Expired SSL Client Certificate - unknown source of error message

vaclav_nemec2
Explorer
0 Kudos

Hi,

I have trouble renewing the SSL Client Standard certificate, which is used for the connection from SAP to external HTTPS.

I have generated a new client SSL PSE from the P12 (validity 02/2015), uploaded it to STRUST, and restarted ICM. But when I call the HTTPS page from SM59 (type G connection to HTTP), I can see an alert in the ICM log regarding an expired certificate. The old certificate expired 21/02/2013, but the messages are about 11/11/2012 (?).

I checked all entries in STRUST/STRUSTSSO2; no such expiration (11.11.2012) was found in any certificate. I tried to delete all entries in STRUST and do everything from scratch, but the message about the expired certificate still appears. I have checked the SAPSSLC.pse; all certificates are valid for the next few years.

Please, have you got any idea where this validity could have its origin?

Thank you,
Vaclav


[Thr 140341408675600]    session uses PSE file "/usr/sap/MMM/DVEBMGS01/sec/SAPSSLC.pse"
[Thr 140341408675600] SecudeSSL_SessionStart: SSL_connect() failed
  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 140341408675600] >>            Begin of Secude-SSL Errorstack            >>
[Thr 140341408675600] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=101112113412Z, notafter=121111113412Z, now=13022715
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=101112113412Z, notafter=121111113412Z, no
[Thr 140341408675600] <<            End of Secude-SSL Errorstack
[Thr 140341408675600]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 140341408675600]   SSL NI-sock: local=172.20.2.140:41932  peer=195.113.95.45:4660
[Thr 140341408675600] <<- ERROR: SapSSLSessionStart(sssl_hdl=0xe42850)==SSSLERR_SSL_CONNECT
[Thr 140341408675600] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {0000004f} [icxxco

Accepted Solutions (1)

0 Kudos

Hi Vaclav,

The error message is related to the server's certificate, not the client certificate on the SAP side. You could connect to the same URL with a web browser and then inspect the certificate which the server presents to the browser.

Regards,

Tobias

vaclav_nemec2
Explorer
0 Kudos

Hi Tobias,

thanks for your answer.

I have also checked the server certificates in SAP and these are OK. When I connect to the web page with a browser (with the same client certificate imported) and check the certificates there, everything seems to be fine too and I can connect. All validities are between 2015-20xx.

I tried to change the web address in SM59 to "hostnamexxx", and I still get the same error - that's why I think the error is on the SAP side and the connection doesn't start at all (it seems to me).

Vaclav

0 Kudos

Hi Vaclav,

Are you connecting through an HTTPS proxy? In the error you previously posted, the peer is 195.113.95.45:4660. Is that the target of the SM59 destination, or is that a proxy? In the latter case, the issue might be with the proxy.

Regards,

Tobias

Former Member
0 Kudos

Hi,

Can you verify a few things:

1. Does the SAPSSLC.pse have the CA (certification authority) response?

2. Did you try re-creating credentials for yourself (sidadm) using sapgenpse?

3. Once the new certificates are imported, please try recycling SAP (cleanipc, stop the sapstartsrv as well).

Thanks.

Jayesh

vaclav_nemec2
Explorer
0 Kudos

Hi Tobias,

the proxy is not used, it is a direct connection.

Vaclav

vaclav_nemec2
Explorer
0 Kudos

Hi Jayesh,

I tried your proposals, but with no effect. The strange expiration date still appears.
Vaclav

Answers (2)

vaclav_nemec2
Explorer
0 Kudos

Hi,

the issue is solved now. The problem was on the HTTPS page to which we connect (it seems they have some kind of "cluster": on one server/IP the certificate was up to date, on the other server/IP the certificate is out of date). After we forced the connection to the specific=correct server, everything was fine.

Thanks to everybody for your hints!

Vaclav
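
The resolution above can be read directly from the ICM trace: the expired validity belongs to a certificate the server presented, and the `peer=` field names the node that presented it. The following is an added example, not part of the original thread and not SAP code; the function names are hypothetical and the regular expressions assume the trace layout shown in the question.

```python
import re
from datetime import datetime, timezone

# Lines copied from the ICM trace in the question (truncated as posted).
TRACE = """\
[Thr 140341408675600] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=101112113412Z, notafter=121111113412Z, now=13022715
[Thr 140341408675600]   SSL NI-sock: local=172.20.2.140:41932  peer=195.113.95.45:4660
"""

VALIDITY = re.compile(r"Certificate expired \(notbefore=(\d{12}Z), notafter=(\d{12}Z)")
PEER = re.compile(r"SSL NI-sock: .*\bpeer=(\S+)")


def parse_utctime(value):
    """Decode ASN.1 UTCTime (YYMMDDhhmmssZ). RFC 5280: YY >= 50 means 19YY."""
    yy, month, day, hour, minute, second = (int(value[i:i + 2]) for i in range(0, 12, 2))
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def expired_cert_failures(trace):
    """Return one record per failed handshake that logged an expired certificate.

    server_chain is True when the error was raised while verifying the chain
    the *server* presented, i.e. the local PSE's own certificates are not at fault.
    """
    failures, current = [], {}
    for line in trace.splitlines():
        if "ssl3_get_server_certificate" in line:
            current["server_chain"] = True
        match = VALIDITY.search(line)
        if match:
            current["not_before"] = parse_utctime(match.group(1))
            current["not_after"] = parse_utctime(match.group(2))
        match = PEER.search(line)
        if match:
            # In this trace the NI-sock line follows the error stack and names the remote node.
            if "not_after" in current:
                current.setdefault("server_chain", False)
                failures.append({"peer": match.group(1), **current})
            current = {}
    return failures


if __name__ == "__main__":
    for f in expired_cert_failures(TRACE):
        print(f"{f['peer']} presented a certificate that expired {f['not_after']:%d.%m.%Y} "
              f"(server chain: {f['server_chain']})")
```

When the target hostname resolves to several addresses, the `peer` value shows which node served the expired certificate, so it can be compared with the address a browser test happened to reach.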

former_member215981
Active Participant
0 Kudos

Hello,

you can refer to SAP Note

Note 1094342 - ICM trace contains verification of the server's certificate

Regards,

Yong Luo