Server certificate rejected by ChainVerifier

Our system is wM 6.1, their system wM 6.1.
Task: send via HTTPS.
They can send to us via HTTPS with no problem.
We receive the ‘Server certificate rejected by ChainVerifier’ when sending to them via HTTPS. We do not receive this error sending HTTP.

Our setup is that they send to our proxy server and we use reverse invokes.
Their setup is that we send directly to their wM box.

Any suggestions?
Thanks,
Todd Jordan

Have you tried hitting their HTTPS URL via browser and opening their cert to see which CAs are in their chain? And perhaps if one of them is expired? We had a similar issue recently when a customer's cert was using a particular Verisign CA in their chain that had expired (http://www.verisign.com/support/vendors/exp-gsid-ssl.html).

Most common reasons for this message:

  • certificate expired
  • server certificate not signed by a trusted CA

If you have openssl available, you can use it to test the connection as well. It provides a lot more detail than browsers...

$ openssl s_client -connect myhost:443 -CAfile cacert.pem -state

Verify the “watt.security” properties in /config/server.cnf. Some of them point to the folders that contain your certificates.

As a temporary workaround you may switch off the chain verification by setting

watt.security.cert.wmChainVerifier.trustByDefault=true

Good luck!
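
Added example, not part of the original thread: a shell helper that reads the output of the openssl s_client command shown above and maps its verify error codes onto the two common causes listed in the thread (expired certificate, untrusted CA). The function name classify_verify and both sample outputs are constructed for illustration; the numeric codes are OpenSSL's standard X.509 verify result codes.

```shell
# Capture real output first (host and CA file are the thread's placeholders):
#   openssl s_client -connect myhost:443 -CAfile cacert.pem -state </dev/null >out.txt 2>&1
# classify_verify (hypothetical helper): reads s_client output on stdin and prints
# "depth=<n> code=<num> reason=<class>" per verify error, then the final code.
classify_verify() {
  awk '
    function classify(c) {
      c = c + 0                                      # force numeric comparison
      if (c == 0)  return "ok"
      if (c == 10) return "expired"                  # certificate has expired
      if (c == 9)  return "not-yet-valid"
      if (c >= 18 && c <= 21) return "untrusted-ca"  # self-signed or issuer not found
      return "other"
    }
    /^depth=[0-9]+/ { split($1, d, "="); depth = d[2] }   # position in the chain
    /^verify error:num=[0-9]+:/ {
      split($0, p, ":"); sub(/^num=/, "", p[2])
      printf "depth=%s code=%s reason=%s\n", depth, p[2], classify(p[2])
    }
    /Verify return code: [0-9]+/ { for (i = 1; i < NF; i++) if ($i == "code:") final = $(i + 1) }
    END { if (final != "") printf "final code=%s reason=%s\n", final, classify(final) }
  '
}

# Constructed sample: an intermediate CA in the chain has expired.
sample_expired() {
  cat <<'EOF'
depth=1 C = XX, O = Constructed CA, CN = Constructed Intermediate
verify error:num=10:certificate has expired
notAfter=Jan  1 00:00:00 2004 GMT
verify return:1
depth=0 C = XX, O = Partner, CN = myhost
verify return:1
    Verify return code: 10 (certificate has expired)
EOF
}

# Constructed sample: the issuing CA is missing from the trusted CA file.
sample_untrusted() {
  cat <<'EOF'
depth=0 C = XX, O = Partner, CN = myhost
verify error:num=20:unable to get local issuer certificate
verify return:1
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}
sample_expired | classify_verify
sample_untrusted | classify_verify
```

The depth value shows which certificate in the chain failed: 0 is the server's own certificate, higher numbers are the CAs above it.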