SSL error when connecting to web service - Forum - OpenEdge Development - Progress Community

SSL error when connecting to web service

 Forum

SSL error when connecting to web service

  • Hi there. I'm trying to connect to a secured web service like:

    hWebService:CONNECT("-WSDL 'https://<server>/EWS/Services.wsdl') .

    But I get the following error:

    "

    Secure Socket Layer (SSL) failure, error code -54: unable to get local issuer

    certificate: for 7999be0d.0 in C:\Progress\OpenEdge\certs (9318)

    "

    Then:

    "

    Connection failure for host myserver port 443 transport HTTPS.

    (9407)

    "
    I have also imported the certicate in certs folder of progress but still I am getting the error.
    Any has solution to this problem??

  • The answer is that the $DLC/certs directory must contain a file 7999be0d.0.   If $DLC/certs does not contain 7999be0d.0, you have not imported the correct certificates for the web server hosting the WSDL document.

    The (9407) error is expected if you get the (9318) error.

  • I have that file in $dlc\certs folder. Still I have the same problem.

    I have used this command:

    certutil -import path_to_cert/certifcate.pem

  • What process did you follow to get the certificate 799be0d.0 into the $DLC/certs directory? The error is insisting that the file does not exist or its contents are invalid.

  • Hi there!

    I have the same problem. Is there any decision of the problem?

    I'm trying to connect to MS Exchange 2010 web services, using this code:

    DEFINE VARIABLE hWebService AS HANDLE.

    DEFINE VARIABLE errmsg AS CHARACTER NO-UNDO INIT "SERVER NOT CONNECTED~n".

    DEFINE VARIABLE i AS INTEGER NO-UNDO.

        CREATE SERVER hWebService.

        hWebService:CONNECT("-WSDLUserid 'usr' -WSDLPassword 'pwd' -WSDL 'https://exchange-test/ews/Exchange.asmx?wsdl' ") NO-ERROR.

        IF NOT hWebService:CONNECTED() THEN DO:

            DO i = 1 TO ERROR-STATUS:NUM-MESSAGES:

                errmsg = errmsg + ERROR-STATUS:GET-MESSAGE(i) + '~n'.

            END.

            MESSAGE errmsg VIEW-AS ALERT-BOX ERROR.

            STOP.

        END.

        MESSAGE 'connected' VIEW-AS ALERT-BOX.

        hWebService:DISCONNECT().

        DELETE OBJECT hWebService.

    I've got the following error messages:

    Secure Socket Layer (SSL) failure. error code -54:  unable to get local issuer certificate: for 1573732e.0 in C:\Progress\OE102b\certs (9318)

    Connection failure for host exchange-test port 443 transport HTTPS. (9407)

    Error loading WSDL document  https://exchange-test/ews/Exchange.asmx?wsdl : Fatal Error: connect operation failed (WinSock reported error=0) (11748)

    I've imported sertificate in my $DLC\certs folder using either

    mkhashfile .pem

    and

    certutil -format PEM -import .pem

    I've obtain .pem next ways:

    - copy to file from Internet Explorer on my local machine;

    - export from Mozzila on MS Exchange Server machine;

    - export from mmc on MS Exchange Server machine.

    Every time the same result.

    Help, please! :-)

    I'm using OE 10.2b on Windows XP Pro SP3 and MS Exchange server 2010 ver. 14.02.0283.003 on Windows Server 2008 R2 SP1

  • It appears that from the error you are still missing a certificate in the $DLC/certs directory. 

    It is possible that you are connecting to a web server that uses a chain of certificates.  If that is the case, you may have to import multiple certificates into $DLC/certs using certutil.  The trick is to discover which one is missing.  Debugging a missing certificate can be somewhat complicated and I am not sure this forum is the right place to go into that process.  But you can start by ensuring that certutil -import created a file 1573732e.0.  AFter that you will have to debug the certificate validation process used in your ABL client.

  • Thank you, Michael, for the fast response!

    Here is the sslc utility info obtained by the following command:

    sslc s_client -connect 10.10.1.100/ews/Exchange.asmx?wsdl:443 -showcerts -CApath c:\Progress\OE102b\certs

    That's the result:

    Loading 'screen' into random state - done

    CONNECTED(00000778)

    depth=0 /CN=exchange-test

    verify error:num=20:unable to get local issuer certificate

    verify return:1

    depth=0 /CN=exchange-test

    verify error:num=21:unable to verify the first certificate

    verify return:1

    ---

    Certificate chain

    0 s:/CN=exchange-test

       i:/CN=exchange-test

    -----BEGIN CERTIFICATE-----

    MIIDI.......................

    MRYwF.......................

    MTExN.......................

    AQEBB.......................

    Zqj2a.......................

    3ETK+.......................

    kGV/2.......................

    +r2X2.......................

    QrV8f.......................

    VR0PA.......................

    LXRlc.......................

    MAAwD.......................

    nhurN.......................

    OKv3C.......................

    GFpKr.......................

    +yN14.......................

    wurcv.......................

    -----END CERTIFICATE-----

    ---

    Server certificate

    subject=/CN=exchange-test

    issuer=/CN=exchange-test

    ---

    No client certificate CA names sent

    ---

    SSL handshake has read 958 bytes and written 444 bytes

    ---

    New, TLSv1/SSLv3, Cipher is AES128-SHA

    Server public key is 2048 bit

    Compression: NONE

    Expansion: NONE

    SSL-Session:

        Protocol  : TLSv1

        Cipher    : AES128-SHA

        Session-ID: AF0100004..............................

        Session-ID-ctx:

        Master-Key: C39A667..................................................

