ERA Proxy Certificate Problem


Good afternoon,

We have a problem with one of our ERA Proxies; we have an ERA Server on another server.

Scope Time Text
Last replication 2017-Apr-05 14:11:03 Error: CReplicationManager: Replication (network) connection to 'host: "10.100.8.65" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.
Replication security 2017-Apr-05 14:11:03 Error: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x10000, X509CSF_PartialChain
  • Remote host: 10.100.8.65
  • Remote machine certificate is not trusted because signing certificates (CAs) are not trusted or found in system/proxy database
  • Check if signing certificate authority was used during installation of proxy or installed in system

I leave a screenshot of the error and the trace.log attached.

Era Server 10.100.8.65
Era Server 10.100.8.67

Regards!

 

 

 

 

trace.log

Picture 2017-04-05 13_10_36.png


  • ESET Staff

Technically, this error means that PROXY does not trust SERVER's certificate because it is missing the CA certificate that was used to sign the SERVER certificate. In the standard scenario, this CA certificate is part of the PROXY installation (provided as a parameter) and it is also distributed by SERVER itself.

You mentioned that only one proxy has problems. Is there any difference in configuration? Or has this PROXY never worked since it was installed? Have you made any changes to ERA certificates since installation, i.e. have you changed the SERVER certificate in the configuration, or have you removed or revoked any CA certificate?


  • ESET Staff
2 minutes ago, ernestodelisi said:

It is a new facility, with a new trust certificate. The CA used is the one that was created during the installation.

When installing PROXY, you have to provide the CA certificate that was used to sign the currently used SERVER certificate (not the CA certificate that was used to sign/create the PROXY certificate). From the screenshot it is not clear, but my guess is that the SERVER certificate was signed by the authority named "CA ERA Server", or maybe SERVER is still using the certificate created during installation, which was most probably signed by "ERA Certification authority"?

Could you please check the SERVER configuration (WebConsole -> Admin -> Server Settings) for the exact identification of the currently used certificate (beware that changes to this setting require a restart to take effect)? The matching CA certificate (issuer) has to be used to install PROXY. There does not seem to be a SERVER certificate in the certificate list you provided, which is non-standard and also prevents us from verifying what CA certificate it could possibly be using.


On 5/4/2017 at 2:42 PM, MartinK said:

When installing PROXY, you have to provide the CA certificate that was used to sign the currently used SERVER certificate (not the CA certificate that was used to sign/create the PROXY certificate). From the screenshot it is not clear, but my guess is that the SERVER certificate was signed by the authority named "CA ERA Server", or maybe SERVER is still using the certificate created during installation, which was most probably signed by "ERA Certification authority"?

Could you please check the SERVER configuration (WebConsole -> Admin -> Server Settings) for the exact identification of the currently used certificate (beware that changes to this setting require a restart to take effect)? The matching CA certificate (issuer) has to be used to install PROXY. There does not seem to be a SERVER certificate in the certificate list you provided, which is non-standard and also prevents us from verifying what CA certificate it could possibly be using.

Thank you, the problem is solved!

Picture 2017-04-11 12_30_14.png
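
Added example, not part of the thread and not ESET tooling: a shell check of the point made in the replies above, that the CA certificate given to PROXY must be the issuer of the certificate SERVER currently uses. It assumes both certificates are available as PEM files and that `openssl` is installed; `make_lab` builds constructed throwaway certificates, and every file name and CN here is a placeholder.

```shell
#!/bin/sh
# Usage (hypothetical file names): sh check_ca.sh ca.pem server.pem

# chain_ok CA_PEM CERT_PEM: succeeds only if CERT_PEM was signed by CA_PEM.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print issuer / subject DN in RFC 2253 form so the two can be compared as strings.
issuer_of() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 -issuer | sed 's/^issuer= *//'
}
subject_of() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 -subject | sed 's/^subject= *//'
}

# make_lab DIR: constructed test material. Two unrelated CAs and one server
# certificate signed by ca_server only, mirroring a deployment where the CA
# that issued the proxy certificate differs from the one that issued the
# server certificate.
make_lab() {
    d=$1
    for ca in ca_server ca_proxy; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=era-server.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca_server.pem" \
        -CAkey "$d/ca_server.key" -CAcreateserial -days 2 \
        -out "$d/server.pem" 2>/dev/null
}

# With two arguments, report on real files: CA first, server certificate second.
if [ "$#" -eq 2 ]; then
    echo "server certificate issuer: $(issuer_of "$2")"
    echo "CA certificate subject:    $(subject_of "$1")"
    if chain_ok "$1" "$2"; then
        echo "OK: this CA signed the server certificate"
    else
        echo "MISMATCH: this CA did not sign the server certificate"
    fi
fi
```

Calling `make_lab` on an empty directory and then `chain_ok` with `ca_proxy.pem` against `server.pem` fails the same way the proxy does in the log above: the issuer of the server certificate is not among the trusted CAs.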
