Hi,

We are currently planning to move from SA 16.0.0.2305 to SA 17.0.6.2757. When starting a rebuilt DB on v17 server with the exact same parameters as with the v16 server, there is a certificate error:

E. 04/06 14:30:21. 'D:\cert.pem' contains an expired certificate.

-xs https(port=5086;dbn=QcDemo;identity=D:\cert.pem;identity_password=****)

The certificate is definitely not expired (valid until June 17), it's working without problem on SA16. I tried adding the ALLOW_EXPIRED_CERTS=ON protocol option, but now I received this error:

E. 04/06 14:49:25. Error parsing certificate file, error code 0x0d0680a8

Any help would be appreciated. Thank you.
The viewcert reports the same information from both versions. Also, both versions are on the same server and accessing the same certificate file (exact same path).

I was able to fix one problem. My certificate had some text in the file, 'Bag Attributes ...', before the 'BEGIN CERTIFICATE' line. This caused no problem in SA16, but must be removed with SA17. I was able to start the SA17 server with the option to allow expired certificates (viewcert reports my certificate expires on Jun 18, 2017 18:59:59).

But now there is a new problem: every time I access a web service, I always get a 400 Bad Request error (tried with Firefox, Chrome and IE). Is there some server flag that I could enable to help trace this problem?
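The 'Bag Attributes' cleanup described in the post above can be scripted rather than done by hand. This is an added example, not part of the original thread: it keeps only the PEM blocks of an identity file and reports the annotation lines it drops. The function name clean_pem and the sample input are constructed for illustration.

```python
import base64
import re

# One PEM block; the label after BEGIN must match the label after END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def clean_pem(text):
    """Return (cleaned_text, block_labels, dropped_lines) for a PEM file."""
    blocks, labels = [], []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2).replace("\r", "")
        # Legacy encrypted keys put headers (Proc-Type, DEK-Info) and a blank
        # line inside the block; only the part after that line is base64.
        payload = body.split("\n\n", 1)[1] if "\n\n" in body else body
        try:
            base64.b64decode("".join(payload.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"{label} block is not valid base64") from exc
        labels.append(label)
        blocks.append(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    if not blocks:
        raise ValueError("no PEM blocks found")
    # Everything outside the blocks is annotation text such as 'Bag Attributes'.
    outside = PEM_BLOCK.sub("", text)
    dropped = [line.strip() for line in outside.splitlines() if line.strip()]
    return "".join(blocks), labels, dropped

# Constructed sample: the body is placeholder base64, not a real certificate or key.
_BODY = base64.b64encode(b"constructed placeholder, not real key material").decode()
SAMPLE = (
    "Bag Attributes\n"
    "    localKeyID: 01 00 00 00\n"
    "subject=/CN=example.invalid\n"
    "issuer=/CN=example.invalid\n"
    f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
    "Bag Attributes\n"
    "    localKeyID: 01 00 00 00\n"
    "Key Attributes: <No Attributes>\n"
    f"-----BEGIN PRIVATE KEY-----\n{_BODY}\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    cleaned, labels, dropped = clean_pem(SAMPLE)
    print("kept blocks:", labels)
    print("dropped lines:", dropped)
    print(cleaned, end="")
```

Write the cleaned text to a new file and check it with viewcert before pointing the identity option at it, so the original file stays available for comparison.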
The error code does not tell us too much ... I would suspect there is a bad copy or the certificate files were crossed over somehow.
The only obvious difference I can see between those two versions is that the SA16 build is shipped with OpenSSL 1.0.1t and the SA17 one is OpenSSL 1.0.2j.
There may be a chance that OpenSSL 1.0.2 may treat certificates differently than 1.0.1.
If ViewCert at both versions (on the copies at each system) does show any errors or differences then you may need to supply the certificates to product support to help identify where this is failing.
Again not much to go on there. A 400 status code usually indicates a malformed request. You can get that if your service definition throws that directly, or something is amiss (like exceeding your MaxRequestVars setting if you have added that feature).
If nothing in this reply helps, you should maybe start a new thread with a few more details (like create service definitions etc.).
If you can try this without using HTTPS you may be able to trace it out easier. Either way you could try diagnosing this by adding LOGFILE and LOGOPT protocol options to your -xs listener.