Peer certificate rejected by ChainVerifier

Former Member
0 Kudos

Hi All,

I am trying to access a webshop on portal which is using HTTPS service.

SSL is enabled. Log on is successful, but when we try to navigate inside the webshop, we are getting

"Peer certificate rejected by ChainVerifier".

We have Netweaver 701 EP

Backup is ECC 6.0

SAP ABAP CRM 7.0

Oracle 11g

I don't seem to find any error log/trace regarding this. Is this SSO related or SSL?

I have checked the validity of SSL certificate and it is fine.

I have already checked the following post on the issue

http://scn.sap.com/thread/1000720

But the instructions of note 694290 to import the certificate chain should not be valid for Portal 701.

Can you point me to the root cause so I can resolve this?

Thanks,

rakesh

Accepted Solutions (1)

Former Member
0 Kudos

Hi Rakesh,

You will generally get this error when the SSL certificate chain is incomplete.

I had this issue in the past for an external interface from PI.

The issue was solved after importing the Root and Intermediate certificates of the original SSL certificate to Visual Admin Trusted CA.

If you are using an SSL certificate issued by any Trusted CA, you can get their root and intermediate certificates from the same SSL certificate. Open the certificate, navigate to Certificate Path, click on each parent certificate and click on View Certificate. In the new window, you can go to Details and use the Copy to File option to download it.

Regards,

Sharath.
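Added example, not part of the original thread: the incomplete-chain failure described in the answer above, reproduced offline with the OpenSSL command line. OpenSSL stands in for the J2EE engine's ChainVerifier and the `-CAfile` bundle stands in for the TrustedCAs view (both mappings are assumptions); the three-certificate PKI is constructed on the fly and all subject names are made up.

```shell
#!/bin/sh
# Constructed test PKI: root -> intermediate -> server (names are made up).
make_chain() {   # $1 = empty working directory
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root intermediate server; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
        -out "$n.csr" -subj "/CN=constructed $n" 2>/dev/null || exit 1
    done
    # Self-signed root, intermediate signed by root, server signed by intermediate.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 30 -set_serial 1 -out root.crt 2>/dev/null &&
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
      -extfile ca.ext -days 30 -set_serial 2 -out intermediate.crt 2>/dev/null &&
    openssl x509 -req -in server.csr -CA intermediate.crt \
      -CAkey intermediate.key -days 30 -set_serial 3 -out server.crt 2>/dev/null
  )
}

# check_chain <trusted.pem> <peer.crt>
# Succeeds only if a path from the peer certificate up to a self-signed root
# can be built from the certificates in the trusted bundle alone.
check_chain() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  d=$(mktemp -d) || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  # Trust store as it should look after importing intermediate and root.
  cat "$d/intermediate.crt" "$d/root.crt" > "$d/complete.pem"
  # Root only: the server certificate's issuer (the intermediate) is unknown.
  check_chain "$d/root.crt" "$d/server.crt" && r1=OK || r1=REJECTED
  # Root plus intermediate: every issuer up to the root can be found.
  check_chain "$d/complete.pem" "$d/server.crt" && r2=OK || r2=REJECTED
  rm -rf "$d"
  echo "root only: $r1; root+intermediate: $r2"
}

demo
```

To see which link is missing on real files, `openssl x509 -in <file> -noout -subject -issuer` prints each certificate's subject and issuer, so every issuer can be matched against the subject of the next certificate up the chain.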

Former Member
0 Kudos

Thank you Sharath for your response.

Can you please specify the steps to import the intermediate and root certificate which I already have?

Correct me if I am wrong:

1. Go to Visual Admin with administrator/password

2. Server -> Services -> Key Storage -> TrustedCAs

Can you tell me what option is correct to import my intermediate/root certs?

My guess is Load.

Thanks,

Rakesh

Former Member
0 Kudos

Hi Rakesh,

The Visual Admin path you mentioned is correct. You might have your SSL certificate like below.

Select each entry except the last one and click on View Certificate. You will get another certificate pop-up in which you can go to the Details tab and click on Copy to File. Using the wizard you can save that certificate to a file. You can select Base-64 while saving.

Use the above process to save all certificates, move them to the server and import them to Visual Admin - Trusted CAs View.

Regards,

Sharath.

Former Member
0 Kudos

Thanks Again...

I have been able to find the root cause of my issue.

The intermediate/Root chain is not properly imported.

See the original setup:

And now see the faulty, cloned setup:

But the question remains, how do I import just the intermediate and root certificates which I have copied from the original setup?

My question is, how can I import my intermediate and root certs in key storage? Which option to select?

Maybe a silly qs but I need your help.

Thanks,

Rakesh

Former Member
0 Kudos

Sorry, I did not answer straight in my previous reply. Use the Load option and select the certificate to import. Hope this clarifies.

Former Member
0 Kudos

Thank you Sharath for your time and you have been spot on!!

Former Member
0 Kudos

Thank you Rakesh

Former Member
0 Kudos

Sharath one last time I need to bug you 🙂

My quest for a solution isn't finished yet :-(

I have 3 files server.crt, intermediate.crt,root.cert

Now when I go to VA-->key storage-->TrustedCA>

When I click on Load, the file selector pops up and I select server.crt and it is loaded. I again click on Load, the file selector pops up and I select Intermediate.crt, and next I click on Load and select root.crt

Now I have three entries in key storage -->TrustedCAs which doesn't seem right.

I think I have messed up somewhere?

How much I want to apply 694290 - SAP J2EE: react on expiration of VeriSign CA certificates to my case which is SAP J2EE /7....

which seems to be the solution to my problem,

But not sure how this applies to my case.

Regards,

rakesh

Former Member
0 Kudos

Rakesh,

You mean you are still getting the same error after importing all three certificates?

Try restarting the Key storage service (right click on Key storage in Visual Admin and click stop and then start).

If that does not solve it, attach your default trace.

Regards,

Sharath.

Former Member
0 Kudos

Hi,

I restarted the key storage service but to no avail.

Find the attached default trace.

One separate qs, when do we use service_ssl and when do we use TrustedCA?

TIA

Rakesh

Former Member
0 Kudos

Hi Rakesh,

service_ssl is used to store your own system's SSL certificates. TrustedCA will contain the certificates from various Certificate Authorities.

To better understand the issue, increase the trace level to debug for the location for which you are getting the error and reproduce the issue. Then attach the complete default trace. The increased trace level will show which SSL certificate is missing in the chain.

Regards,

Sharath.

Former Member
0 Kudos

Hi Sharath,

Thanks for explaining the terms to me.

I had increased the trace to Debug for location ca.sap.portal.iView and am attaching the Default Trace here:

And also got the following warning:

Hope it leads us closer to the solution.

Thanks,

Rakesh
