Symantec Access Management

  • 1.  Certificate validation failed with message: Could not validate path.

    Posted Sep 18, 2017 10:27 AM

    Hi

    I am configuring a reverse proxy for the Tableau application in CA Access Gateway R12.52.

    I am getting the below error:

     

    Can you tell what could be the issue?

    Please note that the root and intermediate certificates of the backend certificate chain are present in cabundle.crt

     

    SPSTrace.log

    Certificate for *** is not trusted or bad certificate

     

    Server.log:

    [18/Sep/2017:08:19:52-169] [INFO] - Certificate validation failed with message: Could not validate path.
    [18/Sep/2017:08:19:52-169] [INFO] - Cert chain (length 1) subjects:
    [18/Sep/2017:08:19:52-169] [INFO] - CN=*.***.com, O=***, L=Atlanta, ST=Georgia, C=US
    [18/Sep/2017:08:19:52-169] [INFO] - ***SEND Alert Fatal, Bad Certificate
    [18/Sep/2017:08:19:52-169] [INFO] - ***ENCRYPT: Plaintext (2): [
    0000: 02 2a [.* ]
    ]
    [18/Sep/2017:08:19:52-169] [INFO] - ***ENCRYPT: Ciphertext (2): [
    0000: 02 2a [.* ]
    ]
    [18/Sep/2017:08:19:52-242] [INFO] - Extended Random: [ Empty ]
    [18/Sep/2017:08:19:52-242] [INFO] - Record sent (83): [
    0000: 01 00 00 4f 03 01 59 bf b9 e8 3a 48 ec 68 67 f2 [...O..Y...:H.hg.]
    0010: ed bb be 2e 9e ee fc 53 9d 14 fd f4 30 23 dd cd [.......S....0#..]
    0020: 7b 08 11 df 02 46 00 00 28 00 38 00 39 00 35 00 [{....F..(.8.9.5.]
    0030: 36 00 37 00 32 00 33 00 2f 00 30 00 31 00 13 00 [6.7.2.3./.0.1...]
    0040: 16 00 0a 00 0d 00 01 00 04 00 09 00 03 00 06 00 [................]
    0050: ff 01 00 [... ]
    ]
    [18/Sep/2017:08:19:52-242] [INFO] - ***WRITE ClientHello
    [18/Sep/2017:08:19:52-242] [INFO] - ProtocolVersion: TLSv1
    [18/Sep/2017:08:19:52-242] [INFO] - Client Random: [

    Certificate validation failed with message: Could not validate path.

     

    Regards

    Rikash



  • 2.  Re: Certificate validation failed with message: Could not validate path.

    Posted Sep 18, 2017 12:30 PM

    This is a generic error. I did a google search for this error and results were interesting.

     

    For example:

    https://support.microsoft.com/en-us/help/2831004/certificate-validation-fails-when-a-certificate-has-multiple-trusted-c

     

    I would start by looking at the CA AG configuration files i.e. httpd-ssl.conf within <SPS_HOME>/secure-proxy/httpd/conf/extra

     

    Can we start by creating a new file which holds just the RootCA and IntermediateCA, then replace SSLCACertificateFile filename from cacert.bundle to the new filename. Restart CA AG, then test.



  • 3.  Re: Certificate validation failed with message: Could not validate path.

    Posted Sep 19, 2017 08:08 AM

    Hi Hubert,

     

    I created a separate file and added the root and intermediate certs: intermediate1->root1, intermediate2->root1.

    Pointed this file to SSLCACertificateFile in httpd-ssl.conf and restarted AG, but it is still not working.

     

    Please note that we have one root and two intermediate certs.

     

    Regards

    Rikash



  • 4.  Re: Certificate validation failed with message: Could not validate path.

    Posted Sep 19, 2017 09:59 AM

    Perspective-1 :

     

    Primarily we are looking at the following parameters in <SPS_HOME>/secure-proxy/httpd/conf/extra/httpd-ssl.conf

     

    SSLCACertificatePath "/smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/SSL/certs"
    SSLCACertificateFile "/smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/SSL/certs/rootBundle.cert"

     

    #SSLCertificateChainFile "/smuser_home/programfiles/CA-secure-proxy-server-1/secure-proxy/SSL/certs/ca.crt"

     

     

    SSLCertificateChainFile is obsolete or deprecated after 2.4.8. We can check the version of Apache being shipped with CA AG by going to <SPS_HOME>/secure-proxy/httpd/bin and running "./httpd -V" (source the ca_sps_env.sh first).

     

    Thus when we add the intermediate CA certs to "SSLCACertificateFile" they should be added in a particular format, i.e. "sorted from leaf to root". In our case the Intermediate Certificate signing the Server Certificate should be first, followed by the other intermediate CA and lastly the Root CA.

     

    Perspective-2 :

     

    Steps to enable server logs in debug mode -


    Go to SPS_HOME\secure-proxy\Tomcat\properties\logger.properties and modify the following lines from
    log4j.rootCategory=INFO,SvrFileAppender
    to
    log4j.rootCategory=ALL,SvrFileAppender

     

    Let us now see if we get a few more lines in the server.log to see what exactly the issue could be.

     

     

    Perspective-3 :

     

    If we intend to raise a support case, then also run a strace and upload the strace output e.g. "strace -Ff -t -i -v -o strace.log -s 16384 <command>".

    strace -Ff -t -i -v -o strace.log -s 16384 ./sps-ctl startssl

     

     

    Regards

    Hubert
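An added example, not from this thread and not CA/Broadcom code: a POSIX shell script that builds a throwaway PKI shaped like the one described above (one root, two intermediates both issued by the root, a wildcard server certificate issued by the second intermediate) and then uses the openssl CLI to reproduce the situation in the server.log excerpt. "Cert chain (length 1)" means the backend sent only its leaf certificate, so validation succeeds only if the proxy's CA bundle itself contains the issuing intermediate (or the backend starts sending it). The bundle is assembled in the leaf-to-root order Hubert recommends. All subjects, file names and the *.example.test name are constructed; the script assumes an openssl CLI (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added demo (not from the thread): show why a backend that sends only its leaf
# certificate fails path validation unless the CA bundle holds the issuing
# intermediate. Everything below is generated into a temporary directory.
set -eu

WORK="${TMPDIR:-/tmp}/chain-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: an empty DN section (subjects come from -subj) plus
# the extension sets for CA certificates and for the server (leaf) certificate.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test
EOF

# new_key_and_csr NAME SUBJECT: P-256 key and CSR (constructed names, fast to generate).
new_key_and_csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign_csr NAME ISSUER EXTSECTION: issue NAME's CSR with ISSUER's key.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAserial "$WORK/$2.srl" -CAcreateserial -days 2 \
    -extfile "$WORK/req.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_demo_pki() {
  # Self-signed root, two intermediates under it, leaf issued by intermediate 2
  # (mirrors "intermediate1->root1, intermediate2->root1" from the thread).
  openssl req -x509 -config "$WORK/req.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
    -subj "/O=Demo/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  new_key_and_csr int1 "/O=Demo/CN=Demo Intermediate 1"; sign_csr int1 root ca_ext
  new_key_and_csr int2 "/O=Demo/CN=Demo Intermediate 2"; sign_csr int2 root ca_ext
  new_key_and_csr leaf "/C=US/ST=Georgia/L=Atlanta/O=Demo/CN=*.example.test"
  sign_csr leaf int2 leaf_ext

  # Three candidate CA bundles for the proxy's SSLCACertificateFile:
  cat "$WORK/root.crt" > "$WORK/root_only.pem"
  cat "$WORK/int1.crt" "$WORK/root.crt" > "$WORK/wrong_intermediate.pem"
  # leaf-to-root order: issuing intermediate, other intermediate, root
  cat "$WORK/int2.crt" "$WORK/int1.crt" "$WORK/root.crt" > "$WORK/leaf_to_root.pem"
}

# chain_verifies BUNDLE: exit 0 if the leaf, presented alone (chain length 1),
# validates against $WORK/BUNDLE.pem.
chain_verifies() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}

# chain_verifies_with_sent_intermediate BUNDLE: same check, but as if the
# backend had sent its intermediate in the handshake (-untrusted = received chain).
chain_verifies_with_sent_intermediate() {
  openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/int2.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

report() {
  if chain_verifies "$1"; then
    echo "$1: OK"
  else
    reason=$(openssl verify -CAfile "$WORK/$1.pem" "$WORK/leaf.crt" 2>&1 | grep 'lookup' || true)
    echo "$1: FAILED ($reason)"
  fi
}

build_demo_pki
report root_only            # fails: unable to get local issuer certificate
report wrong_intermediate   # fails: int1 did not issue the leaf
report leaf_to_root         # OK: issuing intermediate present in the bundle
if chain_verifies_with_sent_intermediate root_only; then
  echo "root_only + intermediate sent by backend: OK"
fi
```

The first two failures are the same "Could not validate path" situation as the thread: the proxy sees a one-certificate chain and has no certificate in its bundle whose subject matches the leaf's issuer. Either fix resolves it: put the issuing intermediate into the bundle (third case), or have the backend send its intermediate in the handshake (last case). A quick way to see which chain a real backend sends is `openssl s_client -connect host:port -showcerts`.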