AS2 Receiver: Peer certificate rejected by chain verifier

Hi Experts,

We are facing an exception with SSL connectivity towards an AS2 Receiver channel using an https URL. We received the SSL certificate for the external partner system and deployed it in "Trusted CAs" of the key storage in NWA, but we are still getting the exception below while trying to post to the external partner system.

"Message could not be forwarded to the JCA adapter. Reason: Message cannot be delivered: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

MP: exception caught with cause javax.resource.ResourceException: Message cannot be delivered: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Transmitting the message to endpoint <local> using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: javax.resource.ResourceException: Message cannot be delivered: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier "

We noticed that the partner certificate is self-signed (not signed by any signing authority), so no root or intermediate certificates are available. Is this causing the issue? We are using SAP PO 7.5 single stack; does PO accept only signed certificates for SSL connections?

Kindly share your views in resolving this.

Thanks,
Raj.

Answers (4)

sankar_27
Active Participant
Follow the steps below to resolve the issue:

1. Access the web-service URL in a browser and check the validity and issuer.

2. Export the certificates and save them locally.

3. Import the certificates into PI --> NWA --> Keystore --> Keystore View (example: TrustedCAs).

4. If the issue still persists, remove old or expired certificates from the keystore or do a CPA cache refresh.

Thanks - Sankar

PavanKumar
Active Contributor
Hi Raj,

If the URL is publicly accessible, please open the URL in a browser, check the certificate of that URL and make sure you have imported that certificate into TrustedCAs in NWA.

Also check the validity date of that certificate; if it is expired, get a new certificate from the partner.

Regards

Pavan

former_member190536
Participant
Hello Raj,

Please check that all certificates for the link you are trying to reach are imported into "TrustedCAs" in NWA.

There should be one root certificate and then the consecutive certificates, so please import those and check.


Regards,

Khaja.

Hi Khaja,

I compared the hostname with the certificate, and the hostname is exactly the same as the URL. Since it is a self-signed certificate, there is no chance of multiple chain certificates; there is only one, i.e. nothing but a hostname-based certificate.

For a test, I removed and re-imported the certificates and tried again, but no luck.

Regards,
Raj

former_member190536
Participant
Hi Raj,

Can you share that endpoint URL?

Regards,

Khaja.

Hi Khaja,

For confidentiality reasons, I can't share the URL.

I tried to access the URL https://<hostname>:<port> over a web browser to download the certificate, but the URL is not accessible due to firewall access issues.

Thanks for your help.

Regards,
Raj.

former_member190536
Participant
Hi Raj,

Please try that channel with XPI Inspector as per the following weblog.

https://blogs.sap.com/2015/12/10/using-xpi-inspector-to-troubleshoot-http-ssl-connections/

Regards,

Karimulla

Hi Karimulla,

Yes, I did the same, generated traces using XPI Inspector and found the exception below in the logs.

"ssl_debug(4):Chain Verifier: No trusted certificate found, rejected.
ssl_debug(4):Sending alert: Alert Fatal:Bad certificate
ssl_debug(4):Shutting down SSL Layer
ssl_debug(4):SSL Exception while handshaking: Peer certificate rejected by Chain Verifier"

Regards,
Raj.

AntalP
Product and Topic Expert

Hi Raj,

The exception

iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

happens because the certificate chain cannot be verified, as some of the certificates are missing from the trusted keystore.

First you need to find out the certificate chain entries, then include the public keys of the CAs in the trusted keystore.

In case the remote server SSL certificate is self-signed, you need to import the self-signed certificate itself into the trusted keystore.

Best regards,

Antal
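As an added example that is not part of this thread, the script below reproduces with the openssl CLI the decision the ChainVerifier makes against TrustedCAs: a self-signed partner certificate is trusted only when that exact certificate is in the store, and a same-named certificate that has since been replaced (the stale-entry case from Sankar's step 4) is still rejected. The hostname, port and the generated certificates are placeholders; `fetch_chain` is the way to pull the partner's current certificate from the PO host when a browser is blocked by the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: a self-signed certificate passes chain
# verification only if that exact certificate is in the trust store.
set -e
WORK=$(mktemp -d)

# Dump the certificate(s) an HTTPS endpoint presents. Run it from the PO host when a
# browser cannot reach the partner; hostname and port are placeholders for the real URL.
fetch_chain() {  # usage: fetch_chain <hostname> <port> > chain.pem
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Classify a PEM certificate: self-signed when issuer equals subject (no CA chain to import).
cert_kind() {  # prints "self-signed" or "ca-issued"
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo self-signed || echo ca-issued
}

# Verify a certificate against a PEM trust store only (no system CAs), the way the
# ChainVerifier checks against TrustedCAs. Prints "trusted" or "rejected".
check_trust() {  # usage: check_trust <cert.pem> <truststore.pem>
    if openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# Constructed stand-in for the partner's self-signed certificate (fresh key on each call).
make_selfsigned() {  # usage: make_selfsigned <out-prefix> <common-name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

demo() {
    make_selfsigned "$WORK/old" partner.example.test   # certificate imported long ago
    make_selfsigned "$WORK/new" partner.example.test   # what the partner presents today
    cp "$WORK/old.pem" "$WORK/trust.pem"               # trust store holds only the old one
    echo "kind:  $(cert_kind "$WORK/new.pem")"                      # self-signed
    echo "stale: $(check_trust "$WORK/new.pem" "$WORK/trust.pem")"  # rejected: same name, other key
    cat "$WORK/new.pem" >>"$WORK/trust.pem"                         # import the current certificate
    echo "fresh: $(check_trust "$WORK/new.pem" "$WORK/trust.pem")"  # trusted
}
demo
```

The "stale" result is the one that matches an XPI Inspector trace of "No trusted certificate found": the verifier matches the certificate's key and signature, not its subject name, so a renewed self-signed certificate has to be re-exported and imported again.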

Hi Antal,

I checked the remote server SSL certificate, which is a self-signed one, so there is no intermediate and root certificate chain. This self-signed certificate is already imported into Trusted CAs in NWA.

For self-signed certificates, does PO verify chain entries? Any suggestions?

Thanks,
Raj

AntalP
Product and Topic Expert

Hi Raj,

I suggest capturing an SSL trace with the XPI Inspector tool; it will show the missing certificate entry.

Best regards,

Antal