cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ERROR GRC - Peer certificate rejected by ChainVerifier

former_member191980
Participant

on ‎01-09-2014 10:53 AM

0 Kudos

Hello experts. 
  
The error below occurs when we try to check the connection with SEFAZ (SP, MG and RJ):

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
- <!-- Mensagem de entrada
-->
- <SAP:Error SOAP:mustUnderstand="1"
xmlns:SAP="http://sap.com/xi/XI/Message/30"
xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SAP:Category>XIAdapterFramework</SAP:Category>
<SAP:Code area="MESSAGE">GENERAL</SAP:Code>
<SAP:P1 />
<SAP:P2 />
<SAP:P3 />
<SAP:P4 />

<SAP:AdditionalText>com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer
certificate rejected by ChainVerifier</SAP:AdditionalText>
<SAP:Stack />
<SAP:Retry>M</SAP:Retry>
</SAP:Error>

We already have made the steps below:

1) update the certificate

2) restart in the Java

3) check the firewall.

Thanks

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

former_member191980
Participant
‎05-02-2014 2:57 AM
0 Kudos

Pessoal, boa noite,

Desculpe a demora em responder, estou colocando meu SCN em ordem.

O problema foi no firewall mesmo.

abraços

Juliano Diniz

Show replies
Show replies
Former Member
‎01-09-2014 11:28 AM
0 Kudos

Juliano.

Neste espaço você deve postar em português. Por favor reescreva a sua questão.

grato

Edaurdo Chagas


Show replies
Show replies
former_member191980
Participant
‎01-09-2014 11:39 AM
0 Kudos

Juliano Diniz                                    Jan 9, 2014 11:53 AM                               

Currently Being Moderated                   

Obrigado Eduardo.

Segue abaixo:
  
O erro abaixo está ocorrendo no nosso PI NFE de homologação, o GRC apresenta erros na tela de check de disponibilidade dos serviços do SEFAZ (SP, MG and RJ):

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
- <!-- Mensagem de entrada
-->
- <SAP:Error SOAP:mustUnderstand="1"
xmlns:SAP="http://sap.com/xi/XI/Message/30"
xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SAP:Category>XIAdapterFramework</SAP:Category>
<SAP:Code area="MESSAGE">GENERAL</SAP:Code>
<SAP:P1 />
<SAP:P2 />
<SAP:P3 />
<SAP:P4 />

<SAP:AdditionalText>com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer
certificate rejected by ChainVerifier</SAP:AdditionalText>
<SAP:Stack />
<SAP:Retry>M</SAP:Retry>
</SAP:Error>

Já verificamos os passos abaixo:

1) certificado

2) restart do JAVA

3) verificamos o firewall.

Alguém já passou por este problema e poderia ajudar com isto?

Obrigado

Juliano

rhviana
Active Contributor
‎01-09-2014 11:45 AM
0 Kudos

Juliano,

Você já subiu as CA´s da SEFAZ que você esta emitindo nova na NWA - Entrada TrustedCA´s ?

Não basta apenas subir o certificado digital no PI, precisa importer mais algumas coisas.

Verifica o meu blog, sobre a SEFAZ SP, basicamente é o mesmo procedimento para as outras.

http://scn.sap.com/community/portuguese/sped-and-nf-e/blog/2013/12/18/sefaz-sp--cifras-ssl

Para conexão HTTPS + SSL, o certificado digital serve para identificação e o que está importado na Trusted CA´s para "tunelamento".

Tive esse problema no passado, veja a thread abaixo:

http://scn.sap.com/thread/3288028

Espero ter ajudado.

Atenciosamente,

Ricardo Viana.

former_member191980
Participant
‎01-09-2014 3:48 PM
0 Kudos

Olá Ricardo,

Fiz o import na Entrada TrustedCA's, o restart do sistema e o erro continua:

Importei as seguintes:

AC Imprensa Oficial SP G3

AC Imprensa Oficial G3

AC Imprensa Oficial SP RFB G3

Autoridade Certificadora Raiz Brasileira v2

Alguma sugestão?

obrigado

Juliano

Former Member
‎01-09-2014 8:10 PM
0 Kudos

Oi Juliano

Por favor verifique as orientações abaixo descritas na nota 1524196 - Import certificates in ABAP and Java 



    

  • J2EE
    • 

      

    • Check that your complete certification authorites (CAs) certificate chain + your private certificate is correctly imported into the PI Keystore. The certificate chain has to be in the correct order. Otherwise SEFAZ will reject your request with a HTTP 403 response. The government needs to know whom they can trust, i.e. that your certificate is signed from a trusted authority. Therefore you need to have the complete certificate chain in your keystore. We attached an example (our details were removed) for your convenience to this message (see certificate_chain.pdf).
      • 

    • It shows, that additionally to your private key, you need to import the governments (SEFAZ) root certificate. Afterwards, you have to import an intermediate certificate that shows that SEFAZ trusts the Security Provider. And finally, the certificate that shows that the Security Provider trusts the issuer of your certificate. Then the certificate chain is complete and the government knows that you're certificate is OK.
      • 

    • Where the CA certificates just download please refer to the attached document "Structure of ICP-Brazil.pdf" and choose your Security Provider (e.g. CertiSign). When the CA certificates are in PKCS#7 format refer to the attached document "P7B certificate export.pdf" to export them in .cer format.
      • 

    • Please import your private certificate with the CA certificates chain one by one via the Visual Administrator for Netweaver 700 or NetWeaver Administrator (NWA) for Netweaver 710 (in the correct order). Alternatively you can import the certificates with Internet Explorer and export them as one PFX including the certificate chain. In attachment "Generate Certificate Chain.pdf" is described how the private certificate has to be imported into the Personal folder of the Windows key store. The AC certificates have to be imported the same way, but in different folders (automatically). Then you can load the exported PFX into the J2EE key storage view (e.g. NFE).
      • 

    • For the server authentication of SEFAZ import the SEFAZ.cers into Keystore View TrustedCAs and restart the instance.
      •

Abraço

Eduardo Chagas

rhviana
Active Contributor
‎01-10-2014 11:09 AM
0 Kudos

Juliano,

Edita o canal, coloca uma descrição qualquer, salva e ativa.

Att,

RafaelVieira
Active Participant
‎01-25-2014 2:46 AM
0 Kudos

Você pode usar esta ferramenta para analisar o que está acontecendo quando tenta comunicar com a Sefaz:

Mas, pela descrição do seu erro, parece que o certificado que vc importou no NWA ou no Visual Admin, está incorreto. Você tem este certificado em mãos?

Se sim, instale ele no seu computador local e depois tente acessar algum webservice da Sefaz.

Se não conseguir, já descobriu o problema.

Se funcionar, tente importar este certificado novamente no NWA/VA de forma a gerar outra Keystore Entry.

Então, atualize as informações de Keystore Entry e View no adaptador Soap Receiver, limpe o cache (restart no Java seria ideal) e faça um novo teste.

Deve funcionar.

Ask a Question