-
Title
SPS Join fails with SSL Certificate Verify Failed error -
Description
When joining SPS to SPP, Join fails due to a certificate error with the following output (note, this may only be in Debug log):
Error 1:{"response": "Error sending request: SSLError: HTTPSConnectionPool(host='10.10.10.10', port=443): Max retries exceeded with url: /service/core/v3/Cluster/SessionModules (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))","status": null,"url": "<URL IS UNIQUE TO ENVIRONMENT>"}
or
Error 2:
Error joining to SPP: SPS has failed to join to SPP. For more information, see the error details. (JoinFailed)
{
"response": "Error sending request: SSLError: HTTPSConnectionPool(host='examplespp.company', port=443): Max retries exceeded with url: /service/core/v3/Cluster/SessionModules (Caused by SSLError(CertificateError(\"hostname 'examplespp.company' doesn't match '192.0.2.123'\",),))",
"status": null,
"url": "https://examplespp.company/service/core/v3/Cluster/SessionModules"
} -
Cause
The Safeguard for Privileged Passwords SSL Certificate may have invalid data in the Authority Key Identifier field.An example of common, but unaccepted, data in that field is DirName and Serial attributes. -
Resolution
For Error 1 above:
Use an SSL Certificate that contains only the key ID of the Issuing Certificate Authority in the Authority Key Identifier field, conforming to IETF RFC 5280, and complying with OpenSSL and Mozilla policy.Including any other information in that field will result in Join failure.
For Error 2 above:
If SPP's certificate contains SPP's IPv4 address in the Common Name or subjectAltName field, then enter that SPP IP address when linking SPS to SPP.
If SPP's certificate contains only its DNS name in the Common Name or subjectAltName field, then use that SPP hostname when linking SPS to SPP.
Otherwise, set up an SSL server certificate for SPP which matches its IP address in the certificate's Common Name or subjectAltNamefields (see SSL Certificates in the Safeguard Administration Guide) and retry linking. Wait about five minutes to let the timeout of the failed link request expire before starting a new link request after a failed incomplete one. (Alternatively, see Reversing the SPP to SPS join in the Safeguard Administration Guide.)