if you see: –
Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.
in Chrome, and: –
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb40028d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52195 -> 192.168.8.162:8443] [05:06:32.584379]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb400b3d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52196 -> 192.168.8.162:8443] [05:06:32.585419]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb800edd0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52197 -> 192.168.8.162:8443] [05:06:32.586475]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eac0115c0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52198 -> 192.168.8.162:8443] [05:06:32.587517]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb000e7b0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52199 -> 192.168.8.162:8443] [05:06:32.588528]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb400b3d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52196 -> 192.168.8.162:8443] [05:06:32.585419]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb800edd0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52197 -> 192.168.8.162:8443] [05:06:32.586475]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eac0115c0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52198 -> 192.168.8.162:8443] [05:06:32.587517]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb000e7b0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52199 -> 192.168.8.162:8443] [05:06:32.588528]
in the IHS error logs, chances are that you only have one certificate in the IHS SSL keystore or, to be more accurate, the root CA certificate is missing.
This can be validated as follows: –
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb
Certificates found
* default, – personal, ! trusted
*- clientcert
*- clientcert
In other words, this shows that we only have the client certificate ( sometimes known as the intermediate or “device” certificate ) but not the CA certificate.
This is easily fixed: –
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.kdb -label myca -file test.cer
( this assumes that you’ve been following the previous post and have extracted the root CA certificate from the CA keystore into the file test.cer )
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb
Certificates found
* default, – personal, ! trusted
! myca
*- clientcert
* default, – personal, ! trusted
! myca
*- clientcert
Once IHS is restarted, all is well 🙂
Recent Comments