Wednesday, 17 April 2013

More on IHS and SSL - SSL0208E: SSL Handshake Failed, Certificate validation error

Following on from my earlier post: -

Creating and working with a SSL Certificate Authority in IBM HTTP Server

if you see: -

Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.

in Chrome, and: -

[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb40028d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52195 -> 192.168.8.162:8443] [05:06:32.584379]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb400b3d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52196 -> 192.168.8.162:8443] [05:06:32.585419]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb800edd0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52197 -> 192.168.8.162:8443] [05:06:32.586475]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eac0115c0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52198 -> 192.168.8.162:8443] [05:06:32.587517]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb000e7b0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52199 -> 192.168.8.162:8443] [05:06:32.588528]


in the IHS error logs, chances are that the IHS SSL keystore holds only one certificate or, to be more accurate, that the root CA certificate which signed it is missing, so IHS cannot build a trusted chain during the handshake.

This can be validated as follows: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
*- clientcert


In other words, this shows that we only have the client certificate (sometimes known as the intermediate or "device" certificate) but not the CA certificate: there is no entry flagged "!" (trusted).

This is easily fixed: -

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.kdb -label myca -file test.cer

(this assumes that you've been following the previous post and have extracted the root CA certificate from the CA keystore into the file test.cer)

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
! myca
*- clientcert


Once IHS is restarted, all is well :-)
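To make the two checks above repeatable, here is an added example (my own script, not from the original post or from IBM): one helper tallies SSL0208E handshake failures per client IP from an IHS error_log, the other inspects a gskcapicmd -cert -list listing and succeeds only when a trusted ("!") CA entry is present. Both read stdin, so on a real server you can pipe the live error_log or the gskcapicmd output into them; the log excerpt and keystore listings embedded below are constructed samples in the format shown in the post (the second client IP, 192.168.8.5, is made up).

```shell
#!/bin/sh
# Added example, not from the original post or from IBM: triage helpers for the
# SSL0208E "Certificate validation error" symptom. Both functions read text on
# stdin, e.g.
#   cat /opt/IBM/HTTPServer/logs/error_log | count_ssl0208e
#   /opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb | kdb_has_trusted_ca

# count_ssl0208e: tally SSL0208E handshake failures per client IP.
# Prints one "<ip> <count>" line per client, sorted; prints nothing if none.
count_ssl0208e() {
  awk '/SSL0208E: SSL Handshake Failed/ {
         if (match($0, /\[client [^]]*\]/)) {
           ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
           n[ip]++
         }
       }
       END { for (ip in n) print ip, n[ip] }' | LC_ALL=C sort
}

# kdb_has_trusted_ca: exit 0 only if the keystore listing contains at least one
# entry flagged "!" (trusted signer / CA certificate). The legend line
# "* default, - personal, ! trusted" never matches because a letter follows "*".
kdb_has_trusted_ca() {
  grep -q '^[^[:alnum:]]*![[:space:]]'
}

# Constructed sample error_log excerpt: three failed handshakes from 192.168.8.1,
# one unrelated line, and one failure from a second (made-up) client.
SAMPLE_LOG='[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb40028d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52195 -> 192.168.8.162:8443] [05:06:32.584379]
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb400b3d0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52196 -> 192.168.8.162:8443] [05:06:32.585419]
[Wed Apr 17 05:06:33 2013] [notice] [client 192.168.8.1] constructed unrelated notice line
[Wed Apr 17 05:06:32 2013] [error] [client 192.168.8.1] [7f0eb800edd0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.1:52197 -> 192.168.8.162:8443] [05:06:32.586475]
[Wed Apr 17 05:06:40 2013] [error] [client 192.168.8.5] [7f0eac0115c0] [5144] SSL0208E: SSL Handshake Failed, Certificate validation error. [192.168.8.5:40001 -> 192.168.8.162:8443] [05:06:40.100000]'

# Constructed keystore listings: the broken state (personal cert only) and the
# fixed state (root CA added under the label myca).
BROKEN_LISTING='Certificates found
* default, - personal, ! trusted
*- clientcert'

FIXED_LISTING='Certificates found
* default, - personal, ! trusted
! myca
*- clientcert'

echo "SSL0208E failures per client:"
printf '%s\n' "$SAMPLE_LOG" | count_ssl0208e

for listing in "$BROKEN_LISTING" "$FIXED_LISTING"; do
  if printf '%s\n' "$listing" | kdb_has_trusted_ca; then
    echo "keystore: trusted CA entry present, IHS can build the chain"
  else
    echo "keystore: no trusted CA entry, add the root CA (gskcapicmd -cert -add) and restart IHS"
  fi
done
```

A burst of SSL0208E lines from one client at one timestamp, as in the post, is what a browser retrying its connection looks like; the per-client tally separates that from a single client with a genuinely bad certificate. The keystore check is the cheap thing to run before digging into ciphers or protocol versions.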

