Skip to Content

SOAP: Peer certificate rejected by ChainVerifier

Dec 08, 2017 at 10:49 AM


avatar image

Dear All,

I am working on Proxy to SOAP synchronous interface. I received an X509 certificate from client which i imported in NWA>Trusted CA. Now after testing, i am facing issue in sending data to client's url (https). The error says,

SOAP: Error occurred: Failed to get the input stream from socket: Peer certificate rejected by ChainVerifier.

When trying to ping communication channel, it is unable to reach the endpoint url. Client has also whitelisted my system IPs.

For reference, I am using SAP PI 7.4 single stack system. Also, please find attached screenshots of SOAP receiver channel and xpi_inspector logs.





logs.png (534.2 kB)
10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Andrzej Filusz Dec 08, 2017 at 11:34 AM


Do you have the full certificate chain like: Host certificate -> Intermedite-> Root ?

Are you sure it's not expired?

Could you please put your URL into a browser and verify that the certificate you received is the same like the one on the server side?

Is a value in the CN field of your certificate the same like your host name?



10 |10000 characters needed characters left characters exceeded
Mate Moricz
Dec 08, 2017 at 11:49 AM

Hi Anil,

There could multiple reasons for this error. The most common error is that not the whole certificate chain is imported in TrustedCA keystore as Andrzej wrote or that the certificates are expired.
However it can be also caused by not matching cipher suites between you PI and the receiver endpoint (this is because the error "Peer certificate rejected by ChainVerifier" is very general, this is the error thrown in all cases when the connection fails). A good starting point is to check if your system has SAP Note 2284059 because if it's applied your system can connect to TLSv1.1 or TLSv1.2 endpoints which can be one reason of the failed connection. Another problem can be the mentioned cipher suites, if the mentioned Note is applied, you can see which cipher suites are supported by your PI and you can compare which are supported by the endpoint.

Best regards,

10 |10000 characters needed characters left characters exceeded
Raghuraman S Dec 08, 2017 at 12:31 PM

Try using XPI ,also after certificate import try restarting the channel and system.

10 |10000 characters needed characters left characters exceeded