More on IHS and SSL – SSL0208E: SSL Handshake Failed, Certificate validation error


If you see: –
Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.
in Chrome, and: –
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb40028d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52195 -> 192.168.8.162:8443] [05:06:32.584379]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb400b3d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52196 -> 192.168.8.162:8443] [05:06:32.585419]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb800edd0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52197 -> 192.168.8.162:8443] [05:06:32.586475]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eac0115c0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52198 -> 192.168.8.162:8443] [05:06:32.587517]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb000e7b0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52199 -> 192.168.8.162:8443] [05:06:32.588528]

in the IHS error logs, chances are that you only have one certificate in the IHS SSL keystore or, to be more accurate, the root CA certificate is missing.
This can be validated as follows: –
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
*- clientcert

In other words, this shows that we only have the client certificate (sometimes known as the intermediate or “device” certificate) but not the CA certificate.
This is easily fixed: –
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.kdb -label myca -file test.cer
(this assumes that you’ve been following the previous post and have extracted the root CA certificate from the CA keystore into the file test.cer)
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
! myca
*- clientcert

Once IHS is restarted, all is well 🙂
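The check above can be scripted so that a keystore with a personal certificate but no trusted signer is flagged before it reaches a running server. This is an added example, not part of the original post: the function names are hypothetical, the two sample listings are constructed from the outputs shown above, and it assumes each entry line is the flag characters from the legend, a space, then the label.

```shell
#!/bin/sh
# Added example: audit the text printed by `gskcapicmd -cert -list` for the
# condition described in the post (personal certificate, no trusted signer).

# Constructed sample listings, modelled on the two outputs shown in the post.
LISTING_BEFORE='Certificates found
* default, - personal, ! trusted
*- clientcert'

LISTING_AFTER='Certificates found
* default, - personal, ! trusted
! myca
*- clientcert'

# classify_listing: read a listing on stdin, print "personal=N trusted=M".
# Flag characters before the label: "*" default, "-" personal, "!" trusted.
classify_listing() {
    awk '
        /^Certificates found/ { next }   # header line
        /^\* default,/        { next }   # legend line, not an entry
        /^[*!-]+ / {
            flags = $1
            if (index(flags, "-")) personal++
            if (index(flags, "!")) trusted++
        }
        END { printf "personal=%d trusted=%d\n", personal, trusted }
    '
}

# audit_listing: return 0 if a trusted signer is present, 1 if there are
# personal certificates but no trusted signer, 2 if the listing has neither.
audit_listing() {
    summary=$(classify_listing)
    personal=${summary#personal=}; personal=${personal%% *}
    trusted=${summary##*trusted=}
    if [ "$trusted" -gt 0 ]; then
        echo "OK: $summary"; return 0
    elif [ "$personal" -gt 0 ]; then
        echo "MISSING SIGNER: $summary (add the issuing CA certificate)"; return 1
    fi
    echo "EMPTY: $summary"; return 2
}

printf '%s\n' "$LISTING_BEFORE" | audit_listing || true
printf '%s\n' "$LISTING_AFTER"  | audit_listing
```

To use it against a real keystore, pipe the output of the listing command shown above into audit_listing and act on the exit status.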
