4

We are getting this error

"BW-HTTP-100300 Job-29000 Error in [Processes/Services/HTTP Request/Process Definition.process/Send HTTP Request] An IOException was thrown while trying to execute the Http method caused by: java.io.IOException: Failed to create secure client socket: Server certificate rejected by ChainVerifier"

I have done the following:

1. Created send http request.
2. Configured everything in the Configuration tab and the Input tabs.
3. Created Identity and imported the same into Identity.
4. Downloaded the certificate and imported it into 'Configure SSL'.
5. While running the process I get the error mentioned above.

Am I missing anything? Please provide me some guidance. Thanks in advance.

Ken White
xxxxxuser

2 Answers

5

Downloading the server certificate is not enough; you need to download the whole certificate chain from the root CA down to the server cert.

[Image: certificate chain]

In the above example, you need to download all certs (except the last one, mail.google.com, which is optional) and add them to your trusted certificates folder.

Nicolas Heitz
  • I have downloaded the certificates from the web browser from where the service was responding correctly. The names of the certificates are the following: 1) Thawte SGC CA - G2 2) VeriSign Class 3 Public Primary Certification Authority - G5 3) *_wvi_org. We imported all three certificates to our tibco project then and used it but it still shows the same error. Is there any sequence in which we need to import our certificates? – xxxxxuser Aug 08 '14 at 09:29
  • The import sequence doesn't matter. Have you tried using OpenSSL to download the cert chain? You might be missing one. Try `openssl s_client -showcerts -connect <host>:<port>`. Also, make sure the certs are in PEM (i.e. base64) format. Are you accessing the remote server directly or through a proxy? – Nicolas Heitz Aug 08 '14 at 09:55
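
An added example, not part of the original answer or comments: it reads the `Certificate chain` section that `openssl s_client -showcerts` prints and lists the issuers the server did not send, which are the certificates that still have to be placed in the trusted certificates folder. The sample output and every name in it are constructed, and matching is by subject/issuer name only, not by signature.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; all names are made up for illustration.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=*.example.org
   i:/C=US/O=Example Trust/CN=Example Issuing CA G2
 1 s:/C=US/O=Example Trust/CN=Example Issuing CA G2
   i:/C=US/O=Example Trust/CN=Example Root CA G5
---
Server certificate
subject=/C=US/O=Example Org/CN=*.example.org
issuer=/C=US/O=Example Trust/CN=Example Issuing CA G2
---
"""

# "<depth> s:<subject>" on one line, "i:<issuer>" on the next.
ENTRY = re.compile(
    r"^[ \t]*(\d+)[ \t]+s:[ \t]*(.+?)[ \t]*\n[ \t]+i:[ \t]*(.+?)[ \t]*$",
    re.MULTILINE,
)


def parse_chain(s_client_output):
    """Return [(depth, subject, issuer), ...] for the certs the server sent."""
    return [(int(d), s, i) for d, s, i in ENTRY.findall(s_client_output)]


def analyse_chain(s_client_output):
    """Report broken links and issuers that were not sent by the server."""
    chain = parse_chain(s_client_output)
    subjects = {subject for _, subject, _ in chain}
    # Each cert should be issued by the next cert in the list.
    broken = [(depth, issuer)
              for (depth, _, issuer), (_, nxt, _) in zip(chain, chain[1:])
              if issuer != nxt]
    # An issuer that is nobody's subject was not sent (usually the root CA),
    # so it must come from the client's own trusted certificates.
    missing = sorted({i for _, _, i in chain if i not in subjects})
    return {
        "sent": [s for _, s, _ in chain],
        "broken_links": broken,
        "missing_issuers": missing,
        "root_included": any(s == i for _, s, i in chain),
    }
```
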
2

Have you enabled the VerifyHostName option while making the connection? If yes, then the server name should be in the allowed list too. In most cases you don't need this option enabled.

Ankur Jain