Former Member

SAP Gateway Client SSL Error - SSLERR_PEER_CERT_UNTRUSTED

Hello,

We use an SAP Gateway 7.42 system as a hub deployment and a self-signed SSL certificate from our own CA. When I try to call an OData service via GW_CLIENT, I get the following error.

I'm not sure if this is a problem caused by using the self-signed certificate or something wrong with the server parameters?

HTTP Receive failed: SSL handshake with FQDN.GATEWAY.DE:44300 failed: SSSLERR_PEER_CERT_UNTRUSTED (-102)
The peer's X.509 Certificate (chain) is untrusted
SapSSLSessionStart()==SSSLERR_PEER_CERT_UNTRUSTED
SSL:SSL_connnect() failed (536872221/0x2000051d) => "SSL API error"
>> ---- SecuSSL ErrStack: ----
0x2000051d | SAPCRYPTOLIB | SSL_connect
SSL API error
Failed to verify peer certificate. Peer not trusted.
0xa0600203 | SSL | ssl_verify_peer_certificates
Peer not trusted
0xa0600297 | SSL | ssl_cert_checker_verify_certificates
peer certificate (chain) is not trusted
Certificate:
Certificate:
Subject :CN=FQDN.GATEWAY.DE, OU=Company, OU=Company, C=DE
Issuer :CN=FQDN.GATEWAY.DE, OU=Company, OU=Company, C=DE
Serial number:0x0a20160808124101
Validity:
Not before :Mon Aug 8 13:41:01 2016
Not after :Fri Jan 1 01:00:01 2038
Key:
Key type :rsaEncryption (1.2.840.113549.1.1.1)
Key size :4096
PK_Fingerprint_MD5:7F22 4F06 8DDC 73AF 06F8 2357 FCC6 8629
Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
Fingerprint_MD5:92:FA:92:0F:08:B6:D5:A5:91:33:28:F6:B8:7D:DA:1E
Fingerprint_SHA1:31E1 B4E2 28AF 4A68 A71F FFC4 B626 F158 D5E4 295C
Verification result:
Status :Not successful
Profile :1.3.6.1.4.1.694.2.2.2.2
DirectlyTrusted:Not successful
<< ---------------------------
SSL:SSL_get_state()==0x2131 "SSLv3 read server certificate B"
SSL NI-hdl 84: unix domain socket="/tmp/.sapicm44300"
cli SSL session PSE "/usr/sap/UG3/DVEBMGS00/sec/SAPSSLA.pse"
Target Hostname="FQDN.GATEWAY.DE"


Thanks!


2 Answers

  • Apr 03, 2017 at 03:24 PM

    To me it looks like the client isn't trusting the server root certificate. Even if the server certificate is signed using your corporate root certificate, maybe that root certificate isn't trusted by the client? Adding your corporate root certificate (and any intermediate ones if they exist) in your client certificate store should fix the issue.


  • Dec 21, 2017 at 03:56 AM

    Hi,

    Is this issue resolved? I'm facing the same kind of issue, but we have already configured SSL.

    Below is the error log:

    HTTP Receive failed: SSL handshake with vhassSIDci.hec.aisingroup.com:20400 failed: SSSLERR_PEER_CERT_UNTRUSTED (-102)
    The peer's X.509 Certificate (chain) is untrusted
    SapSSLSessionStartNB()==SSSLERR_PEER_CERT_UNTRUSTED
    SSL:SSL_read() failed (536872221/0x2000051d) => "Failed to verify peer certificate. Peer not trusted."
    SSL:SSL_get_state()==0x2131 "TLS read server certificate B"
    SSL NI-hdl 133: unix domain socket="/tmp/.sapicm20400"
    cli SSL session PSE "/usr/sap/SID/D00/sec/SAPSSLA.pse"
    Target Hostname="vhassSIDci.hec.aisingroup.com"
    >> ---- SecuSSL ErrStack: ----
    0x2000051d | SAPCRYPTOLIB | SSL_read
    SSL API error
    Failed to verify peer certificate. Peer not trusted.
    0xa0600203 | SSL | ssl3_read_bytes
    Peer not trusted
    0xa0600203 | SSL | ssl3_connect
    Peer not trusted
    0xa0600203 | SSL | ssl3_get_server_certificate
    Peer not trusted
    0xa0600203 | SSL | ssl3_decode_server_certificate
    Peer not trusted
    0xa0600203 | SSL | ssl_verify_peer_certificates
    Peer not trusted
    0xa0600203 | SSL | ssl_cert_checker_verify_certificates
    Peer not trusted
    0xa0600203 | SSL | ssl_cert_checker_verify_certificates
    Peer not trusted
    Certificate
    Certificate
    Subject :CN=*.tyo.hec.sap.biz, OU=HEC, O=SAP, C=DE
    Issuer :CN=SAPNetCA_G2, O=SAP, L=Walldorf, C=DE
    Serial number :0x01527c
    Verification result
    Status :Not successful
    SignerStatus :Not successful
    SignerVerificationResult
    Element #1
    Status :Not successful
    Validity :Successful
    BasicConstraints :Successful
    KeyUsage :Successful
    ObjectStatus :Not successful
    SignerCert
    Certificate
    Subject :CN=SAPNetCA_G2, O=SAP, L=Walldorf, C=DE
    Issuer :CN=SAP Global Root CA, O=SAP AG, L=Walldorf, C=DE
    Serial number :0x610e063700000000000c
    Verification result
    Status :Not successful
    SignerStatus :Not successful
    SignerVerificationResult :None
    << ---------------------------

    Thanks,

    Uday

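
Added example, not part of the thread and not SAP tooling: a small Python parser for the SecuSSL traces quoted in the question and in the second answer. It reports which client PSE was used and which issuer DNs that PSE's trust list would have to cover, as the first answer suggests. The names `diagnose` and `cn_covers` are hypothetical, the sample strings are shortened from the two traces above, and the CN-versus-hostname comparison goes slightly beyond what the thread discusses.

```python
import re

CERT_RE = re.compile(r"Subject\s*:(.+?)\s+Issuer\s*:(.+?)\s+Serial number")
PSE_RE = re.compile(r'cli SSL session PSE "([^"]+)"')
HOST_RE = re.compile(r'Target Hostname="([^"]+)"')

# Constructed samples: excerpts shortened from the two traces in the thread.
TRACE_SELF_SIGNED = (
    'cli SSL session PSE "/usr/sap/UG3/DVEBMGS00/sec/SAPSSLA.pse" '
    'Target Hostname="FQDN.GATEWAY.DE" '
    "Certificate: Subject :CN=FQDN.GATEWAY.DE, OU=Company, OU=Company, C=DE "
    "Issuer :CN=FQDN.GATEWAY.DE, OU=Company, OU=Company, C=DE "
    "Serial number:0x0a20160808124101"
)
TRACE_CA_ISSUED = (
    'cli SSL session PSE "/usr/sap/SID/D00/sec/SAPSSLA.pse" '
    'Target Hostname="vhassSIDci.hec.aisingroup.com" '
    "Subject :CN=*.tyo.hec.sap.biz, OU=HEC, O=SAP, C=DE "
    "Issuer :CN=SAPNetCA_G2, O=SAP, L=Walldorf, C=DE Serial number :0x01527c "
    "SignerCert Certificate Subject :CN=SAPNetCA_G2, O=SAP, L=Walldorf, C=DE "
    "Issuer :CN=SAP Global Root CA, O=SAP AG, L=Walldorf, C=DE "
    "Serial number :0x610e063700000000000c"
)

def cn_covers(cn, host):
    """Left-most-label wildcard match; the trace shows no SAN entries to check."""
    p, h = cn.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def diagnose(trace):
    """Report what the client PSE named in the trace would have to trust."""
    chain = [(s.strip(), i.strip()) for s, i in CERT_RE.findall(trace)]
    if not chain:
        raise ValueError("no certificate block found in trace")
    pse, host = PSE_RE.search(trace), HOST_RE.search(trace)
    cn = re.search(r"CN=([^,]+)", chain[0][0])
    return {
        "client_pse": pse.group(1) if pse else None,
        "self_signed_leaf": chain[0][0] == chain[0][1],
        # Issuer of the last certificate listed: the DN the trust list must cover.
        "trust_anchor": chain[-1][1],
        # Any CA certificates listed between leaf and anchor must be trusted too.
        "intermediates": [subj for subj, _ in chain[1:]],
        "cn_covers_host": bool(cn and host and cn_covers(cn.group(1), host.group(1))),
    }

if __name__ == "__main__":
    for t in (TRACE_SELF_SIGNED, TRACE_CA_ISSUED):
        print(diagnose(t))
```

For the second trace the result lists SAPNetCA_G2 as an intermediate and SAP Global Root CA as the anchor, and shows that the wildcard CN does not cover the target hostname.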