
Artix client is unable to establish a secure connection with an HTTPS endpoint

  • May 17, 2013

Summary: Artix client is unable to establish a secure connection with an HTTPS endpoint
Article Number: 13575
Environment: All Supported Operating Systems; Artix C Runtime; Artix JAX-RPC Runtime; Artix 4.x; Artix 5.x
Question/Problem Description: Artix client is unable to establish a secure connection with an HTTPS endpoint.
The error indicates BAD_CERTIFICATE while trying to establish a secure connection with a remote web service from an Artix client.
Typical error output:

Fri, 31 Jul 2009 21:47:14.0000000 [hostname:29175]
(IT_GenericSecurityToolkit:50) E - External Toolkit Error: Certificate Chain Rejected.
Certificate[0]
Subject:C=US, ST=state, L=city, O=Company Services, Inc., OU=test, CN=company.com
Issuer:C=US, O=mytrustedauthority, Inc., OU=mytrustedauthority Trust Network, OU=Terms of use at
https://www.mytrustedauthority.com/rpa (c)09, CN=mytrustedauthority Class 3 Secure Server CA - G2
Fri, 31 Jul 2009 21:47:14.0000000 [hostname:29175]
(IT_GenericSecurityToolkit:50) E - External Toolkit Error: Certificate Chain Rejected.
Certificate[1]
Subject:C=US, O=mytrustedauthority, Inc., OU=mytrustedauthority Trust Network, OU=Terms of use at
https://www.mytrustedauthority.com/rpa (c)09, CN=mytrustedauthority Class 3 Secure Server CA - G2
Issuer:C=US, O=mytrustedauthority, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 mytrustedauthority, Inc. - For authorized use only, OU=mytrustedauthority Trust Network
Fri, 31 Jul 2009 21:47:14.0000000 [hostname:29175]
(IT_GenericSecurityToolkit:50) E - External Toolkit Error: Certificate Chain Rejected.
Certificate[2]
Subject:C=US, O=mytrustedauthority, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 mytrustedauthority, Inc. - For authorized use only, OU=mytrustedauthority Trust Network
Issuer:C=US, O=mytrustedauthority, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 mytrustedauthority, Inc. - For authorized use only, OU=mytrustedauthority Trust Network
Fri, 31 Jul 2009 21:47:14.0000000 [hostname:29175]
(IT_GenericSecurityToolkit:50) E - External Toolkit Error: Handshake error: SENT_ALERT_FATAL_BAD_CERTIFICATE
Fri, 31 Jul 2009 21:47:14.0000000 [hostname:29175]
(IT_GenericSecurityToolkit:50) E - External Toolkit Error: Handshake failure.
Fri, 31 Jul 2009 21:47:14.0000000 [hostname:29175]
(IT_ATLI_TLS:101) E - Failure creating connection to localhost.8443. Minor code (BAD_CERTIFICATE). Reason: Handshake error: SENT_ALERT_FATAL_BAD_CERTIFICATE
Cause: This error is typically displayed when a client trying to establish a connection with a secured server uses an invalid or incomplete trusted root certificate. In particular, if the certificate is a chained certificate, this error is reported when the trusted root certificate configured for the client does not include all of its related chained certificates.
Resolution: Ensure the trusted root certificate used by the client is the correct one. If it is a chained certificate, make sure the certificate file contains all certificates associated with the chain.

Also, when dealing with chained certificates, make sure the Artix client is configured to read certificates with chain lengths larger than 2. This can be done via the following configuration variable:

policies:max_chain_length_policy = "<VALUE>";

This variable defaults to a value of 2. If you are using a chained certificate with more than 2 chained certificates, you'll need to set this variable to the corresponding value.
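
To choose the value, the rejected chain can be read back out of the error log. The script below is an added example, not vendor code: the function names are hypothetical, the sample log is constructed from the output shown above with shortened names, and it assumes the limit counts every certificate in the chain.

```python
import re

# Constructed sample, shortened from the error output shown in this article.
SAMPLE_LOG = """\
(IT_GenericSecurityToolkit:50) E - External Toolkit Error: Certificate Chain Rejected.
Certificate[0]
Subject:C=US, O=Company Services, Inc., CN=company.com
Issuer:C=US, O=mytrustedauthority, Inc., OU=Terms of use at
https://www.mytrustedauthority.com/rpa (c)09, CN=Secure Server CA - G2
Fri, 31 Jul 2009 21:47:14.0000000 [hostname:29175]
(IT_GenericSecurityToolkit:50) E - External Toolkit Error: Certificate Chain Rejected.
Certificate[1]
Subject:C=US, O=mytrustedauthority, Inc., OU=Terms of use at
https://www.mytrustedauthority.com/rpa (c)09, CN=Secure Server CA - G2
Issuer:C=US, O=mytrustedauthority, Inc., OU=Primary CA - G2
Certificate[2]
Subject:C=US, O=mytrustedauthority, Inc., OU=Primary CA - G2
Issuer:C=US, O=mytrustedauthority, Inc., OU=Primary CA - G2
(IT_GenericSecurityToolkit:50) E - External Toolkit Error: Handshake failure.
"""

def parse_rejected_chain(log_text):
    """Return [{'subject': ..., 'issuer': ...}] ordered by Certificate[N] index."""
    certs, cur, field = {}, None, None
    for line in log_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"Certificate\[(\d+)\]", line)
        if m:
            cur = certs.setdefault(int(m.group(1)), {"subject": "", "issuer": ""})
            field = None
        elif line.startswith(("Subject:", "Issuer:")) and cur is not None:
            key, _, value = line.partition(":")
            field = key.lower()
            cur[field] = value.strip()
        elif field and line and not re.match(r"\(IT_\w+:\d+\)|\w{3}, \d", line):
            cur[field] += " " + line  # DN wrapped onto the next log line
        else:
            field = None  # timestamp or toolkit message ends the DN
    return [certs[i] for i in sorted(certs)]

def diagnose(chain, max_chain_length=2):
    """Assumption: the limit counts every certificate in the chain, leaf included."""
    last = chain[-1] if chain else {"subject": None, "issuer": ""}
    return {
        "chain_length": len(chain),
        "links_consistent": all(a["issuer"] == b["subject"] for a, b in zip(chain, chain[1:])),
        "ends_in_self_signed_root": last["subject"] == last["issuer"],
        "exceeds_limit": len(chain) > max_chain_length,
        "root_to_trust": last["subject"],
    }
```

Calling `diagnose(parse_rejected_chain(SAMPLE_LOG))` reports a three-certificate chain that exceeds the default limit of 2, and names the self-signed root that has to be present in the client's trusted certificate file.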

Created date: 06 September 2011
Last Modified: 13 February 2013
Last Published: 23 June 2012
First Published date: 09 September 2011
