Failing to access IDR Web resources with certificate chain not verified symptoms
Article Number
Issue
Caused by: javax.net.ssl.SSLException: Certificate not verified. at com.rsa.sslj.x.aI.b(Unknown Source) at com.rsa.sslj.x.aI.a(Unknown Source) at com.rsa.sslj.x.aI.a(Unknown Source) at com.rsa.sslj.x.aK.unwrap(Unknown Source) at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282) at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372) at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ... 33 more Caused by: com.rsa.sslj.x.aL: Certificate not verified. at com.rsa.sslj.x.bm.a(Unknown Source) at com.rsa.sslj.x.bm.a(Unknown Source) at com.rsa.sslj.x.bm.a(Unknown Source) ... 39 more Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Could not validate path. at com.rsa.sslj.x.cq.a(Unknown Source) at com.rsa.sslj.x.cq.checkServerTrusted(Unknown Source) at com.rsa.sslj.x.cq.checkServerTrusted(Unknown Source) at com.rsa.sslj.x.aF.a(Unknown Source)
Cause
IDR v2.17 uses mod_ssl which relies on Admin to upload the certificate chain in ordered manner in Admin console -> Company Settings page.
If the uploaded chain is not ordered properly from leaf issuer to desired issue or upto root certificate authority, the clients having strict validation will fail to establish SSL connection, leading to inaccessible web resource.
Resolution
1. To find if the order is wrong, please access IDR Portal or setup page or use openssl s_client connect tool. Verify the certificate chain returned is ordered properly.
2. If not so, reorder the chain in any text editor. Starts with the issuing CA certificate of the server certificate and keep appending its issuer till desired intermediate issuer or you reach upto the root CA certificate.
3. Upload it in Admin console and Publish.
4. After publishing re-verify the cert chain by following step#1.
Workaround
Related Articles
Identity not found for certificate Number of Views Test Connection to an Identity Source from a Replica Number of Views Cloud Administration Update Hardware Token Name API Number of Views HTTP 401 Unauthorized occurred while changing the password in the webservice node in the workflow in RSA Governance and Li… Number of Views Trying to login on the IDR web portal using IWA gives error : Key set does not exist Number of Views
Trending Articles
RSA Authentication Manager 8.3 Dell 630 and 230 hardware appliance loses ability to access keyboard when running PING 4.0 … RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Troubleshooting RSA MFA Agent for Microsoft Windows RSA Release Notes for RSA Authentication Manager 8.8 How to Download OTP Token Seed Files from myRSA
Don't see what you're looking for?
