SPS Join fails with SSL Certificate Verify Failed error (4267611)

Tchater maintenant avec le support

Obtenir une aide instantanée
Terminer l’enregistrement

Se connecter

Demander les tarifs

Contacter le service des ventes

Retour

Commentaire envoyé

Cet article vous a-t-il à résoudre un problème ?

Sélectionner une évaluation

Titre

SPS Join fails with SSL Certificate Verify Failed error
Description

When joining SPS to SPP, Join fails due to a certificate error with the following output (note, this may only be in Debug log):

Error 1:

{

"response": "Error sending request: SSLError: HTTPSConnectionPool(host='10.10.10.10', port=443): Max retries exceeded with url: /service/core/v3/Cluster/SessionModules (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))",

"status": null,

"url": "<URL IS UNIQUE TO ENVIRONMENT>"

}

or

Error 2:
Error joining to SPP: SPS has failed to join to SPP. For more information, see the error details. (JoinFailed)

{
"response": "Error sending request: SSLError: HTTPSConnectionPool(host='examplespp.company', port=443): Max retries exceeded with url: /service/core/v3/Cluster/SessionModules (Caused by SSLError(CertificateError(\"hostname 'examplespp.company' doesn't match '192.0.2.123'\",),))",
"status": null,
"url": "https://examplespp.company/service/core/v3/Cluster/SessionModules"
}
Cause

The Safeguard for Privileged Passwords SSL Certificate may have invalid data in the Authority Key Identifier field.

An example of common, but unaccepted, data in that field is DirName and Serial attributes.
Résolution

For Error 1 above:
Use an SSL Certificate that contains only the key ID of the Issuing Certificate Authority in the Authority Key Identifier field, conforming to IETF RFC 5280, and complying with OpenSSL and Mozilla policy.

Including any other information in that field will result in Join failure.

For Error 2 above:
If SPP's certificate contains SPP's IPv4 address in the Common Name or subjectAltName field, then enter that SPP IP address when linking SPS to SPP.

If SPP's certificate contains only its DNS name in the Common Name or subjectAltName field, then use that SPP hostname when linking SPS to SPP.

Otherwise, set up an SSL server certificate for SPP which matches its IP address in the certificate's Common Name or subjectAltNamefields (see SSL Certificates in the Safeguard Administration Guide) and retry linking. Wait about five minutes to let the timeout of the failed link request expire before starting a new link request after a failed incomplete one. (Alternatively, see Reversing the SPP to SPS join in the Safeguard Administration Guide.)

Commentaire envoyé

Cet article vous a-t-il à résoudre un problème ?

Sélectionner une évaluation

Demander un article de la base de connaissances

Contenu recommandé

Produit(s) :: One Identity Safeguard for Privileged Passwords
7.0.4.1 LTS, 7.0.4 LTS, 7.0.3.1 LTS, 7.0.3 LTS, 7.0.2 LTS, 7.0.1 LTS, 7.0 LTS, 6.14, 6.0.13 LTS, 6.0.12 LTS, 6.0.7 LTS, 6.7.3, 6.7.2, 6.7.1, 6.7; One Identity Safeguard for Privileged Sessions
7.0.4 LTS, 7.0.3.1 LTS, 7.0.3 LTS, 7.0.2.1 LTS, 7.0.2 LTS, 7.0.1.1 LTS, 7.0.1 LTS, 7.0 LTS, 6.14, 6.0.14 LTS, 6.0.13, 6.0.12, 6.0.11, 6.9.5, 6.9.4, 6.9.3, 6.9.2, 6.0.10, 6.0.9, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0 LTS

Sujet(s) :: Configuration

Historique de l’article :: Créé le : 8/28/2020
Dernière mise à jour le : 12/1/2023

Rechercher tous les articles

Veuillez sélectionner votre produit

Afin de mieux répondre à vos besoins, précisez l'objet du tchat:

Solutions recommandées pour votre problème

SPS Join fails with SSL Certificate Verify Failed error (4267611)

Titre

Description

Cause

Résolution

Leave a Comment