Oops!
And more:
SSL0234W: SSL Handshake Failed, The certificate sent by the peer has expired or is invalid ....
Certificate validation error during handshake, last PKIX/RFC3280 certificate validation error was GSKVAL_ERROR_NO_CHAIN_BUILT blah blah blah ...
That's what I got while trying to set up a reverse proxy with IBM HTTP Server (IHS) in front of a target web server that had a GeoTrust SSL cert installed; it cost me a nice Friday evening :(. The basic Apache version of the HTTP server works fine. If any of you run into this problem, the following quick tips should make your day a beautiful one.
- The handshake failed, so the problem should be with how your cert is set up
- The basic Apache version works just fine, so it must be something related to mod_ibm_ssl, which IHS uses and which validates more strictly (Apache uses mod_ssl)
I came up with a quick fix: simply add the target machine's root CA cert to my IHS cert store (the .kdb file).
- Download the root CA cert for the cert used by the target machine. In my case it was GeoTrust (and I struggled to figure out which one to use from the confusing long list GeoTrust provides: http://www.geotrust.com/resources/root-certificates/ . It turns out that Root 2 is the right one: http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem)
- Use the ikeyman tool to open the .kdb file your IHS uses and import (retrieve) the root CA you just downloaded.
- Restart your IHS and you're all set.
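Two checks worth running before importing anything into the .kdb, as an added example that is not part of the original post: read the issuer off the peer's cert to learn which root you actually need, and confirm a chain builds against the candidate root with openssl. It reproduces the "no chain built" situation offline with a throwaway CA; all names (Example Root CA, Other Root CA, target.example) are constructed for this demo.

```shell
#!/bin/sh
# Added example: diagnose a "no chain built" failure with openssl before touching the .kdb.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA; "$1" is the file stem, "$2" the CN (constructed for the demo).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf cert for the target web server, issued by the root in $WORK/root.pem.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=target.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# Check 1: the issuer DN on the peer's cert names the CA you have to fetch
# (this answers "which root from the vendor's list?" without guessing).
leaf_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Check 2: does a chain build from leaf "$1" to a root in CA file "$2"?
# Exit 0 if yes, 1 if not (the openssl-side equivalent of GSKVAL_ERROR_NO_CHAIN_BUILT).
chain_builds() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_root root "Example Root CA"
make_root other "Other Root CA"   # a plausible-looking but wrong root
make_leaf

leaf_issuer "$WORK/leaf.pem"
for ca in other root; do
  if chain_builds "$WORK/leaf.pem" "$WORK/$ca.pem"; then
    echo "$ca.pem: chain built, safe to import into the .kdb"
  else
    echo "$ca.pem: no chain built, this is not the issuing root"
  fi
done
```

Run the same two checks against the real peer cert (saved from the browser or from openssl s_client) and the root you downloaded; only import the one for which a chain builds.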
Hope this helps.
1 comment:
Exactly what I needed! Thanks a lot! For those who want to add the root CA use command like this:
gsk7capicmd -cert -add -db /tmp/mytest.kdb -pw ****** -label GoDaddyRootCertificateAuthority-G2.crt -file /tmp/GoDaddyRootCertificateAuthority-G2.crt