Thursday, September 15, 2016

SSLERR_PEER_CERT_UNTRUSTED (peer certificate is not trusted)


In order to gather more technical information about this issue, the starting point is to check the ICM trace. By doing that, it is possible to determine which certificate is missing and in which PSE this certificate should be imported.


ICM Trace:

Capturing the issue in the trace

To properly collect the necessary information related to the issue in the ICM trace, follow the procedure described below.

While in SMICM transaction:

1. Raise the ICM trace level to 2 (Goto -> Trace Level -> Set -> 2).
2. Reproduce the issue (e.g. perform the connection test in the RFC connection).

Analyzing the trace


After increasing the trace level to 2, and reproducing the issue, the next step is to access the trace in order to analyze the data collected.

While in SMICM transaction:

Display the trace within the transaction (Goto -> Trace File -> Display All (Shift+F5)). In addition, you can also display the trace file ("dev_icm") in transaction ST11.





Searching for the issue in the trace

In the trace file you will find the following messages for this issue:
SSSLERR_PEER_CERT_UNTRUSTED

Failed to verify peer certificate. Peer not trusted.
peer certificate (chain) is not trusted

*** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED
Issues in SSL connections start with "*** ERROR".
For more detailed information, look into the Secude-SSL Errorstack section of the trace:
>> ---------- Begin of Secude-SSL Errorstack ---------- >>
complete description of the issue
<< ---------- End of Secude-SSL Errorstack ----------


Identifying the relevant information in the Errorstack

After performing all the steps above, you should have found the Errorstack of the issue:

Example:

[Thr number] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr number]     session uses PSE file "/usr/sap/SID/HOST/sec/PSE_FILE_THAT_THE_CERTIFICATE_MUST_BE_IMPORTED_IN.pse" 
[Thr number] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr number]   secude_error 536872221 (0x2000051d) = "SSL API error"
[Thr number] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr number] 0x2000051d | SAPCRYPTOLIB | SSL_connect
[Thr number] SSL API error
[Thr number] Failed to verify peer certificate. Peer not trusted. 
[Thr number] 0xa0600203 | SSL | ssl_verify_peer_certificates
[Thr number] Peer not trusted 
[Thr number] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates
[Thr number] peer certificate (chain) is not trusted 
[Thr number] Certificate:
[Thr number]   Certificate:
[Thr number]      Subject :CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE 
[Thr number]       Issuer :CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE 
[Thr number]       Serial number:0x20131208133655
[Thr number]       Validity:
[Thr number]           Not before :Sun Dec 8 08:36:55 2013
[Thr number]           Not after :Thu Dec 31 19:00:01 2037
[Thr number]       Key:
[Thr number]            Key type :rsaEncryption (1.2.840.113549.1.1.1)
[Thr number]            Key size :1024
[Thr number]         PK_Fingerprint_MD5:E2FF 2FE2 F27C 033D 3DE5 C53D 9010 5273
[Thr number]       Signature algorithm:sha1WithRsaEncryption (1.2.840.113549.1.1.5)
[Thr number]       Fingerprint_MD5:9F:55:EE:38:53:B6:19:B6:8A:4E:F1:B4:B3:9C:47:86
[Thr number]       Fingerprint_SHA1:D195 CBE3 DFCD 06D2 FE0C A517 22B6 1223 FF40 194E
[Thr number]    Verification result:
[Thr number]       Status :Not successful
[Thr number]       Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr number]       DirectlyTrusted:Not successful
[Thr number] 
[Thr number] << ---------- End of Secude-SSL Errorstack ----------
[Thr number]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr number]   SSL NI-sock: unix domain socket="/tmp/.sapicm50001"
[Thr number] <<- ERROR: SapSSLSessionStart(sssl_hdl=1178ee5b0)==SSSLERR_PEER_CERT_UNTRUSTED 
[Thr number] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {00000001} [icxxconn_mt.c 1989]

Understanding the information collected and applying it to solve the issue
The part of the dev_icm trace file above contains the Errorstack of an SSL call that failed due to a missing certificate that should have been imported into the correct PSE of the system.
The lines beginning with "*** ERROR" are the error messages.

The line that reads session uses PSE file "..." contains the full path to the PSE where the peer certificate should have been imported. It could be the SSL Client (Standard) PSE, the SSL Client (Anonymous) PSE, the SSL Server (Standard) PSE, and so on.
The Subject line of the Certificate block inside the Errorstack identifies the exact peer certificate that should be imported into that PSE. However, it is recommended that you import the Root CA of the missing certificate instead of the certificate itself.

Example:
 
The PSE shown in the trace file is the one in the line session uses PSE file "/usr/sap/SID/HOST/sec/SAPSSLC.pse". This PSE file refers to the SSL Client (Standard) PSE.
The certificate shown in the trace file is "CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE".

This information is crucial to solve the issue: once these two points have been identified, the troubleshooting is over.
In this example, in order to solve the issue, the certificate "CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE" must be imported into the SSL Client (Standard) PSE.
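As an added example (not code from the original post), here is a small Python parser that pulls those two facts, the PSE path and the untrusted peer's Subject/Issuer, out of a dev_icm trace and says which PSE to import into. The trace text is a constructed, trimmed copy of the Errorstack above with a made-up thread id; the function and class names are hypothetical, and the mapping of the SAPSSLC/SAPSSLA/SAPSSLS file names to STRUST node names is an assumption based on SAP's default file names.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the dev_icm Errorstack above; "[Thr 140]" is a made-up thread id.
SAMPLE_TRACE = """\
[Thr 140]     session uses PSE file "/usr/sap/SID/HOST/sec/SAPSSLC.pse"
[Thr 140] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 140] peer certificate (chain) is not trusted
[Thr 140]      Subject :CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE
[Thr 140]       Issuer :CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE
[Thr 140]       Status :Not successful
[Thr 140] << ---------- End of Secude-SSL Errorstack ----------
[Thr 140] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED
"""

# Default PSE file names -> STRUST node names (assumed SAP defaults, not read from the trace).
PSE_NAMES = {"SAPSSLC.pse": "SSL Client (Standard) PSE",
             "SAPSSLA.pse": "SSL Client (Anonymous) PSE",
             "SAPSSLS.pse": "SSL Server (Standard) PSE"}

@dataclass
class UntrustedPeer:
    pse_path: str = ""
    error: str = ""
    subject: str = ""
    issuer: str = ""
    def pse_name(self) -> str:
        return PSE_NAMES.get(self.pse_path.rsplit("/", 1)[-1], "unknown PSE")
    def self_signed(self) -> bool:
        # Subject == Issuer: the peer presented its own root, so that is the certificate to import.
        return self.subject != "" and self.subject == self.issuer
    def recommendation(self) -> str:
        what = "the peer's self-signed certificate" if self.self_signed() else f"the Root CA of '{self.issuer}'"
        return f"Import {what} into the {self.pse_name()} ({self.pse_path}) via STRUST"

def parse_icm_trace(text: str) -> UntrustedPeer:
    # Walk the trace once; Subject/Issuer are only read between the Errorstack Begin/End markers.
    peer, in_stack = UntrustedPeer(), False
    for raw in text.splitlines():
        line = re.sub(r"^\[Thr [^\]]*\]\s*", "", raw).strip()   # drop the "[Thr nnn]" prefix
        if (m := re.search(r'session uses PSE file "([^"]+)"', line)):
            peer.pse_path = m.group(1)
        elif (m := re.search(r"SapSSLSessionStart failed \(-?\d+\): (\w+)", line)):
            peer.error = m.group(1)
        elif "Secude-SSL Errorstack" in line:
            in_stack = line.startswith(">>")          # ">> Begin" opens the stack, "<< End" closes it
        elif in_stack and (m := re.match(r"(Subject|Issuer)\s*:(.*)$", line)):
            setattr(peer, m.group(1).lower(), m.group(2).strip())
    return peer
```

Running parse_icm_trace(SAMPLE_TRACE).recommendation() on the sample points at the SSL Client (Standard) PSE and, because Subject equals Issuer, at the peer's own self-signed certificate as the root to import.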

