Symantec Access Management


SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

  • 1.  SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted Apr 14, 2015 01:36 PM

    Hello,

    I had a server with SPS 12.52 running and handling requests for two sites fine.  I upgraded to SPS 12.52 SP01 CR01 and suddenly one of the sites is giving a Noodle_GenericException. When I enabled the custom errors and was able to see the stack, it says it is a "com.rsa.ssl.SSLException: Certificate for  is not trusted or bad certificate".

    The certificate on the client server is fine as far as I can tell.  The server was working fine with it before the upgrade.  I'm pretty certain I've got all the CA and Intermediate certs in the ca-bundle.cert file, as the second site is working fine and it contains the same kind of certificate.

    I also installed the 12.52 SP01 CR01 version completely fresh on a second instance and set everything up again to test, just in case something had been changed or reverted during the upgrade process. I get the same results.

    I was wondering if anybody else has experienced this issue, or if somebody can suggest something.  I've looked through the logs and tried to set them to give me more information, but all I really get is the fact that the cert is bad or untrusted.

    I can try to provide more information if needed.

    Thanks,

    Chris.



  • 2.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted Apr 14, 2015 04:16 PM

    Convert the end point application (the application you are forwarding/redirecting the requests to) certificates to PEM format and add them to the CA-cert bundle.



  • 3.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted Apr 15, 2015 10:08 AM

    Thanks for the suggestion, but I believe they are already in PEM format.  I checked them with a text editor and they begin with:

    -----BEGIN CERTIFICATE-----

    which I believe is PEM format.  I also have them in the ca-bundle file.  The CA and Intermediates are also the same.  Yet, I'm still getting these errors.

    Thanks.



  • 4.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted Apr 15, 2015 01:15 PM

    Does the FQDN for which the certificate was issued match the FQDN in the Proxy Rules, and is the backend server listening on that FQDN only?

    For e.g. the certificate was generated for hostname.xyz.com. However, the proxy rules have http://hostname OR the server is listening only on hostname (instead of the FQDN).

    Regards

    Hubert



  • 5.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted Apr 15, 2015 04:48 PM

    Hubert,

    Thanks for replying to my post.  For the two sites that I'm having the issue with, yes, everything matches up.  The really weird fact that I didn't mention, because I didn't want to distract, was that the one site that is working has a cert with a completely different name, but has a DNS alias.  That is to say, the server has a cert with a CN of, say, xyz.stage.company.com.  We have a DNS alias entry called zzz.stage.company.com that is used in the proxy rules and it's working fine.

    I'm currently in the process of bringing up a new server with just plain 12.52 again to see if it starts working again.  I'll post the results.

    Thanks again for the input.



  • 6.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted May 11, 2015 03:39 PM

    I am getting the same error as well. Any update on your end?



  • 7.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted May 11, 2015 04:39 PM

    Daniel,

    After some investigation and a talk with another person in our organization who is using SPS, here's what we discovered:

    Our SPS server was set to use SSLv3 as the SSL protocol, but the target server was set to use TLSv1.1 or TLSv1.2 (I can't remember which at the moment).  We had upgraded our SPS server from plain 12.52 to 12.52 SP01 CR01 because we were informed that plain 12.52 used a version of OpenSSL that contained a vulnerability and that 12.52 SP01 CR01 would patch that vulnerability.  It does, but in doing so it also appears to break using TLSv1.1 or TLSv1.2.  When we use SSLv3 or TLSv1 as the protocol, things work fine.

    I discovered all this after we realized we were using TLSv1.1 (or TLSv1.2) and I went looking for info on configuring SPS and stumbled onto this:

    https://communities.ca.com/ideas/235721409

    It appears as if CA knows about the issue and is working at getting a fix into the next release.  I'm not certain if this is the cause of your errors, but it's worth looking into if you've already made certain your certs are good and everything else is working.

    Thanks,

    Chris.



  • 8.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted Oct 20, 2016 10:53 AM

    Hi, I am also facing this issue after upgrading to R12.52 SP01 CR06. Is the issue fixed? If yes, what is the resolution?

    Thanks.



  • 9.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted Oct 20, 2016 01:56 PM

    Hi Rikash,

    I would suggest enabling the SSL debugging on SPS as per Mark's comment in this thread:

    https://communities.ca.com/thread/241732617

    That would give you a better idea of the root cause of that error.

    Was this working prior to the CR6 upgrade, or has it never worked?

    Cheers,

    Ujwol



  • 10.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted Oct 21, 2016 02:36 PM

    Hello,

    I had a similar issue and it was resolved. You can try:

    1. Run wget https://backendurl.com:port to see if it throws any cert error.

    2. If it does, add the root and intermediate cert of backendurl.com to ca-bundle.cert.

    3. Make sure correct permissions are given.

    4. Access https://backendurl.com in a browser, export the cert and compare that it's the same one installed.

    5. Check that the US_Policy and Local_Policy jars are up to date; if not, update them. This requires a proxy restart.

    Thank you,

    Raja Shravan



  • 11.  Re: SPS 12.52 SP01 CR01 - Bad or Untrusted Certificate

    Posted Nov 01, 2016 08:55 AM

    Hi Raja,

    I followed the steps that you mentioned, but the same issue is still there.

    1. The backend URL is not throwing any certificate error; it's working fine.

    2. Added the root and intermediate certificate to ca-bundle.cert.

    3. We have a Windows platform.

    4. Both US_Policy and Local_Policy jars are updated.

    Restarted Proxy.

    Please note that we have an F5 Load Balancer in front of the application servers and we have configured the F5 URL in SPS.

    Any hint what is causing this issue?

    Regards,

    Rikash