DX Unified Infrastructure Management

  • 1.  Tunnel Status Error

    Posted Feb 19, 2019 09:08 PM

    Hello Good Day!

     

    We started seeing this error "SSL connection to XX.XX.XX.XX/48003 failed. Please check the server log for more information! Reason: Certificate verify failed" in tunnel status. We tried to reissue and recreate the tunnel but no luck. Telnet to tunnel port 48003 shows connected. Has anyone come across this issue? Kindly let us know how to fix it.

    Log from hub where tunnel client is configured

     

    Feb 19 20:41:14:077 [11204] hub: SSL handshake start from XX.XX.XX/48003: before/connect initialization
    Feb 19 20:41:14:077 [11204] hub: SSL state (connect): before/connect initialization
    Feb 19 20:41:14:077 [11204] hub: SSL state (connect): SSLv3 write client hello A
    Feb 19 20:41:14:140 [11204] hub: SSL state (connect): SSLv3 read server hello A
    Feb 19 20:41:14:140 [11204] hub: SSL error with certificate at depth 1 error: certificate has expired (10)
    Feb 19 20:41:14:140 [11204] hub: issuer = /C=UN/ST=United States/L=United States/O=ACS/OU=ACS/emailAddress=XX.XX.XX.com/CN=Tunnel CA - XX.XX.XX
    Feb 19 20:41:14:140 [11204] hub: subject = /C=UN/ST=United States/L=United States/O=ACS/OU=ACS/emailAddress=XX.XX.XX.com/CN=Tunnel CA - XX.XX.XX
    Feb 19 20:41:14:140 [11204] hub: SSL alert (write): fatal: certificate expired
    Feb 19 20:41:14:140 [11204] hub: ssl_connect - SSL_connect error (1) on new SSL connection XX.XX.XX/48003
    Feb 19 20:41:14:140 [11204] hub: SSL_connect error occured
    Feb 19 20:41:14:140 [11204] hub: [1] error:0x14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Feb 19 20:41:14:140 [11204] hub: TSESS could not connect to tunnel XX.XX.XX/48003 (336134278)
    Feb 19 20:41:14:140 [11204] hub: CTRL connection error: certificate verify failed (134)
    Feb 19 20:41:14:140 [11204] hub: CTRL could not connect to server XX.XX.XX/48003
    Feb 19 20:41:14:140 [11204] hub: internal alarm - Connection error. SSL connection to (XX.XX.XX) failed. Reason: certificate verify failed, 5, XX.XX.XX
    Feb 19 20:41:14:140 [11204] hub: LOCK(sessctrl_thread:remove NIMSESS)
    Feb 19 20:41:14:140 [11204] hub: UNLOCK(sessctrl_thread:remove NIMSESS)
    Feb 19 20:41:14:140 [11204] hub: CTRL is waiting for 0 TSESS to terminate
    Feb 19 20:41:14:140 [11204] hub: LOCK(sessctrl_stop_sessions: remove sessions)
    Feb 19 20:41:14:140 [11204] hub: UNLOCK(sessctrl_stop_sessions: remove sessions)
    Feb 19 20:41:14:140 [11204] hub: CTRL waited 0 seconds for 0 TSESS to terminate
    Feb 19 20:41:14:140 [11204] hub: CTRL N/A is terminating with exit code 1

     

    Thanks in advance!!
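
As an added example (not part of the thread and not Broadcom's code), this Python snippet parses the hub log lines from the post above and reports which certificate in the chain OpenSSL rejected. In OpenSSL's verify output, depth 0 is the peer certificate and each higher depth is one step up the issuing chain; the function names here are hypothetical.

```python
import re

# Lines copied from the hub log in the first post (addresses were redacted there).
HUB_LOG = """\
Feb 19 20:41:14:140 [11204] hub: SSL state (connect): SSLv3 read server hello A
Feb 19 20:41:14:140 [11204] hub: SSL error with certificate at depth 1 error: certificate has expired (10)
Feb 19 20:41:14:140 [11204] hub: issuer = /C=UN/ST=United States/L=United States/O=ACS/OU=ACS/emailAddress=XX.XX.XX.com/CN=Tunnel CA - XX.XX.XX
Feb 19 20:41:14:140 [11204] hub: subject = /C=UN/ST=United States/L=United States/O=ACS/OU=ACS/emailAddress=XX.XX.XX.com/CN=Tunnel CA - XX.XX.XX
Feb 19 20:41:14:140 [11204] hub: SSL alert (write): fatal: certificate expired
"""

VERIFY_RE = re.compile(r"hub: SSL error with certificate at depth (\d+) error: (.+?) \((\d+)\)\s*$")
NAME_RE = re.compile(r"hub: (issuer|subject) = (.+?)\s*$")


def find_verify_failures(log_text):
    """Return one dict per verify error, with the issuer/subject lines logged after it."""
    failures, current = [], None
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            current = {"depth": int(m.group(1)), "reason": m.group(2),
                       "code": int(m.group(3)), "issuer": None, "subject": None}
            failures.append(current)
            continue
        m = NAME_RE.search(line)
        # Attach only the first issuer/subject pair that follows an error line.
        if m and current is not None and current[m.group(1)] is None:
            current[m.group(1)] = m.group(2)
    return failures


def describe(failure):
    """Say which certificate in the chain failed and whether it is self-issued."""
    depth = failure["depth"]
    where = ("peer (leaf) certificate" if depth == 0
             else f"CA certificate {depth} level(s) above the peer certificate")
    if failure["issuer"] is None or failure["subject"] is None:
        kind = "issuer/subject not logged"
    elif failure["issuer"] == failure["subject"]:
        kind = "self-issued (issuer == subject)"
    else:
        kind = "issued by a different CA"
    return f"{where}, {kind}: {failure['reason']} (verify error {failure['code']})"


if __name__ == "__main__":
    for failure in find_verify_failures(HUB_LOG):
        print(describe(failure))
```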



  • 2.  Re: Tunnel Status Error

    Broadcom Employee
    Posted Feb 19, 2019 09:55 PM

    Hi

    Are both hubs (the tunnel client and the server) the same version?

    Also, please check the time/date on both systems. Are they the same, especially the year?

    Also check

     

    https://comm.support.ca.com/kb/single-client-tunnel-can-not-connect-to-primary-hub/kb000034951



  • 3.  Re: Tunnel Status Error

    Posted Feb 19, 2019 11:07 PM

    Thank you Franklin, it's the same, and the tunnel status is showing connected for the secondary hub without any error, but not for the primary.



  • 4.  Re: Tunnel Status Error

    Broadcom Employee
    Posted Feb 19, 2019 11:33 PM

    Hi 

    Check to disable IP validation on hubs

    https://comm.support.ca.com/kb/how-do-i-disabled-ip-validation-for-the-hub/kb000038135

     

    Also check if "check_cn = no" on tunnel client

     

    Also check if any firewall in the network path is modifying the certificate

     

    https://comm.support.ca.com/kb/single-client-tunnel-can-not-connect-to-primary-hub/kb000034951



  • 5.  Re: Tunnel Status Error

    Posted Feb 20, 2019 02:09 AM

    Thanks Frank, "ignore_ip = yes" was already set and I modified (unchecked) Check Server common name but no luck, and moreover we are not using NAT IP here.



  • 6.  Re: Tunnel Status Error

    Broadcom Employee
    Posted Feb 20, 2019 01:53 AM

    Does the certificate still have time remaining before its expiration date?

     



  • 7.  Re: Tunnel Status Error

    Posted Feb 20, 2019 02:12 AM

    Yu_Ishitani, I have reissued the certificate and the expiry date is showing as
    Not expire before Tuesday Feb 19, 2019 03:00:49
    Not after Saturday, February 17, 2029 03:00:49



  • 8.  Re: Tunnel Status Error

    Posted Feb 26, 2019 02:33 AM

    Any other solution to fix the issue? Your help is much appreciated!!



  • 9.  Re: Tunnel Status Error

    Broadcom Employee
    Posted Feb 26, 2019 02:37 AM

    Sorry for the late response. Please log a case to engage support.