cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSL, STRUST, Chain of certificates is incomplete, OU=Equifax

Former Member

on ‎12-11-2012 3:00 PM

0 Kudos

Hi,

after spending so much time on solving my SSL problem, I´m struggled . I´ve already looked for proper posts in the forum. Unfortunately, all similar post didn´t help to solve the problem.

I want to connect to accounts.google.com by SSL. I´ve added all the certificates in STRUST in different combinations (DFAULT, ANONYM), but the result is always the same:

"chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E..."

I´ve also exported the root CA to the database and the two CAs to the ANONYM PSE. It makes no difference if I add the Equifax CA to the CA list or not.

Maybe someone had the same problem and can give me a hint.

Best regards

Seb

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎12-11-2012 3:07 PM
0 Kudos

Could you please provide icm trace - Tx - smicm .

I assume that you are using type http rfc - could you please let me know which pse you are using in it.

Show replies
Show replies
Former Member
‎12-11-2012 3:13 PM
0 Kudos

Basis 7.01, SP 6

I use SAPSSLA.pse and added the three certificates to the list:

OU=Equifax Secure Certificate Authority, O=Equifax, C=US

CN=Google Internet Authority, O=Google Inc, C=US

CN=accounts.google.com, O=Google Inc, L=Mountain View, SP=California, C=US

[Thr 3228] SecudeSSL_SessionStart: SSL_connect() failed

  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 3228] >>            Begin of Secude-SSL Errorstack            >>

[Thr 3228] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed #

ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E

ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete #

[Thr 3228] <<            End of Secude-SSL Errorstack

[Thr 3228]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 3228]   No certificate request received from Server

[Thr 3228] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000001E744FC0)==SSSLERR_SSL_CONNECT

Former Member
‎12-11-2012 3:24 PM
0 Kudos

I think you need to use ssl client pse (sapsslc.pse) and maintain the certificates in it , could you give a try there.

one reason of certificate chain getting failed could be because root of your certificate is not recognize by server.

Former Member
‎12-11-2012 3:35 PM
0 Kudos

At first, thanks for your help!!

I switch to ssl client pse and I´m getting the same result.

The root CA is what I´ve downloaded from the CA chain in the browser.

tobias_winterhalter
Employee
Employee
‎12-11-2012 4:03 PM
0 Kudos

Hi Sebastian,

The client PSE should be the right one. Don't forget to restart ICM after each change of a PSE with STRUST. Otherwise the change will not take effect!

Only starting with NW7 EHP2, STRUST will notify ICM automatically, and a restart of ICM is no longer necessary.

Best,

Tobias

Former Member
‎12-11-2012 4:06 PM
0 Kudos

Hi Tobias,

thanks to you, too!!

I´ve restarted the ICM after each change, but nothing changed 😞

BR

Seb

tobias_winterhalter
Employee
Employee
‎12-11-2012 5:23 PM
0 Kudos

Hi Seb,

When you open STRUST and double click on SSL client Standard: do you see the Equifax certificate in the Certificate List?

Tobias

Former Member
‎12-12-2012 9:17 AM
0 Kudos
Hallo Tobias,  the certificate is listed in the SSL client standard PSE. This is what I don't understand. Everything seems to be correct, but the system won't complete the SSL CA chain..  Best regards Seb
Ask a Question