]: Thu Oct 02 09:26:04 CEST 2003
      [ algorithm ]: RSA
      [ format ]: PKCS#8
      [ selfSigned ]:
            [ DN ]: CN=localhost
            [ issuerDN ]: CN=localhost
            [ validNotBefore ]: Thu Oct 02 09:25:00 CEST 2003
            [ validNotAfter ]: Sun Oct 02 09:25:00 CEST 2005
            [ signAlgorithm ]: md5WithRSAEncryption (1.2.840.113549.1.1.4)
            [ fingerprint ]: 5B:22:EA:C7:2E:C6:2C:3B:3E:F3:1F:B8:15:BC:B8:45
            [ subjectKeyIdentifier ]: ED:ED:02:AF:94:13:59:1C:42:E6:69:40:E5:80:DD:A4:E9:33:91:02
            [ publicKey ]:
                        [ algorithm ]: RSA
                        [ format ]: X.509

Former Member
0 Kudos

Some more information which I found in the JAVA logging:

additional info ssl_debug(1): Starting handshake (iSaSiLk 4.3)...
ssl_debug(1): Sending v3 client_hello message to services.acc-cloud.nl:443, requesting version 3.2...
ssl_debug(1): Received v3 server_hello handshake message.
ssl_debug(1): Server selected SSL version 3.1.
ssl_debug(1): Server created new session ...
ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(1): CompressionMethod selected by server: NULL
ssl_debug(1): Received certificate handshake message with server certificate.
ssl_debug(1): Server sent a 2048 bit RSA certificate, chain has 3 elements.
ssl_debug(1): ChainVerifier: Error verifying certificate chain: java.security.SignatureException: Signature decryption error: javax.crypto.BadPaddingException: Invalid PKCS#1 padding: no leading zero!
ssl_debug(1): Sending alert: Alert Fatal: bad certificate
ssl_debug(1): Shutting down SSL layer...
ssl_debug(1): SSLException while handshaking: Peer certificate rejected by ChainVerifier

former_member184681
Active Contributor
0 Kudos

Dear Iddo,

You might also want to have a look at this thread, it gives some solution: http://scn.sap.com/thread/1416509

Hope this helps,

Greg

Former Member
0 Kudos

Hi,

Please apply

1507568 - Latest update of ssl library in Java stack

Also please check the points below:-

1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:

Security Configuration at Message Level
http://help.sap.com/saphelp_nw70/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.

3. Some other customers have reported a similar problem and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail, if your server certificate is A, which is issued by an intermediate CA B, and then B's certificate is issued by C, which is the root CA (having a self signed certificate), then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.

As a resource, you may need to create a new SSL Server key. The requirement from the SAP SSL client side is that the requested site has to have a certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.

In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.

Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server. In any other case the SSL communication will not work.

Thanks,

Atul
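The three suspects raised in this thread (a certificate missing from TrustedCAs, an expired certificate, and a chain sent in the wrong order, as in the ssl_debug output and in point 3 above) can be told apart without the IAIK library. The diagnostic below is an added example, not code from this thread or from SAP; it assumes only a JDK, network reach to the server, and optionally a JKS file holding the CA certificates that were imported into TrustedCAs (build one with keytool -importcert; the file name trusted.jks is an assumption). It records the chain exactly as the server sends it, rebuilds the leaf -> intermediate -> root order by following issuer links, checks every certificate's validity period and its signature against the next certificate's public key, and finally runs the JDK's PKIX path validation against the trust store:

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Added diagnostic, not SAP code: re-runs with plain JDK APIs the checks hidden behind
// "Peer certificate rejected by ChainVerifier" and reports which link fails and why.
// Usage: java ChainCheck <host> <port> [truststore.jks <password>]
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // 1. Record the chain exactly as the server sends it; no trust decision is made here.
        List<X509Certificate> sent = fetchChainAsSent(host, port);
        System.out.println("Server sent " + sent.size() + " certificate(s):");
        for (X509Certificate c : sent) System.out.println("  " + c.getSubjectX500Principal());
        // 2. Rebuild leaf -> intermediate -> root by following issuer links and compare with what was sent.
        List<X509Certificate> ordered = order(sent);
        if (ordered.size() != sent.size()) System.out.println("WARNING: some certificates do not link into the chain");
        else if (!ordered.equals(sent)) System.out.println("WARNING: chain sent out of order, expected leaf -> intermediate -> root");
        // 3. Per-link checks: validity period and signature against the next certificate's key.
        verifyLinks(ordered);
        // 4. Full PKIX path validation against a trust store, e.g. a JKS built from the TrustedCAs view.
        if (args.length >= 4) {
            try {
                pkixValidate(ordered, args[2], args[3].toCharArray());
                System.out.println("PKIX validation against " + args[2] + ": OK");
            } catch (CertPathValidatorException e) {
                System.out.println("PKIX validation FAILED at path index " + e.getIndex() + ": " + e.getMessage());
            }
        }
    }

    // Handshake with a TrustManager that only records the peer chain. It accepts anything: diagnostic use only.
    static List<X509Certificate> fetchChainAsSent(String host, int port) throws Exception {
        final List<X509Certificate> seen = new ArrayList<>();
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { seen.addAll(Arrays.asList(c)); }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) { s.startHandshake(); }
        if (seen.isEmpty()) throw new IllegalStateException("server sent no certificate");
        return seen;
    }

    // True if some other certificate in the set was issued by c, i.e. c cannot be the leaf.
    static boolean issuesAnother(List<X509Certificate> certs, X509Certificate c) {
        for (X509Certificate o : certs)
            if (o != c && o.getIssuerX500Principal().equals(c.getSubjectX500Principal())) return true;
        return false;
    }

    // Start at the leaf and follow issuer -> subject; stops at the self-signed root or at a missing link.
    static List<X509Certificate> order(List<X509Certificate> certs) {
        List<X509Certificate> out = new ArrayList<>();
        X509Certificate cur = null;
        for (X509Certificate c : certs) if (!issuesAnother(certs, c)) { cur = c; break; }
        while (cur != null && !out.contains(cur)) {
            out.add(cur);
            X509Certificate next = null;
            for (X509Certificate c : certs)
                if (c != cur && c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) next = c;
            cur = next;
        }
        return out;
    }

    static void verifyLinks(List<X509Certificate> chain) {
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            String label = "[" + i + "] " + c.getSubjectX500Principal();
            try { c.checkValidity(); }
            catch (CertificateException e) { System.out.println(label + ": NOT VALID NOW, " + c.getNotBefore() + " .. " + c.getNotAfter()); }
            // The last element is expected to be the self-signed root, so it is checked against its own key.
            X509Certificate signer = (i + 1 < chain.size()) ? chain.get(i + 1) : c;
            try {
                c.verify(signer.getPublicKey());
                System.out.println(label + ": signature verifies with key of " + signer.getSubjectX500Principal());
            } catch (GeneralSecurityException e) {
                // Wrong key for an RSA PKCS#1 v1.5 signature leaves a garbage block after decryption, the
                // condition the IAIK library in the log above calls "Invalid PKCS#1 padding: no leading zero!".
                System.out.println(label + ": signature FAILS with key of " + signer.getSubjectX500Principal() + " (" + e + ")");
            }
        }
    }

    // PKIX validation as the JDK does it; a self-signed root at the end is the trust anchor, not part of the path.
    static void pkixValidate(List<X509Certificate> chain, String ksPath, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, pw); }
        PKIXParameters params = new PKIXParameters(ks);   // every trusted entry in the store is an anchor
        params.setRevocationEnabled(false);                // keeps the check offline; enable for production use
        List<X509Certificate> path = new ArrayList<>(chain);
        X509Certificate last = path.isEmpty() ? null : path.get(path.size() - 1);
        if (last != null && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) path.remove(path.size() - 1);
        CertPathValidator.getInstance("PKIX").validate(CertificateFactory.getInstance("X.509").generateCertPath(path), params);
    }
}
```

Run it as java ChainCheck services.acc-cloud.nl 443 trusted.jks changeit. A "signature FAILS with key of ..." line pins the failure to one link: an RSA PKCS#1 v1.5 signature decrypted with a key other than the signer's does not recover the expected 00 01 FF ... block, which is the condition the IAIK message "Invalid PKCS#1 padding: no leading zero!" describes, and which the JDK reports as a SignatureException. A NOT VALID NOW line is the expiry case; a PKIX failure with every link verifying points at the trust store contents instead. Two caveats: the recorder TrustManager exists only to capture the chain and must never be reused in a real client, and a server that offers only TLS 1.0 with SSL_RSA_WITH_RC4_128_MD5, as in the log above, will be refused by a current JDK until those algorithms are removed from jdk.tls.disabledAlgorithms in java.security.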