
The verification of the server's certificate chain failed

Hi All,

Not sure this is the right forum for this but never mind.

I am trying to get abap2GApps working and am having problems with the client certificates.

I am getting the below error in ICM :-

[Thr 06] Mon Jul 30 09:34:47 2012

[Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 06]    session uses PSE file "/usr/sap/BWD/DVEBMGS58/sec/SAPSSLC.pse"

[Thr 06] SecudeSSL_SessionStart: SSL_connect() failed

  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 06] >>            Begin of Secude-SSL Errorstack            >>

[Thr 06] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E

ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete

[Thr 06] <<            End of Secude-SSL Errorstack

[Thr 06]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 06]   SSL NI-sock: local=172.30.7.170:59036  peer=172.30.8.100:80

[Thr 06] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000053910f0)==SSSLERR_SSL_CONNECT

[Thr 06] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000726d5} [icxxconn_mt.c 2031]

Having already got the accounts.google.com SSL certificate chain installed and working I can't get the docs.google.com SSL chain working.

For accounts.google.com they use (this set works) :-

1) CN=accounts.google.com, O=Google Inc, L=Mountain View, SP=California, C=US

2) CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA

3) OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

For docs.google.com they use a different set of SSL certs. :-

1) CN=*.google.com, O=Google Inc, L=Mountain View, SP=California, C=US

2) CN=Google Internet Authority, O=Google Inc, C=US

3) OU=Equifax Secure Certificate Authority, O=Equifax, C=US

Can anyone explain what I am doing wrong or how to correct this?

Thanks

Craig


3 Answers

  • Jul 30, 2012 at 01:59 PM

    Dear Craig,

    This error seems to occur during the SSL handshake. The relevant certificate is unknown, and the chain of certificates is incomplete. This issue is described in SAP notes 1094342 and 1318906.

    Please try to follow these notes to add the missing certificate to the certificate list of the PSE this RFC uses. Kindly try to use transaction STRUST as per the notes. After that, also try to restart the ICM and test again.

    Best Regards,

    Abhishek


  • Jul 30, 2012 at 01:31 PM

    Further UPDATE

    After removing every certificate related to docs.google.com I still get the same error!

    I have even tried downloading the root certificate directly from GeoTrust themselves and yet I still get the same error.

    I have even resorted to running SAP program ZSSF_TEST_PSE from note 800240 to check the PSE and all is well!

    Referring to SAP Note 1318906 suggests I am missing a certificate in the chain but I am not!

    "Situation: The ICM is in the client role and the following entry is displayed in the trace:


    ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed


    Reason: You try to set up a secure connection to a server, but the validity of the certificate cannot be verified because the required certificates are not available.


    Solution: The missing certificates are listed in the trace file. You must use transaction STRUST to insert these certificates in the Personal Security Environment (PSE) that is used for the connection. The certificates are usually made available to you by the server administrator. If the certificates are public Certification Authority (CA) certificates, you can also request the certificates there."

    What could possibly be causing this?

    Please help!

    Craig
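Added example, not part of the thread or of any SAP note: a small Python parser that pulls out of an ICM trace the three facts the note's procedure depends on (the PSE file the session used, the issuer the trace reports as missing, and the peer the handshake ran against) and compares the issuer with a list of subject DNs. The function names are hypothetical, the sample trace is constructed from the lines posted in the question, and the subject list is assumed to be typed in from the certificate list of the PSE named in the trace.

```python
import re

# Constructed sample: trace lines as posted in the question above; the
# issuer DN is cut off in the trace and is kept cut off here.
SAMPLE_TRACE = """\
[Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 06]    session uses PSE file "/usr/sap/BWD/DVEBMGS58/sec/SAPSSLC.pse"
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E
[Thr 06]   SSL NI-sock: local=172.30.7.170:59036  peer=172.30.8.100:80
"""

START = "SecudeSSL_SessionStart() from SSL_connect()"
PSE_RE = re.compile(r'session uses PSE file "([^"]+)"')
MISSING_RE = re.compile(r'Chain of certificates is incomplete\s*:\s*"([^"]*)("?)')
PEER_RE = re.compile(r"SSL NI-sock: local=\S+\s+peer=(\S+)")

def failed_handshakes(trace):
    """Return one dict per failed SSL_connect(): PSE used, issuer missing, peer."""
    found, cur = [], None
    for line in trace.splitlines():
        if START in line:
            cur = {"pse": None, "missing": None, "truncated": False, "peer": None}
            found.append(cur)
        elif cur is not None:
            m = PSE_RE.search(line)
            if m:
                cur["pse"] = m.group(1)
            m = MISSING_RE.search(line)
            if m:
                cur["missing"] = m.group(1).strip()
                cur["truncated"] = m.group(2) == ""  # no closing quote: DN was cut
            m = PEER_RE.search(line)
            if m:
                cur["peer"] = m.group(1)
    return found

def norm(dn):
    """Compare DNs case-insensitively and ignoring spaces around separators."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def matching_subjects(failure, pse_subjects):
    """Subjects from the PSE's certificate list that could be the missing issuer."""
    want = norm(failure["missing"])
    if failure["truncated"]:
        return [s for s in pse_subjects if norm(s).startswith(want)]
    return [s for s in pse_subjects if norm(s) == want]

if __name__ == "__main__":
    print(failed_handshakes(SAMPLE_TRACE))
```

An empty result from `matching_subjects` means the issuer named in the trace is not among the subjects supplied for that PSE; a truncated DN is matched by prefix only, so a hit still needs to be confirmed against the full subject.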


  • Oct 26, 2012 at 01:08 PM

    Can no one help?

    Cheers

    Craig