        Key-Arg   : None

        Start Time: 1333696754

        Timeout   : 300 (sec)

        Verify return code: 21 (unable to verify the first certificate)

    ---

    read:errno=10054

    proenv>

    Here is some certificate info viewed by Internet Explorer:

    General tab:

    This certificate is intended for the following purposes:

    - Ensures the identity of a remote computer

    - All issuance policies

    Issued to: exchange-test

    Issued by: exchange-test

    Certification path tab:

    exchange-test

    Concerning the file 1573732e.0 - it is present in $DLC\certs directory and also the pem file (exchange-test.pem) is there. 

    Is this enought to determine the problem?

  • You provided exactly the right information to start debugging.
    Just to double check - when you list the 1573732e certificate ( certutil -list 1573732e ) you see the subject and issuer fields as "/CN=exchange-test".  You have probably already done this, but I had make sure.  
    One possible solution is to add '-nohostverify' to the web service CONNECT.  OE may be complaining about the IP address of the server not matching the CN in the server's certificate.
    Another possiblity may be that the PKCS certificate validation standard is to ridgid for the test certificate you are using.   Less of a possibility - but you could try adding '-sslverify 1' to the startup options.
    After that - we're into reams of not very pretty OE logging.  I would suggest trying the simple things first before resorting to the debug logging.
  • Hallo, Michael!

    Here is the command prompt for certutil -list command:

    proenv>certutil -list 1573732e

    Certificate store entry: 1573732e

    Certificate:

    subject= /CN=exchange-test

    issuer= /CN=exchange-test

    notBefore=Mar 21 11:41:00 2012 GMT

    notAfter=Mar 21 11:41:00 2017 GMT

    In the CONNECT method I use the host name like this:

    hWebService:CONNECT("-WSDLUserid 'usr' -WSDLPassword 'pwd' -WSDL 'https://exchange-test/ews/Exchange.asmx?wsdl' ") NO-ERROR.

    In my hosts file I have defined host like this:

    10.10.1.100     exchange-test

    I've tried this one:

    hWebService:CONNECT("-WSDLUserid 'usr' -WSDLPassword 'pwd' -nohostverify -WSDL 'https://10.10.1.100/ews/Exchange.asmx?wsdl' ") NO-ERROR.

    but the result is "not connected" and errors are the same.

    Excuse me, but i can't understand to which startup options to add '-sslverify 1'. Please explain!

    Thank you again for the fast reply! I appreciate your help very much! Thank you! :-)

  • Add "-sslverify 1" to the ABL session's startup parameters.  I was not very specific.

    The SSL certificate verification gets the peer's dns name and looks for it in the server certificate's "CN" field.  So it should be looking for "exchange-test".

  • Adding "-sslverify 1" to ABL session startup parameters does not help. The errors are the same.

    I'll chek certificates on server machine on monday.

    Thank you Michael!

    Have a nice weekend!  :-)

  • The last -best- idea is to turn on the SSL connection tracing.   Tons of ugly SSL detail about the certificate verification process.  If you can get the log information - do not post it here.  E-mail me.

    Set the environment variable before you run your start the ABL test procedure that connects to the WebService...

       set SSLSYS_DEBUG_LOGGING=5 ; export SSLSYS_DEBUG_LOGGING

    Hopefully this will tell us something useful.

  • Hi ,

    I have the exact same issue with . May I know if this issue have been resolved and I would like to know the solutions to it. Thank you.

  • Hello,

    nborshukov has not responded to tell us whether they solved their problem or not, and I have had no private conversation with them outside this forum.   Based on the date of the last post, I am assuming their problem was resolved.

    To recap: the two biggest errors people make is not having the right ROOT and/or intermediate CA certificates registered in the client's $DLC/certs with the certutil utility (including self-signed), and in creating a certificates without the server's legal DNS name in the certificate's CN subfield of the subject field.   Please check that you have met both of these requirements.

  • Hi ,

    Thanks for your quick reply.

    It seems to me that I have a certificate chain issue. I am using a self-signed certificate.

    I wanted to connect my Progress client application to OE 10.2B AppServer through secured AIA (HTTPS) but encountered these error messages:

    Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate: for 273e6043.0 in C:\PROGRESS\OE102B\certs (9318)

    Connection failure for host ttl port 443 transport HTTPS. (9407)

    Application server connect failure. (5468)

    If connecting through HTTP is fine.

    I further tested with the provided AIA Java servlet to test for HTTPS with success:

    Aia1 OK

    Connection Pool (numCurrentConnections=0, numTotalConnections=0)

    This is my appsrvtt.d setup:

    "busObj" "ttl" "" yes no "" "busObjXYZ" "A" "https://ttl/aia/Aia?AppService=busObjXYZ"

    I ran sslc command to test my certificate:

    proenv> sslc s_client -connect ttl:443 -showcerts -CApath c:\progress\oe102b\certs

    My results:

    Loading 'screen' into random state - done
    CONNECTED(00000160)
    depth=0 /CN=ttl.xyz.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /CN=ttl.xyz.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/CN=ttl.xyz.com
       i:/CN=ttl.xyz.com
    -----BEGIN CERTIFICATE-----
    MII...
    MSA...
    NTN...
    bXM...
    USM...
    ETR...
    ZQh...
    am/...
    Rsp...
    fcL...
    AwE...
    Tzd...
    8M3...
    DoB...
    RKq...
    kub...
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/CN=ttl.xyz.com
    issuer=/CN=ttl.xyz.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 910 bytes and written 444 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 2048 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES128-SHA
        Session-ID: 733...
        Session-ID-ctx:
        Master-Key: B1E...
        Key-Arg   : None
        Start Time: 1392696458
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    read:errno=10054

    I have imported the correct certificate into my progress "certs" folder.

    Do you have any advice?

    Meantime I'll find out how I can debug from a certificate chain.

    Thanks in advance.