|
Hi, We are currently planning to move from SA 16.0.0.2305 to SA 17.0.6.2757. When starting a rebuilt DB on v17 server with the exact same parameters as with the v16 server, there is a certificate error: E. 04/06 14:30:21. 'D:\cert.pem' contains an expired certificate. -xs https(port=5086;dbn=QcDemo;identity=D:\cert.pem;identity_password=****) The certificate is definitely not expired (valid until June 17), it's working without problem on SA16. I tried adding the ALLOW_EXPIRED_CERTS=ON protocol option, but now I received this error: E. 04/06 14:49:25. Error parsing certificate file, error code 0x0d0680a8 Any help would be appreciated. thank you |
|
The viewcert report the same information from both version. Also, both version are on the same server and accessing the same certificate file (exact same path). I was able to fix one problem. My certificate had some text in the file 'Bag Attributes ...' before the 'BEGIN CERTIFICATE' line, this caused no problem in SA16, but must be removed with SA17. I was able the start the SA17 server with the option to allow expired certificate (viewcert report my certificate expires on Jun 18, 2017 18:59:59). But now there is a new problem, every time I access a web service, I always get a 400 Bad request error (tried with FireFox, Chrome and IE). Is there some server flag that I could enable to help trace this problem ? |
The error code does not tell us too much ... I would suspect there is a bad copy or the certificate files were crossed over somehow.
The only obvious difference I can see between those two versions is that the SA16 build is shipped with OpenSSL 1.0.1t and the SA17 on is OpenSSL 1.0.2j.
There may be a chance that OpenSSL 1.0.2 may treat certificates differently than 1.0.1.
If ViewCert at both versions (on the copies at each system) does show any errors or differences then you may need to supply the certificates to product support to help identify where this is failing.
Again not much to go on there. A 400 status code usually indicates a malformed request. You can get that if your service definition throws that directly, or something is amiss (like exceeding your MaxRequestVars setting if you have added that feature).
If nothing in this reply helps, you should maybe start a new thread with a few more details (like create service definitions etc.).
If you can try this without using HTTPS you may be able to trace it out easier. Either way you could try diagnosing this by adding LOGFILE and LOGOPT protocol options to your -xs listener.