Bad SSL certificate for channel '????'.
RimRim |
Posted: Tue Jan 24, 2023 6:14 pm Post subject: Bad SSL certificate for channel '????'. |
|
|
Newbie
Joined: 18 Jan 2023 Posts: 5
|
I am facing an SSL error when trying to connect from QM1 to QM2. There are a few other channels running from QM1 to other QMGRs, and server conn as well. But particularly to 2 QMGRs, when trying to connect from QM1, I am facing this error:
Bad SSL certificate for channel '????'.
A certificate encountered during SSL handshaking is regarded as bad for one of the following reasons: &B (a) it was formatted incorrectly and could not be validated &B (b) it was formatted correctly but failed validation against the Certification Authority (CA) root and other certificates held on the local system &B (c) it was found in a Certification Revocation List (CRL) on an LDAP server &B (d) a CRL was specified but the CRL could not be found on the LDAP server &B (e) an OCSP responder has indicated that it is revoked &B (f) The keysize of the certificate is too small for the configured limit. (MinimumRSAKeySize) &P The channel is '????'; in some cases its name cannot be determined and so is shown as '????'. The remote host is 'XXXXXX'. The channel did not start. &P The details of the certificate which could not be validated are '[Class=]GSKVALMethod::X509
[Issuer=]CN=XXXXXX,
DC=xxx,DC=xxxxxxx,DC=net[#=]7700000733bgh8ewdedaasdadc604768720002733
[Subject=]CN=ibmwebspheremqqm1,OU=MQ,O=XXXXX,L=XXX,C=XX
[Class=]GSKVALMethod::X509[Issuer=]CN=XXXXXXX'. &P
The certificate validation error was 575032.
Check which of the possible causes applies on your system. Correct the error, and restart the channel. &P This error might indicate that the remote end of the channel is configured to send the wrong certificate. Check the certificate label configuration at the remote end of the channel and ensure that the local key repository contains all of the necessary CA certificates.
The certificate validation error was 575032 - The certificate is revoked.
Not sure how come 575032, as from the same qmgr, channels to other qmgrs are running whereas to the specific QM2 it is not working. Kindly provide your inputs.
|
RimRim |
Posted: Tue Jan 24, 2023 7:09 pm Post subject: |
|
|
Newbie
Joined: 18 Jan 2023 Posts: 5
|
Tried possible ways and it's working:
1. Disabling SSL at both ends.
2. Disabling SSLCIPH and enabling SSLPEER at both ends.
When enabling SSLCIPH with the values below, the channel goes to retrying with the bad SSL cert error.
ECDHE_ECDSA_AES_256_GCM_SHA384
ECDHE_ECDSA_AES_256_CBC_SHA384
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SH256
Both qmgr versions are 9.2.0.4.
So I guess SSLCIPH is the issue, whereas other channels from these qmgrs are using the above SSLCIPH and working.
|
fjb_saper |
Posted: Wed Jan 25, 2023 12:19 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Are you trying to run an Elliptic Curve Cipher with an RSA certificate?
Or a TLS 1.3 cipher against a TLS 1.2 cipher?
_________________
MQ & Broker admin
|
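The two questions in the reply above can be checked from the SSLCIPH value at each end and the key type of the certificate presented by the responding queue manager (the TLS server side). The sketch below is an added example, not part of the thread or of IBM MQ; it covers only the CipherSpec families named in the thread, and the function names and the certificate key types passed in are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SpecInfo:
    protocol: str             # TLS version the CipherSpec belongs to
    cert_key: Optional[str]   # server certificate key type the name requires, if any


def classify(cipherspec: str) -> SpecInfo:
    """Read protocol and required server-certificate key type off a CipherSpec name."""
    name = cipherspec.upper()
    if name.startswith("TLS_AES_"):
        # TLS 1.3 names carry only the AEAD and hash; the key type is not fixed.
        return SpecInfo("TLS 1.3", None)
    if name.startswith("ECDHE_ECDSA_"):
        return SpecInfo("TLS 1.2", "EC")
    if name.startswith("ECDHE_RSA_"):
        return SpecInfo("TLS 1.2", "RSA")
    raise ValueError(f"CipherSpec family not covered by this example: {cipherspec}")


def check_channel(initiator_spec: str, responder_spec: str,
                  responder_cert_key: str) -> List[str]:
    """Return findings for one channel; an empty list means nothing was flagged."""
    findings = []
    init, resp = classify(initiator_spec), classify(responder_spec)
    if init.protocol != resp.protocol:
        findings.append(f"protocol mismatch: {initiator_spec} is {init.protocol}, "
                        f"{responder_spec} is {resp.protocol}")
    elif initiator_spec.upper() != responder_spec.upper():
        # Assumption: both channel ends are expected to name the same CipherSpec.
        findings.append(f"SSLCIPH differs: {initiator_spec} vs {responder_spec}")
    if resp.cert_key and responder_cert_key.upper() != resp.cert_key:
        findings.append(f"{responder_spec} needs a responder certificate with an "
                        f"{resp.cert_key} key, but the key is {responder_cert_key}")
    return findings


if __name__ == "__main__":
    # Constructed inputs: CipherSpec names from the thread, certificate key types assumed.
    cases = (("ECDHE_ECDSA_AES_256_GCM_SHA384", "ECDHE_ECDSA_AES_256_GCM_SHA384", "RSA"),
             ("TLS_AES_256_GCM_SHA384", "ECDHE_ECDSA_AES_256_CBC_SHA384", "EC"))
    for case in cases:
        print(case, "->", check_channel(*case) or "no mismatch found")
```

An empty result rules out only these two mismatches; it says nothing about the revocation checks (CRL or OCSP) that the error text also lists.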
hughson |
Posted: Wed Jan 25, 2023 8:33 pm Post subject: Re: Bad SSL certificate for channel '????'. |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
RimRim wrote: |
The certificate validation error was 575032 - The certificate is revoked.
Not sure how come 575032, as from the same qmgr, channels to other qmgr's are running whereas to specific QM2 not working. |
I assume the error message you have shown us is from the error log on QM2?
It is telling you that the certificate, ibmwebspheremqqm1, is revoked according to either
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(e) an OCSP responder has indicated that it is revoked
What is the set up on QM2 for either CRL on an LDAP server or OCSP that differs from other queue managers where the QM1 certificate, ibmwebspheremqqm1, is accepted and not rejected because it is revoked?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|