Bad SSL certificate for channel '????'.
RimRim (Newbie; Joined: 18 Jan 2023; Posts: 5)
Posted: Tue Jan 24, 2023 6:14 pm    Post subject: Bad SSL certificate for channel '????'.
I am facing an SSL error when trying to connect from QM1 to QM2. There are a few other channels running from QM1 to other QMGRs, and server-conn channels as well. But particularly for 2 QMGRs, when trying to connect from QM1, I am facing this error:

Bad SSL certificate for channel '????'.

A certificate encountered during SSL handshaking is regarded as bad for one of the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked
(f) the keysize of the certificate is too small for the configured limit (MinimumRSAKeySize)

The channel is '????'; in some cases its name cannot be determined and so is shown as '????'. The remote host is 'XXXXXX'. The channel did not start.

The details of the certificate which could not be validated are '[Class=]GSKVALMethod::X509
[Issuer=]CN=XXXXXX,
DC=xxx,DC=xxxxxxx,DC=net[#=]7700000733bgh8ewdedaasdadc604768720002733
[Subject=]CN=ibmwebspheremqqm1,OU=MQ,O=XXXXX,L=XXX,C=XX
[Class=]GSKVALMethod::X509[Issuer=]CN=XXXXXXX'.

The certificate validation error was 575032.

Check which of the possible causes applies on your system. Correct the error, and restart the channel.

This error might indicate that the remote end of the channel is configured to send the wrong certificate. Check the certificate label configuration at the remote end of the channel and ensure that the local key repository contains all of the necessary CA certificates.

The certificate validation error was 575032 - The certificate is revoked.

Not sure how come 575032, as from the same qmgr, channels to other qmgrs are running, whereas to the specific QM2 it is not working. Kindly provide your inputs.
RimRim (Newbie; Joined: 18 Jan 2023; Posts: 5)
Posted: Tue Jan 24, 2023 7:09 pm
Tried possible ways and it's working:
1. disabling SSL at both ends.
2. disabling SSLCIPH and enabling SSLPEER at both ends.

When enabling SSLCIPH with the below values, the channel goes to retrying with the bad SSL cert error.
ECDHE_ECDSA_AES_256_GCM_SHA384
ECDHE_ECDSA_AES_256_CBC_SHA384
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256

Both qmgrs are version 9.2.0.4, so I guess SSLCIPH is the issue, whereas other channels from these qmgrs are using the above SSLCIPH values and working.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20767; Location: LI,NY)
Posted: Wed Jan 25, 2023 12:19 am
Are you trying to run an Elliptic Curve Cipher with an RSA certificate? Or a TLS 1.3 cipher against a TLS 1.2 cipher?
_________________
MQ & Broker admin
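The two mismatches fjb_saper asks about can be checked before touching the channel. The following is an added example, not code from the thread or from IBM MQ: a POSIX shell script that uses the openssl command line tool to read the key type out of a certificate and compare it with what a CipherSpec name demands. It generates one RSA and one EC self-signed certificate (constructed here, with the subject from the thread; they are not the poster's certificates) and tries each of the four CipherSpecs from the earlier post against both. The mapping follows TLS cipher suite naming: ECDHE_ECDSA_* suites need an EC (ECDSA) certificate, ECDHE_RSA_* and TLS_RSA_* suites need an RSA certificate, and the TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) do not fix the certificate type in their name but need TLS 1.3 at both ends. The function names and the temporary directory are the example's own. Whatever CipherSpec is chosen, SSLCIPH has to be the same at both ends of an MQ channel, so the check applies to the certificate each side presents.

```sh
#!/bin/sh
# Added example, not code from the thread or from IBM MQ: does an MQ CipherSpec
# fit the key type of the certificate that the channel will present?
# Needs the openssl command line tool.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificates: one RSA, one EC (P-256), subject as in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rsa.key" -out "$WORK/rsa.pem" \
  -subj "/C=XX/O=XXXXX/OU=MQ/CN=ibmwebspheremqqm1" -days 30 2>/dev/null
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/ec.key" -out "$WORK/ec.pem" \
  -subj "/C=XX/O=XXXXX/OU=MQ/CN=ibmwebspheremqqm1" -days 30 2>/dev/null

# Key type (RSA, EC or UNKNOWN) of a PEM certificate, taken from openssl's text dump.
cert_key_type() {   # $1 = PEM certificate
  alg=$(openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  case "$alg" in
    rsaEncryption)  echo RSA ;;
    id-ecPublicKey) echo EC ;;
    *)              echo UNKNOWN ;;
  esac
}

# Key type a CipherSpec needs from the local certificate, by TLS suite naming:
# the signature algorithm in an ECDHE_* name is the certificate's key type,
# TLS_RSA_* suites use the RSA key itself for key exchange, and TLS 1.3 suites
# (TLS_AES_*, TLS_CHACHA20_*) leave the certificate type open.
cipherspec_key_type() {   # $1 = MQ CipherSpec name
  case "$1" in
    ECDHE_ECDSA_*)            echo EC ;;
    ECDHE_RSA_*|TLS_RSA_*)    echo RSA ;;
    TLS_AES_*|TLS_CHACHA20_*) echo ANY ;;
    *)                        echo UNKNOWN ;;
  esac
}

# Protocol version a CipherSpec name implies (both ends must agree on it).
cipherspec_protocol() {   # $1 = MQ CipherSpec name
  case "$1" in
    TLS_AES_*|TLS_CHACHA20_*) echo TLS1.3 ;;
    ECDHE_*)                  echo TLS1.2 ;;
    *)                        echo other ;;
  esac
}

# OK if the certificate can be used with the CipherSpec, MISMATCH otherwise.
check_cipherspec_cert() {   # $1 = MQ CipherSpec name, $2 = PEM certificate
  need=$(cipherspec_key_type "$1")
  have=$(cert_key_type "$2")
  if [ "$need" = ANY ] || [ "$need" = "$have" ]; then echo OK; else echo MISMATCH; fi
}

# The four CipherSpecs from the thread against each constructed certificate.
for cs in ECDHE_ECDSA_AES_256_GCM_SHA384 ECDHE_ECDSA_AES_256_CBC_SHA384 \
          TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256; do
  for cert in rsa ec; do
    printf '%-31s %-6s %-4s cert: %s\n' "$cs" "$(cipherspec_protocol "$cs")" \
      "$(cert_key_type "$WORK/$cert.pem")" "$(check_cipherspec_cert "$cs" "$WORK/$cert.pem")"
  done
done
```

Run it against the real certificate by pointing cert_key_type at a PEM export of the queue manager's personal certificate (runmqakm can extract it from the key repository); an RSA certificate behind an ECDHE_ECDSA_* CipherSpec is exactly the combination that can never complete a handshake, no matter what the other end has.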
hughson (Padawan; Joined: 09 May 2013; Posts: 1967; Location: Bay of Plenty, New Zealand)
Posted: Wed Jan 25, 2023 8:33 pm    Post subject: Re: Bad SSL certificate for channel '????'.
RimRim wrote:
    The certificate validation error was 575032 - The certificate is revoked.
    Not sure how come 575032, as from the same qmgr, channels to other qmgrs are running whereas to specific QM2 not working.

I assume the error message you have shown us is from the error log on QM2?

It is telling you that the certificate ibmwebspheremqqm1 is revoked according to either
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(e) an OCSP responder has indicated that it is revoked

What is the set up on QM2 for either CRL on an LDAP server or OCSP that differs from other queue managers where the QM1 certificate, ibmwebspheremqqm1, is accepted and not rejected because it is revoked?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
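The asymmetry hughson points at (one certificate accepted by every other queue manager and rejected only by QM2) reproduced as an added example, not code from the thread or from IBM MQ, with the openssl command line tool standing in for the queue manager's certificate validation. It builds a throwaway CA, issues an RSA certificate with the subject from the thread (all constructed here), and validates that certificate three times: with no CRL consulted, with an empty CRL, and with a CRL on which the CA has since revoked it. Only the last validation fails, which is cause (c) in the AMQ9633 text. MQ fetches its CRLs from LDAP or asks an OCSP responder; a CRL file is used here so that the whole thing runs offline. The working directory, file names and function names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the thread or from IBM MQ: the same certificate
# validates cleanly until a validator consults a CRL that lists it.
# Needs the openssl command line tool.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed demo CA and a queue manager certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/DC=net/DC=example/CN=Demo Issuing CA" -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/qm1.key" -out "$WORK/qm1.csr" \
  -subj "/C=XX/L=XXX/O=XXXXX/OU=MQ/CN=ibmwebspheremqqm1" 2>/dev/null
openssl x509 -req -in "$WORK/qm1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/qm1.pem" -days 30 2>/dev/null

# Minimal 'openssl ca' state: just enough to record revocations and issue CRLs.
: > "$WORK/index.txt"
echo 01 > "$WORK/crlnumber"
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 30
EOF

# Publish the CA's current CRL to a file.
publish_crl() {   # $1 = output CRL (PEM)
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$1" >/dev/null 2>&1
}

# Record a certificate as revoked; validators only see it once a new CRL is published.
revoke_cert() {   # $1 = PEM certificate
  openssl ca -config "$WORK/ca.cnf" -revoke "$1" >/dev/null 2>&1
}

# Decision of a validator that only checks the chain (no CRL, no OCSP).
validate_chain_only() {   # $1 = PEM certificate
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 && echo ACCEPTED || echo REJECTED
}

# Decision of a validator that also consults a CRL (AMQ9633 cause (c)).
validate_with_crl() {   # $1 = PEM certificate, $2 = CRL (PEM)
  openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$2" "$1" >/dev/null 2>&1 \
    && echo ACCEPTED || echo REJECTED
}

# 1. A queue manager with no revocation checking: accepted.
echo "chain only:            $(validate_chain_only "$WORK/qm1.pem")"
# 2. A queue manager checking a CRL that does not list the certificate: accepted.
publish_crl "$WORK/crl-before.pem"
echo "CRL before revocation: $(validate_with_crl "$WORK/qm1.pem" "$WORK/crl-before.pem")"
# 3. The CA revokes the certificate and publishes a new CRL; only a validator that
#    fetches this CRL (QM2 in the thread) now rejects it.
revoke_cert "$WORK/qm1.pem"
publish_crl "$WORK/crl-after.pem"
echo "CRL after revocation:  $(validate_with_crl "$WORK/qm1.pem" "$WORK/crl-after.pem")"
# The reason openssl gives for the last case, the counterpart of error 575032.
openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl-after.pem" "$WORK/qm1.pem" 2>&1 | tail -n 2
```

On the queue managers the things to compare between QM2 and one that still accepts the certificate are the SSLCRLNL attribute (DISPLAY QMGR SSLCRLNL), the AUTHINFO objects that namelist points at (DISPLAY AUTHINFO(*) ALL; type CRLLDAP or OCSP), and the SSL stanza of qm.ini (OCSPAuthentication, OCSPCheckExtensions, CDPCheckExtensions), which decides whether the OCSP and CRL distribution point URLs carried inside the certificate itself are followed. Cause (d) in the same message is the neighbour of this one: a CRL location that QM2 is told about but cannot reach is reported as a bad certificate too, so an LDAP server that only QM2 can (or cannot) reach produces the same one-queue-manager-only pattern.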