Resolving the error "Server certificate rejected by ChainVerifier".


Article ID: KB0089527


Products: TIBCO BusinessConnect
Versions: Not Applicable

Description:
============
The "Server certificate rejected by ChainVerifier" error is seen when sending an outbound message (over SSL) to a trading partner (TP).

Environment:
============
BusinessConnect all versions


Symptoms:
=========
When you send an outbound message from BusinessConnect (BC) to a TP using the HTTPS transport, you may see the following error:
****
Error sending request to Trading Partner: Message: Error connecting to host www.businessconnect.com at port 443 .

or

error sending HTTP/S message to https://businessconnect.com:443 received HTTP response "xxx". Error connecting to host businessconnect.com at port 443 . Server certificate rejected by ChainVerifier
****

Cause:
======
This issue can happen with:

1). a correct certificate, but bad trading partner configuration.
2). a bad certificate, but a good trading partner configuration.


Resolution:
===========

1). For the first cause, you can correct the BC configuration by configuring the correct certificate in:

A). Admin - BC - Participants - Participant Name - credentials. Verify the certificate and import the correct certificate if necessary.

B). Admin - BC - Participants - Participant Name - Protocol Name - Transports - https/ftps/as2-https and verify/correct the certificate that you have configured in the previous step (step-1) against "Server Certificate".

C). Verify that the configured transport (step-1) is using the correct certificate in
Admin - BC - BusinessAgreements - HostName-TPName - Protocol Name - Transports

D). Also verify and correct the transport, if you are overriding any transports in BusinessAgreements under
Admin - BC - BusinessAgreements - HostName-TPName - Protocol Name - Operation Bindings - Operation Name - Transports - Override Transports - Primary Transport


2). For the second cause, open the TP public certificate and see how many certificates are referenced and how many are present in the cert chain or certification path.

Our experience has shown that some trading partners may provide a different number of certificates as a reference, but their SSL connection may provide fewer certificates in the certificate chain that is presented as part of the SSL handshake. You can use third-party toolkits such as OpenSSL to verify the certificate chain presented by the trading partner. If fewer certificates are provided, BusinessConnect will try to look through its certificate store to find any CA certificates that are not part of the handshake. If these certificates are not found, you will get the ChainVerifier error.
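
As an added example (not part of the original article and not TIBCO tooling), the shell functions below use OpenSSL's s_client to capture the chain a trading partner presents and report how many certificates were sent and which issuer was left out of the handshake. The host name tp.example.com, the function names and the transcript in sample_transcript are constructed for illustration.

```shell
# Added example, not TIBCO code: summarize the chain a server presents in the handshake.

# fetch_chain HOST [PORT]: capture the s_client transcript with all presented certs.
fetch_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# chain_summary: read an s_client transcript on stdin and print
#   presented=<n>        certificates sent by the server
#   complete=yes         last certificate is self-signed (root was sent), or
#   missing_issuer=<DN>  issuer not sent in the handshake; must be in the local store
chain_summary() {
    awk '
        /^Certificate chain/        { in_chain = 1; next }
        in_chain && $0 == "---"     { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/  { n++; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        in_chain && /^ +i:/         { sub(/^ +i:/, ""); iss = $0 }
        END {
            print "presented=" (n + 0)
            if (n == 0) exit
            if (subj == iss) print "complete=yes"
            else print "missing_issuer=" iss
        }'
}

# Constructed transcript (hypothetical names, PEM bodies elided): leaf plus one
# intermediate, with the root left out of the handshake.
sample_transcript() {
    cat <<'EOF'
Certificate chain
 0 s:C = US, O = Example Partner, CN = tp.example.com
   i:C = US, O = Example Trust, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
 1 s:C = US, O = Example Trust, CN = Example Issuing CA
   i:C = US, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
---
EOF
}

sample_transcript | chain_summary
```

For a live check, pipe fetch_chain with the trading partner's host and port into chain_summary, then confirm that the CA named in missing_issuer is present in the BusinessConnect certificate store.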

If you still see the same error after trying the above two methods, the problem could be somewhere else. Please contact TIBCO Support if this occurs.
