Former Member

SOAP: Peer certificate rejected by ChainVerifier

Dear All,

I am working on a Proxy to SOAP synchronous interface. I received an X509 certificate from the client, which I imported in NWA>Trusted CA. Now, after testing, I am facing an issue in sending data to the client's URL (https). The error says,

SOAP: Error occurred: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.

When trying to ping the communication channel, it is unable to reach the endpoint URL. The client has also whitelisted my system IPs.

For reference, I am using SAP PI 7.4 single stack system. Also, please find attached screenshots of SOAP receiver channel and xpi_inspector logs.

soap-receiver-channel.png

logs.png

Regards,

Ashok


4 Answers

  • Dec 08, 2017 at 11:34 AM

    Hello,

    Do you have the full certificate chain, like: Host certificate -> Intermediate -> Root?

    Are you sure it's not expired?

    Could you please put your URL into a browser and verify that the certificate you received is the same as the one on the server side?

    Is the value in the CN field of your certificate the same as your host name?

    Regards,

    Andrzej


  • Dec 08, 2017 at 11:49 AM

    Hi Anil,

    There could be multiple reasons for this error. The most common error is that not the whole certificate chain is imported in the TrustedCA keystore, as Andrzej wrote, or that the certificates are expired.
    However, it can also be caused by non-matching cipher suites between your PI and the receiver endpoint (this is because the error "Peer certificate rejected by ChainVerifier" is very general; this is the error thrown in all cases when the connection fails). A good starting point is to check if your system has SAP Note 2284059, because if it's applied your system can connect to TLSv1.1 or TLSv1.2 endpoints, which can be one reason for the failed connection. Another problem can be the mentioned cipher suites: if the mentioned Note is applied, you can see which cipher suites are supported by your PI and you can compare which are supported by the endpoint.

    Best regards,
    Mate


  • Dec 08, 2017 at 12:31 PM

    Try using XPI; also, after the certificate import, try restarting the channel and system.


  • Oct 12 at 11:33 AM

    Hello,

    Have you figured out the problem?

    I'm facing the same issue

    thanks


    • Hi Marcelo,

      Please check my above reply as this is a general error, there is no exact solution.


      "There could be multiple reasons for this error. The most common error is that not the whole certificate chain is imported in the TrustedCA keystore, as Andrzej wrote, or that the certificates are expired.
      However, it can also be caused by non-matching cipher suites between your PI and the receiver endpoint (this is because the error "Peer certificate rejected by ChainVerifier" is very general; this is the error thrown in all cases when the connection fails). A good starting point is to check if your system has SAP Note 2284059, because if it's applied your system can connect to TLSv1.1 or TLSv1.2 endpoints, which can be one reason for the failed connection. Another problem can be the mentioned cipher suites: if the mentioned Note is applied, you can see which cipher suites are supported by your PI and you can compare which are supported by the endpoint."

      Best regards,
      Mate
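
The certificate-side checks raised in the first answer and repeated in Mate's replies (complete chain in the trust store, expiry, host name match), as an added Python example that is not code from this thread or from SAP. The certificate records, host name and the `rec`, `host_matches` and `triage` functions are constructed for illustration; certificates are linked by issuer and subject name only, with no signature verification.

```python
from datetime import datetime, timezone

def rec(cn, issuer_cn, expires, san=()):
    """Constructed certificate record (not a parsed X.509 structure)."""
    return {"subject": f"CN={cn}", "issuer": f"CN={issuer_cn}",
            "names": list(san) or [cn], "not_after": expires}

def host_matches(host, names):
    """Exact match, or one left-most wildcard label such as *.partner.example."""
    host = host.lower()
    for name in (n.lower() for n in names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.partition(".")[2] == name[2:]:
            return True
    return False

def triage(host, presented, trusted, now):
    """presented: leaf first; trusted: trust store. Name-linking only, no signature check."""
    findings = []
    by_subject = {c["subject"]: c for c in presented + trusted}
    anchors = {c["subject"] for c in trusted}
    cert, seen = presented[0], set()
    if not host_matches(host, cert["names"]):
        findings.append(f"host name {host} not in SAN/CN of {cert['subject']}")
    while True:
        if cert["not_after"] < now:
            findings.append(f"expired: {cert['subject']}")
        if cert["subject"] in anchors:
            break  # reached a certificate present in the trust store
        seen.add(cert["subject"])
        parent = by_subject.get(cert["issuer"])
        if parent is None or parent["subject"] in seen:
            findings.append(f"issuer missing from trust store: {cert['issuer']}")
            break
        cert = parent
    return findings

# Constructed sample data: names and dates are illustrative only.
UTC = timezone.utc
NOW = datetime(2017, 12, 8, tzinfo=UTC)
ROOT = rec("Example Root CA", "Example Root CA", datetime(2030, 1, 1, tzinfo=UTC))
INTER = rec("Example Issuing CA", "Example Root CA", datetime(2025, 1, 1, tzinfo=UTC))
LEAF = rec("api.partner.example", "Example Issuing CA",
           datetime(2018, 6, 1, tzinfo=UTC), san=["api.partner.example"])
HOST = "api.partner.example"

if __name__ == "__main__":
    print(triage(HOST, [LEAF], [ROOT], NOW), triage(HOST, [LEAF], [INTER, ROOT], NOW))
```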