SAP Knowledge Base Article - Preview

3058113 - Wrong server certificate causes "Peer certificate rejected by chain verifier" error

Symptom

  • You have a scenario where PI/PO sends data to a server, but the communication fails with the error "Peer certificate rejected by chain verifier".
  • When checking the handshake in the XPI Inspector trace (example 11 or 50), you see the following:

ssl_debug(515659): Starting handshake (iSaSiLk 5.104)...
ssl_debug(515659): Sending v3 client_hello message to xxxxxx:xxx, requesting version 3.3...
ssl_debug(515659): Sending extensions: renegotiation_info (65281), signature_algorithms (13)
ssl_debug(515659): Received v3 server_hello handshake message.
ssl_debug(515659): Server selected SSL version 3.3.
ssl_debug(515659): Server created new session
ssl_debug(515659): CipherSuite selected by server: TLS_RSA_WITH_AES_128_GCM_SHA256
ssl_debug(515659): CompressionMethod selected by server: NULL
ssl_debug(515659): TLS extensions sent by the server: renegotiation_info (65281)
ssl_debug(515659): Server supports secure renegotiation.
ssl_debug(515659): Received certificate handshake message with server certificate.
ssl_debug(515659): Server sent a 1024 bit RSA certificate, chain has 1 elements.
Trusted certs in the verifier - xx, in the session - xx
Subject DN duplicates detected.
Is the chain ordered? true
ORIGINAL CHAIN
chain index #0
Subject: OU=DummyCertificate,O=DummyCertificate ,EMAIL=DummyCertificate@DummyCertificate.com,C=US,ST=SC,CN=www.DummyCertificate.com
Issuer: EMAIL=DummyCertificate@DummyCertificate.com ,CN=www.DummyCertificate.com,OU=Test CA,O=Dummy Ltd,L=Dummy City,ST=SC,C=US
...

...
ssl_debug(515659): ChainVerifier: No trusted certificate found, rejected.

  • You realize that an incorrect server certificate is being sent.
  • SNI extension is not enabled in your PI/PO system.
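
A triage sketch added here (not SAP's code and not part of the KBA): it parses an ssl_debug trace in the format shown above and flags handshakes where the ChainVerifier rejection coincides with a client_hello that carried no server_name extension (type 0, RFC 6066). The function and field names are assumptions, and lines without an ssl_debug prefix are attributed to the most recent session.

```python
import re

SERVER_NAME_EXT = 0  # TLS extension type of server_name (SNI), RFC 6066

# Constructed sample: lines taken from the trace in the Symptom section.
TRACE = """\
ssl_debug(515659): Starting handshake (iSaSiLk 5.104)...
ssl_debug(515659): Sending v3 client_hello message to xxxxxx:xxx, requesting version 3.3...
ssl_debug(515659): Sending extensions: renegotiation_info (65281), signature_algorithms (13)
ssl_debug(515659): Server sent a 1024 bit RSA certificate, chain has 1 elements.
chain index #0
Subject: OU=DummyCertificate,O=DummyCertificate ,EMAIL=DummyCertificate@DummyCertificate.com,C=US,ST=SC,CN=www.DummyCertificate.com
ssl_debug(515659): ChainVerifier: No trusted certificate found, rejected.
"""


def triage(trace):
    """Return {session_id: findings} for every handshake in an ssl_debug trace."""
    sessions, cur = {}, None
    for line in trace.splitlines():
        m = re.match(r"ssl_debug\((\d+)\): (.*)", line)
        if m:
            cur = sessions.setdefault(m.group(1), {
                "sent_ext": set(), "chain_len": None,
                "leaf_cn": None, "rejected": False})
            msg = m.group(2)
            if msg.startswith("Sending extensions:"):
                # Extension type ids are printed in parentheses after each name.
                cur["sent_ext"] = {int(n) for n in re.findall(r"\((\d+)\)", msg)}
            elif c := re.search(r"chain has (\d+) elements", msg):
                cur["chain_len"] = int(c.group(1))
            elif "ChainVerifier: No trusted certificate found" in msg:
                cur["rejected"] = True
        elif cur and line.startswith("Subject:") and cur["leaf_cn"] is None:
            # Assumption: unprefixed lines belong to the most recent session;
            # the first Subject line is chain index #0, the server certificate.
            cn = re.search(r"CN=([^,]+)", line)
            cur["leaf_cn"] = cn.group(1).strip() if cn else None
    for f in sessions.values():
        f["sni_sent"] = SERVER_NAME_EXT in f["sent_ext"]
        # Symptom on this page: chain rejected and no server_name in client_hello.
        f["matches_symptom"] = f["rejected"] and not f["sni_sent"]
    return sessions


if __name__ == "__main__":
    for sid, findings in triage(TRACE).items():
        print(sid, findings)
```

Comparing the reported leaf_cn with the host name configured in the receiver channel shows whether the server answered with a certificate for a different virtual host.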



Environment

  • PI Release Independent
  • SAP NetWeaver
  • SAP Process Integration
  • SAP Process Orchestration

Product

SAP NetWeaver 7.3 ; SAP NetWeaver 7.4 ; SAP NetWeaver 7.5

Keywords

ssl pi xi adapter soap, TLS handshake failure, SNI extension, Exception sending message: java.net.SocketException: Broken pipe (Write failed), This site works only in browsers with SNI support, certs, certificate, nota fiscal eletronica, peer certificate reject by chain verifier, connection reset, certificate authority, CA, trustedca, trustedcas, certificates, bad certificate, Process Integration 7.0, PI 7.0, PI 7.01, PI 7.02, Process Integration 7.10, PI 7.10, Process Integration 7.11, PI 7.11, Process Integration 7.30, PI 7.30, Process Integration 7.31, PI 7.31, Process Orchestration 7.40, PI 7.40, PO 7.40, Process Orchestration 7.50, PI 7.50, PO 7.50, NetWeaver, XI, keystore , KBA , BC-XI-CON-AFW-SEC , Security , How To

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).
