
SSSLERR_SERVER_CERT_MISMATCH

Former Member
0 Kudos

Hi,

Until yesterday, we were accessing HTTPS sites successfully, e.g. https://servicios1.afip.gov.ar/wsfe/service.asmx?WSDL.

This certificate, within STRUST, had the following characteristics:

CN = servicios1.afip.gov.ar;OU = Subdireccion General de Sistemas y Telecomunicaciones;....

The AFIP entity changed the certificate for HTTPS access sites, such as the one above.

This new certificate has the following characteristics (in the subject attribute):

CN = www.afip.gob.ar;OU = Subdireccion General de Sistemas y Telecomunicaciones.

Also, the certificate is multisite, since they added the "Subject Alternative name" attribute with the following DNS address:

DNS Name=servicios1.afip.gob.ar

DNS Name=servicios1.afip.gov.ar

etc.

After installing the new certificate, when we try to access a Web Service, it gives the following error, which is found with transaction SMICM, menu Goto -> Trace File -> Display All:

Wed Nov 17 15:39:52 2010

MatchTargetName("servicios1.afip.gov.ar", "CN=www.afip.gob.ar, OU=Subdireccion General de Sistemas y Telecomunicacion

SSL NI-sock: local=141.167.111.237:54790 peer=200.1.116.53:443

<<- ERROR: SapSSLSessionStart(sssl_hdl=6000000005580030)==SSSLERR_SERVER_CERT_MISMATCH

*** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxconn_m

What can we do to regain access correctly?

We work with Webservice in ABAP stack.

Thanks in advance.

Sebastiá

Accepted Solutions (0)

Answers (5)

Former Member

The AFIP changed back to the old certificate, and therefore the SAP Connect error is resolved.

My question for the future is:

Can I install a multidomain certificate with tx STRUST (in R/3), without "the mismatch" error? Or do I have to use the Java stack (SAP NetWeaver)? Where can I get information on the second instance?

Thanks in advance

Regards

Sebastián

Edited by: sebara on Nov 23, 2010 3:36 PM

Former Member
0 Kudos

Hi,

The notes didn't help us. But we did include the parameter: wdisp/ssl_ignore_host_mismatch = true

Now we have the following error. We have already applied notes 510007 and 1094342.

*** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

SecudeSSL_SessionStart: SSL_connect() failed

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

>> Begin of Secude-SSL Errorstack >>

ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "EMAIL=premium-server(arrow)thawte.com, CN=Thawte P

ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete

<< End of Secude-SSL Errorstack

SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

SSL NI-sock: local=141.167.111.235:65095 peer=200.1.116.53:443

<<- ERROR: SapSSLSessionStart(sssl_hdl=6000000005533f30)==SSSLERR_SSL_CONNECT

*** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT

The certificate was changed. Now it's Geotrust and it isn't Thawte. We already removed the old Thawte certificate, but the error references it.

We reinitialized the ICM and the system.

What can I do?

Thanks for all in advance.

Sebastiá

Former Member
0 Kudos

Hi,

>I may be wrong ...

In fact, I was wrong: alternate names in certificates work perfectly with the ABAP ICM. I have just tested it successfully.

Now, your problem is "the chain of certificates is incomplete".

If your certificate is signed by an intermediate CA and a root CA, did you include both?

In that case, from STRUST, I import the signed certificate using the base64 p7b format, which automatically includes the complete signature chain.

Regards,

Olivier
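As an added example (not part of any post in this thread, and not SAP or Secude code), the following sketch shows how a "chain of certificates is incomplete" result arises: the verifier follows issuer links from the server certificate and stops at the first issuer it cannot find. The CA names are constructed placeholders, since the trace above truncates the real ones, and the walk is by name only.

```python
# Added illustration: name-based path walk only. Real validation also
# verifies every signature, validity period and basic constraints.

def find_chain_gap(leaf_subject, presented, trusted):
    """Walk issuer links from the leaf toward a trusted self-signed root.

    presented: certificates sent by the server, subject DN -> issuer DN.
    trusted:   certificates in the client's trust list, same mapping.
    Returns (path, missing): missing is the DN that is absent or
    untrusted, or None when the path ends at a trusted root.
    """
    known = {**presented, **trusted}
    path, current, seen = [], leaf_subject, set()
    while True:
        if current in seen:            # issuer loop: treat as broken
            return path, current
        if current not in known:       # nobody supplied this certificate
            return path, current
        seen.add(current)
        path.append(current)
        issuer = known[current]
        if issuer == current:          # self-signed: must be in trust list
            return (path, None) if current in trusted else (path, current)
        current = issuer


# Constructed sample data (the CA DNs are placeholders, not from the page).
LEAF = "CN=www.afip.gob.ar"
INTERMEDIATE = "CN=Constructed Intermediate CA"
ROOT = "CN=Constructed Root CA"

SERVER_SENDS_LEAF_ONLY = {LEAF: INTERMEDIATE}
TRUST_ROOT_ONLY = {ROOT: ROOT}
TRUST_ROOT_AND_INTERMEDIATE = {INTERMEDIATE: ROOT, ROOT: ROOT}

if __name__ == "__main__":
    print(find_chain_gap(LEAF, SERVER_SENDS_LEAF_ONLY, TRUST_ROOT_ONLY))
    print(find_chain_gap(LEAF, SERVER_SENDS_LEAF_ONLY,
                         TRUST_ROOT_AND_INTERMEDIATE))
```

With only the root in the trust list and a server that sends only its own certificate, the walk reports the intermediate CA as the gap; adding the intermediate closes it.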

Former Member
0 Kudos

Hi Sebara,

Check this note for your error: Note 1318906 - Trace analysis of SSL problems (https://service.sap.com/sap/support/notes/1318906)

Excerpt from the note:

Situation: The ICM is in the client role and the following entry is displayed in the trace:

      • ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH

Reason: You try to set up a secure connection for a server in the form "https://<server name>:<port>". However, the certificate that is returned by the server is issued for a different server name and is therefore rejected. In particular, this happens if you use the IP address of the server instead of the server name in the URL.

Solution: You must be able to access the server under the address for which the certificate was issued. For example, if the server certificate was issued to the name "CN=www.sap.com, C=DE", then you must be able to access the server using the URL "https://www.sap.com".

Regards,

Shival
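As an added example (not part of any post in this thread, and not SAP's MatchTargetName implementation), the sketch below runs the host name and certificate names quoted in the question through two matchers: one that looks only at the subject CN, and one that treats Subject Alternative Name dNSName entries as authoritative in the RFC 6125 style. The function names are hypothetical and the SAN list is limited to the two entries visible on the page.

```python
# Added illustration; not SAP's MatchTargetName implementation.

def _label_match(pattern: str, host: str) -> bool:
    """Compare one DNS name pattern to a host name, case-insensitively.
    A '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def common_name(subject: str) -> str:
    """Extract the CN value from a 'CN=..., OU=...' style subject string."""
    for part in subject.replace(";", ",").split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def match_cn_only(host, subject, san_dns):
    """Look at the subject CN and ignore the SAN list entirely."""
    return _label_match(common_name(subject), host)


def match_san_aware(host, subject, san_dns):
    """If dNSName entries exist they are authoritative; the CN is
    consulted only when the certificate carries none."""
    if san_dns:
        return any(_label_match(name, host) for name in san_dns)
    return _label_match(common_name(subject), host)


# Values quoted in the thread (the SAN list there continues with "etc.").
SUBJECT = ("CN=www.afip.gob.ar, "
           "OU=Subdireccion General de Sistemas y Telecomunicaciones")
SAN_DNS = ["servicios1.afip.gob.ar", "servicios1.afip.gov.ar"]
HOST = "servicios1.afip.gov.ar"

if __name__ == "__main__":
    print("CN only  :", match_cn_only(HOST, SUBJECT, SAN_DNS))
    print("SAN aware:", match_san_aware(HOST, SUBJECT, SAN_DNS))
```

The CN-only comparison reproduces the mismatch from the trace, while the SAN-aware comparison accepts the host, which is the alternative to switching off the host name check altogether.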

Former Member
0 Kudos

Hi,

I may be wrong but I think that what you want to do may prove to be impossible.

I don't think that the ICM is able to check the alternative names in the certificates. To be sure, you should open an OSS message and ask SAP.

Regards,

Olivier

Former Member
0 Kudos

Can you please check Note 698017 - ICM Patch Collection (6.40)?