
AS2 Receiver: Peer certificate rejected by chain verifier

Hi Experts,

We are facing an exception with SSL connectivity towards the AS2 Receiver channel using an https URL. We received the SSL certificate for the external partner system, and it was deployed in the "Trusted CAs" of the key storage in NWA, but we are still getting the exception below while trying to post to the external partner system.

"Message could not be forwarded to the JCA adapter. Reason: Message cannot be delivered: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

MP: exception caught with cause javax.resource.ResourceException: Message cannot be delivered: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Transmitting the message to endpoint using connection SOAP_http:// sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: javax.resource.ResourceException: Message cannot be delivered: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier "

We noticed that the partner certificate is self-signed (not signed by any signing authority), so no root and intermediate certificates are available. Is this creating the issue? We are using SAP PO 7.5 single stack. Does PO accept only signed certificates for SSL connections?

Kindly share your views in resolving this.

Thanks,
Raj.


3 Answers

  • Jul 19 at 06:09 AM

    Hi Raj,

    If the URL is a publicly accessible URL, please open the URL in a browser, check the certificate of that URL, and make sure you have imported that certificate in TrustedCAs in NWA.

    Also check the validity date of that certificate; if it has expired, get a new certificate from the partner.

    Regards

    Pavan


  • Jul 17 at 11:05 AM

    Hello Raj,

    Please check that all certificates for the link you are trying to reach are imported in the "TrustedCAs" in NWA.

    There should be one Root certificate and then constitutive certificates, so please import those and check.


    Regards,

    Khaja.


    • Hi Karimulla,

      Yes, I did the same, generated traces using xpi_inspector and found the below exception in the logs.

      "ssl_debug(4):Chain Verifier: No trusted certificate found, rejected.
      ssl_debug(4):Sending alert: Alert Fatal:Bad certificate
      ssl_debug(4):Shutting down SSL Layer
      ssl_debug(4):SSL Exception while handshaking: Peer certificate rejected by Chain Verifier"

      Regards,
      Raj.

  • Jul 17 at 07:46 AM

    Hi Raj,

    The exception

    iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

    happens as the certificate chain cannot be verified as some of the certificates are missing from the trusted keystore.

    First you need to find out the certificate chain entries, then include the public keys of the CAs into the trusted keystore.

    In case the remote server SSL certificate is self-signed, you need to import the self-signed certificate into the trusted keystore.

    Best regards,

    Antal
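
The behaviour described in the answer above, reproduced with Go's crypto/x509 as an added example (not code from this thread, SAP or IAIK): a constructed self-signed certificate fails verification when the trust store lacks it and passes once that exact certificate is in the store. The host names are hypothetical, and the certificates are generated in memory.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a constructed stand-in for the partner certificate:
// the template is its own parent, so issuer == subject and it signs itself.
func newSelfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// isSelfSigned: issuer DN equals subject DN and the signature verifies
// with the certificate's own public key.
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// verifyAgainst validates peer against a trust store holding only `trusted`.
func verifyAgainst(peer, trusted *x509.Certificate) error {
	roots := x509.NewCertPool() // explicit store, system roots are not used
	roots.AddCert(trusted)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	peer, _ := newSelfSigned("partner.example")    // hypothetical partner host
	other, _ := newSelfSigned("unrelated.example") // some other trusted entry
	fmt.Println("self-signed:", isSelfSigned(peer))
	fmt.Println("store without partner cert:", verifyAgainst(peer, other))
	fmt.Println("store with partner cert:", verifyAgainst(peer, peer))
}
```

A self-signed certificate has no issuer above it, so the only trust store entry that can validate it is the certificate itself.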
