Layer7 Access Management

Expand all | Collapse all

Certificate validation failed with message: Could not validate path.

  • 1.  Certificate validation failed with message: Could not validate path.

    Posted 09-18-2017 10:27 AM

    Hi

    I am configuring Reverse Proxy for Tableau application in CA Access Gateway R12.52. 

    I am getting below error:

     

    Can you tell what could be the issue?

    Please note that the root and intermediate of backend certificate is present in cabundle.crt

     

    SPSTrace.log

    Certificate for *** is not trusted or bad certificate

     

    Server.log":

    [18/Sep/2017:08:19:52-169] [INFO] - Certificate validation failed with message: Could not validate path.
    [18/Sep/2017:08:19:52-169] [INFO] - Cert chain (length 1) subjects:
    [18/Sep/2017:08:19:52-169] [INFO] - CN=*.***.com, O=***, L=Atlanta, ST=Georgia, C=US
    [18/Sep/2017:08:19:52-169] [INFO] - ***SEND Alert Fatal, Bad Certificate
    [18/Sep/2017:08:19:52-169] [INFO] - ***ENCRYPT: Plaintext (2): [
    0000: 02 2a [.* ]
    ]
    [18/Sep/2017:08:19:52-169] [INFO] - ***ENCRYPT: Ciphertext (2): [
    0000: 02 2a [.* ]
    ]
    [18/Sep/2017:08:19:52-242] [INFO] - Extended Random: [ Empty ]
    [18/Sep/2017:08:19:52-242] [INFO] - Record sent (83): [
    0000: 01 00 00 4f 03 01 59 bf b9 e8 3a 48 ec 68 67 f2 [...O..Y...:H.hg.]
    0010: ed bb be 2e 9e ee fc 53 9d 14 fd f4 30 23 dd cd [.......S....0#..]
    0020: 7b 08 11 df 02 46 00 00 28 00 38 00 39 00 35 00 [{....F..(.8.9.5.]
    0030: 36 00 37 00 32 00 33 00 2f 00 30 00 31 00 13 00 [6.7.2.3./.0.1...]
    0040: 16 00 0a 00 0d 00 01 00 04 00 09 00 03 00 06 00 [................]
    0050: ff 01 00 [... ]
    ]
    [18/Sep/2017:08:19:52-242] [INFO] - ***WRITE ClientHello
    [18/Sep/2017:08:19:52-242] [INFO] - ProtocolVersion: TLSv1
    [18/Sep/2017:08:19:52-242] [INFO] - Client Random: [

    Certificate validation failed with message: Could not validate path.

     

    Regards

    Rikash



  • 2.  Re: Certificate validation failed with message: Could not validate path.

    Posted 09-18-2017 12:30 PM

    This is a generic error. I did a google search for this error and results were interesting.

     

    For e.g.

    https://support.microsoft.com/en-us/help/2831004/certificate-validation-fails-when-a-certificate-has-multiple-trusted-c

     

    I would start by looking at the CA AG configuration files i.e. httpd-ssl.conf within <SPS_HOME>/secure-proxy/httpd/conf/extra

     

    Can we start by creating a new file which holds just the RootCA and IntermediateCA, then replace SSLCACertificateFile filename from cacert.bundle to the new filename. Restart CA AG, then test.



  • 3.  Re: Certificate validation failed with message: Could not validate path.

    Posted 09-19-2017 08:08 AM

    Hi Hubert,

     

    I created a separate file - add the root and intermediate cert. intermediate1->root1 intermediate2>root1

    pointed this file into SSLCACertificateFile of httpd-ssl.conf, restarted AG. but still not working

     

    Please note that we have one root and two intermediate cert.

     

    Regards

    Rikash



  • 4.  Re: Certificate validation failed with message: Could not validate path.

    Posted 09-19-2017 09:59 AM

    Perspective-1 :

     

    Primarily we are looking at the following parameters in <SPS_HOME>/secure-proxy/httpd/conf/extra/httpd-ssl.conf

     

    SSLCACertificatePath "/smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/SSL/certs"
    SSLCACertificateFile "/smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/SSL/certs/rootBundle.cert"

     

    #SSLCertificateChainFile "/smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/SSL/certs/ca.crt"

     

     

    SSLCertificateChainFile is obsolete or deprecated after 2.4.8. We can check the version of Apache being shipped with CA AG by going to <SPS_HOME>/secure-proxy/httpd/bin and running "./httpd -V" (source the ca_sps_env.sh first).

     

    Thus when we add intermediate rootCA's certs to "SSLCACertificateFile" it should be added in a particular format i.e. "sorted from leaf to root". In our case the Intermediate Certificate signing the Server Certificate should be first, followed by the other intermediate root CA and lastly the Root CA.

     

    Perspective-2 :

     

    Steps to enable server logs in debug mode -


    Go to SPS_HOME\secure-proxy\Tomcat\properties\logger.properties and modify the following lines from
    log4j.rootCategory=INFO,SvrFileAppender
    to
    log4j.rootCategory=ALL,SvrFileAppender

     

    Let us now see if we get a few more lines in the server.log to see what exactly the issue could be.

     

     

    Perspective-3 :

     

    If we intend to raise a support case, then also run a strace and upload the strace output e.g. "strace -Ff -t -i -v -o strace.log -s 16384 <command>".

    strace -Ff -t -i -v -o strace.log -s 16384 ./sps-ctl startssl

     

     

    Regards

    Hubert