
We have an IBM Domino / Notes server that needs to connect to another server in our organization via HTTPS. A few days ago we changed the certificate on that server and loaded the new certificate onto the IBM server (into cacerts and into the Internet certificate list in IBM Administrator). Since then, we have had the following errors:

  1. Exception on HttpConnector.sendPostRequest with stack:

         javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 5950
             at com.ibm.jsse2.o.a(o.java:8)
             ...
             at http.HttpConnector.send(Unknown Source)
             at http.HttpConnector.sendPostRequest(Unknown Source)
         Caused by: java.security.cert.CertificateException: 5950
             at com.ibm.domino.napi.ssl.DominoX509TrustManager.checkServerTrusted(DominoX509TrustManager.java:98)
             at com.ibm.jsse2.lb.a(lb.java:30)
             ... 19 more

  2. Error in error-log-0.xml with text:

         Certificate with subject [certificate info, see further] is not trusted. Validation failed with error 5950.

But the certificate info is about the old certificate, the one that is not used anymore.

So, somehow, Domino thinks that it needs to use the old certificate, not the new one. But when I open the corresponding URL on the Domino server via a browser, it shows the new certificate.

What could the problem be, and how can I fix it? Thanks.

Ilya Skaba
  • Could you provide more information please? Check the hierarchy of both certificates; you need the key, the cert AND the chain (issuers) of both of them correctly configured. The error points to that with the word "trusted". – Carlos Garcia May 27 '19 at 08:26
  • @CarlosGarcia I've added the whole chain (certificate, issuers, CA) to cacerts and into Internet certificates in IBM Administrator. I also cross-certified the certificate. The error looks the same as here: https://serverfault.com/questions/505273/java-certificateexception-in-domino-9-when-trying-to-access-https-url . I did everything as in the answer, but the problem is still here. It's also strange that it keeps telling me about the old certificate, even though I'm using the new one everywhere. – Ilya Skaba May 27 '19 at 08:39
  • Here is the certificate chain that the server uses: https://www.sslshopper.com/ssl-checker.html#hostname=priem.tusur.ru/api/locman I've installed these certificates in cacerts and into Internet certificates. – Ilya Skaba May 27 '19 at 08:44
  • Don't know Domino at all, but what you definitely should not do is add the whole chain to `cacerts`. `cacerts` is for the root certificates ONLY. – Sergey Nudnov May 27 '19 at 15:54
  • 1
    Ok, the actual reason of error was in Diffie-Hellman parameter for DHE ciphersuites, (dhparam.pem), which was 4906 bytes long) – Ilya Skaba May 31 '19 at 09:27
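The last comment traces the 5950 error to the dhparam.pem used for DHE cipher suites rather than to the certificate chain. The script below is an added example (not code from the question or its commenters) that inspects such a file offline and reports the size of the DH group, so a defender can rule this in or out before touching the trust store. It assumes the standard PKCS#3 layout that `openssl dhparam` writes (a DER SEQUENCE of the prime and the generator inside a `DH PARAMETERS` PEM block); the sample PEM is constructed in code with a placeholder modulus that is not a real safe prime, and the `MIN_BITS` / `MAX_BITS` thresholds are assumed policy values, not figures from the page. It reports both the file size in bytes and the prime's bit length, since the two are easily confused when reading a comment like the one above.

```python
"""Report the Diffie-Hellman group size in an OpenSSL-style dhparam.pem.

Added example, not part of the original question. Parses the PKCS#3
DHParameter structure: SEQUENCE { prime INTEGER, base INTEGER }.
"""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S
)

# Assumed policy thresholds (not taken from the page): groups under MIN_BITS
# are weak; groups above MAX_BITS may be refused by older TLS stacks that cap
# the DH prime size they accept.
MIN_BITS = 2048
MAX_BITS = 4096


def _der_len(n: int) -> bytes:
    """DER length encoding (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER; the extra byte keeps a leading 0x00 when the high bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p: int, g: int) -> str:
    """Write a DH PARAMETERS PEM block (used here only to build the sample)."""
    seq_body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq_body)) + seq_body
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem: str) -> dict:
    """Extract prime bit length, generator and encoded sizes from a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at top level")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    tag, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER generator")
    p = int.from_bytes(p_bytes, "big")
    g = int.from_bytes(g_bytes, "big")
    return {
        "prime_bits": p.bit_length(),
        "generator": g,
        "der_bytes": len(der),
        "pem_bytes": len(pem.encode("ascii")),
    }


def assess(info: dict) -> str:
    """Classify the group against the assumed thresholds."""
    bits = info["prime_bits"]
    if bits < MIN_BITS:
        return "weak"
    if bits > MAX_BITS:
        return "oversized"
    return "ok"


# Constructed sample: a 2048-bit odd modulus that is NOT a real safe prime,
# present only so the parser has something to read when run without arguments.
SAMPLE_PEM = encode_dh_params((1 << 2047) | 1, 2)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    result = parse_dh_params(text)
    print(f"prime: {result['prime_bits']} bits, generator: {result['generator']}, "
          f"DER: {result['der_bytes']} bytes, PEM: {result['pem_bytes']} bytes "
          f"-> {assess(result)}")
```

Run it as `python dhcheck.py /path/to/dhparam.pem` (a hypothetical file name) on the server's real parameters; if the group is outside what the connecting Java runtime accepts, regenerating it at a supported size or preferring ECDHE suites on the server side is the fix to evaluate, and the certificate chain can be left alone.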
