Former Member

Peer certificate rejected by ChainVerifier

Hello SAP experts

We must activate an FTPS adapter to a vendor. The vendor has sent us a self-signed certificate.

We have loaded the certificate into TrustedCAs.

We have entered the following in the adapter:

Server: the CN found in the certificate

Port: 9990

Connection Security: FTPS (FTP Using SSL/TLS for Control and Data Connection)

Command Order: AUTH TLS, USER, PASS, PBSZ, PROT

No X.509 selected

User and password from the vendor

Connect Mode: Per File Transfer

Transfer Mode: Binary

From the supplier, we have received:

URLs: ftp://<IP>:9990 (AUTH SSL)

ftps://<IP>:9989 (Implicit)

Port range: 20995 to 21014

USER / PASSWORD

We can telnet from our side to the mentioned ports.

We have not received a root or intermediate certificate.

The vendor stated that they have other customers who use this setup. However, we don't know if these are PI customers.

We have tested SSL on our side with HTTPS.

We get the following error: Peer certificate rejected by ChainVerifier

Has anyone had the same problem?

Best Regards

Erik


3 Answers

  • Former Member
    May 27, 2011 at 08:45 AM

    Have you restarted the R3 instance after importing the certificate?


  • May 27, 2011 at 05:31 PM

    Hello

    Use the tracing tool attached to note #1514898 (Diagtool for troubleshooting XI). This should give you a very good idea of the exact cause of the problem.

    Regards

    Mark


    • Former Member

      Error from diagtool:

      Error during disconnect from ftp server as2.progrator.com, ignored: com.sap.aii.adapter.file.ftp.FTPEx: 550 Unexpected reply codeiaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: bad certificate

      10:40:42:154 J2EE_GUEST ~l_sender/FTPS_TEST/VANS]_54305 ~rverTrusted(X509Certificate[]) Failed to verify server certificate chain: no trust anchor found

  • May 30, 2011 at 03:32 PM

    As far as I know and have experienced, self-signed certificates without a root certificate are not supported by PI.

    We always ask our external integration partners to use certificates from a proper CA.

    Regards,

    Steven


    • Former Member

      Hi Erik,

      I've spent some days struggling with the same issue. For testing purposes we installed a FileZilla server in FTPS mode, and it worked with a certificate generated by FileZilla itself (self-signed). We did the same for the external FTPS server and failed because of a certificate error. Finally we discovered that if we used FTPS only for the control connection it worked fine; it seems that the second time it tries to do the handshake, for encrypting the file, it fails. We suppose that this happens because the second handshake is done using the IP address instead of the server name.

      To summarize:

      In Local network ->

      Installed FileZilla server on a computer with a server name, enabled SSL, allowed explicit mode, forced PROT P. Generated the certificate with the server name instead of the IP address using FileZilla. Removed the private key from the generated certificate. Imported the certificate in Visual Administrator as TrustedCAs (7.0).

      CC - server name, port 21, passive, FTPS control and data connection. AUTH TLS, USER, PASS, PBSZ, PROT. OK

      With external server->

      Imported the certificate in VA. CC - server name, passive, FTPS control and data connection. AUTH TLS, USER, PASS, PBSZ, PROT.

      NOT OK, second handshake error

      Don't force PROT P on the FTPS server. CC - server name, port 21, passive, FTPS control connection. AUTH TLS, USER, PASS, PBSZ, PROT. OK

      To allow encryption of both the control and data connection, it may be necessary to set the external name for the FTPS server in the server settings.

      Hope this helps.

      Iván.
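The two failures discussed in this thread, Erik's "no trust anchor found" and Iván's data-connection handshake that is done against an IP address rather than the server name, can both be reproduced offline with openssl before touching the adapter. The script below is an added example, not from the thread or from SAP; it generates a throwaway self-signed certificate in place of the vendor's, and `ftps.vendor.example` and `203.0.113.10` are assumed placeholders for the vendor's CN and the address the data connection is opened to.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces, with throwaway certificates,
# why a self-signed server certificate is rejected with "no trust anchor found"
# unless the certificate itself is imported as the anchor, and why a name
# check done against an IP address fails when the certificate only names the host.
set -eu

HOST=ftps.vendor.example   # assumed: the CN the vendor put in the certificate
IP=203.0.113.10            # assumed: the address the data connection is opened to
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
VENDOR_CERT=$WORK/vendor.pem   # stands in for the self-signed cert the vendor sent
OTHER_CA=$WORK/other-ca.pem    # stands in for a CA that is trusted but did not sign it

# Throwaway self-signed server certificate: server name in the CN, no IP anywhere.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$WORK/vendor-key.pem" -out "$VENDOR_CERT" 2>/dev/null
# An unrelated CA, to show what "trusted CAs present, but none signed this cert" looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Some Other CA" \
    -keyout "$WORK/other-key.pem" -out "$OTHER_CA" 2>/dev/null

# Self-signed means issuer == subject: the certificate is its own root, so there
# is no separate root or intermediate certificate to ask the vendor for.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//')
    iss=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^[^=]*=//')
    [ "$subj" = "$iss" ]
}

# Chain check: succeeds only if the anchor file ($1) contains the signer of $2.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Name checks: what a connection to the host name, and one to the IP address,
# would each require the certificate to match.
verify_name() { openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
verify_ip()   { openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; }

# Print OK/FAIL for a check instead of aborting the script on the first failure.
report() {
    label=$1; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

report "vendor cert is self-signed (issuer == subject)"           is_self_signed "$VENDOR_CERT"
report "verify with the cert itself as trust anchor"              verify_against "$VENDOR_CERT" "$VENDOR_CERT"
report "verify with an unrelated CA as anchor (no trust anchor)"  verify_against "$OTHER_CA" "$VENDOR_CERT"
report "name check against host name $HOST"                       verify_name "$VENDOR_CERT" "$HOST"
report "name check against IP address $IP"                        verify_ip "$VENDOR_CERT" "$IP"

# Against the real server (needs network, so not run here): show the certificate
# actually sent on the control connection and whether it verifies against the
# file imported into TrustedCAs.
#   openssl s_client -connect <IP>:9990 -starttls ftp -showcerts -CAfile vendor.pem
```

Expected output is OK for the first, second and fourth checks and FAIL for the third and fifth: a self-signed certificate verifies only when that very certificate is the anchor, and a certificate that names only the host cannot satisfy a check against an IP address, which is consistent with the control connection (by name) succeeding while a data connection opened to the IP fails.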