SSL0208E IKEYMAN VeriSign error | v.yeung
Upon installing the certificates received back from VeriSign, the following error may be shown in the error_log when trying to access the site via https:
[Tue Jun 29 10:34:37 2010] [error] [client 10.64.136.75] [e6968ff8] [10436] SSL0208E: SSL Handshake Failed, Certificate validation error. [10.64.136.75:1596 -> 10.34.77.5:443] [10:34:37.000732098]
The SSL0208E error signifies that a certificate is missing from the chain. There is no easy way to find out which certificate is missing, however, so more detailed tracing must be enabled.
In the httpd.conf file, add the following line at the end of the file:
SSLTrace
So your httpd.conf file may look something like this:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
    SSLEnable
</VirtualHost>
KeyFile /IBM/HTTPServer/keydatabase.kdb
SSLDisable
SSLTrace
Stop and restart the IBM HTTP Server using apachectl and try to access the site again via https. A new log file called gsktrace_log will now be written under the logs directory.
Most of gsktrace_log will be unreadable; however, searching for a few keywords will reveal more detailed information on which certificate may be missing from the chain.
In particular, look for the “Cert1” term and then the log detail below it. An example of part of a gsktrace_log is shown here:
GSKNativeValidator - Current built chain:
Cert1
DN: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network
S#: 0x1234567890d02f0f926098233f9fffff
Cert2
DN: CN=yourdomain.com,O=YOUR ORGANISATION NAME LTD,L=Sydney,ST=New South Wales,C=AU
S#: 0x3cc123f1a15b60a733cdc01234567890
.........
GSKMemoryDataSource - Looking for :
OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
.........
GSKMemoryDataSource - Trying:
CN=yourdomain.com,O=YOUR ORGANISATION NAME LTD,L=Sydney,ST=New South Wales,C=AU
.........
<and finally...>
... Dead End! Couldn't find any (more) issuer certificates. ...
The “Looking for :” section gives a clue as to which certificate is missing from your chain and causing the SSL0208E error: GSKit has built the chain as far as the intermediate CA, then searched the key database for that intermediate's issuer and failed to find it. In this particular case, the “Class 3 Public Primary Certification Authority” certificate is missing from IKEYMAN. The solution to this problem was to download the correct Root certificate from VeriSign and install it into IKEYMAN (just do a search for the certificate on Google). Once the IBM HTTP Server was stopped and started back up, https was up and working.
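As an added example (not part of the original post), the following Python script automates the search described above: it pulls the built chain and the "Looking for :" DNs out of a gsktrace_log and reports which issuer DN the validator wanted but could not find in the key database. The embedded trace is constructed from the excerpt above, not a real capture.

```python
"""Parse an IBM HTTP Server gsktrace_log excerpt and report which issuer
certificate the GSKit validator could not find in the key database (.kdb)."""

# Constructed sample modelled on the trace format shown above (not a real capture).
SAMPLE_TRACE = """\
GSKNativeValidator - Current built chain:
Cert1
DN: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network
S#: 0x1234567890d02f0f926098233f9fffff
Cert2
DN: CN=yourdomain.com,O=YOUR ORGANISATION NAME LTD,L=Sydney,ST=New South Wales,C=AU
S#: 0x3cc123f1a15b60a733cdc01234567890
GSKMemoryDataSource - Looking for :
OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US
GSKMemoryDataSource - Trying:
CN=yourdomain.com,O=YOUR ORGANISATION NAME LTD,L=Sydney,ST=New South Wales,C=AU
... Dead End! Couldn't find any (more) issuer certificates. ...
"""


def parse_gsktrace(text):
    """Return (chain_dns, looked_for_dns, dead_end) from a gsktrace_log body.

    chain_dns:      DNs listed under 'Current built chain:' (the 'DN:' lines)
    looked_for_dns: DNs on the line following each 'Looking for :' marker
    dead_end:       True if GSKit logged 'Dead End!' (no further issuer found)
    """
    lines = [line.rstrip("\n") for line in text.splitlines()]
    chain, looked_for, dead_end = [], [], False
    for i, line in enumerate(lines):
        if line.startswith("DN: "):
            chain.append(line[4:].strip())
        elif line.endswith("Looking for :") and i + 1 < len(lines):
            looked_for.append(lines[i + 1].strip())
        elif "Dead End!" in line:
            dead_end = True
    return chain, looked_for, dead_end


def missing_issuers(text):
    """DNs the validator searched for that never appeared in the built chain.

    Only meaningful when the trace ends in 'Dead End!'; those DNs are the
    CA certificates that need to be imported into the .kdb with IKEYMAN.
    """
    chain, looked_for, dead_end = parse_gsktrace(text)
    if not dead_end:
        return []
    present = set(chain)
    return [dn for dn in looked_for if dn not in present]


if __name__ == "__main__":
    for dn in missing_issuers(SAMPLE_TRACE):
        print("Missing issuer certificate in key database:", dn)
```

Run it against a real gsktrace_log by reading the file into a string and passing it to missing_issuers(); a chain that validates cleanly produces no "Dead End!" line and therefore an empty result.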