After upgrading CA Directory, Provisioning Server cannot connect to its DSA

Document ID : KB000004948
Last Modified Date : 14/02/2018
Issue:

I am trying to update my production environment to CA Directory 12 build 12074 release, but when I updated and started the DSA, the CA Provisioning environment didn't connect with the CADIR Pool. The errors are below:

 

[66] 20161022.201005.970 WARN : ssld_ssl_request failed 

[66] 20161022.201005.970 WARN : TLS/SSL handshake failed for call from 172.25.144.11:50543 

[67] 20161022.201326.724 WARN : ERROR IN HANDSHAKE 

[67] 20161022.201326.724 WARN : 2ad40c0c0e88- 16030000 47010000 43030058 0be48647 

[67] 20161022.201326.724 WARN : 67:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:1020: 

[67] 20161022.201326.724 WARN : ssld_ssl_request failed 

[67] 20161022.201326.724 WARN : TLS/SSL handshake failed for call from 172.25.144.12:60113 

[70] 20161022.201539.264 WARN : ERROR IN HANDSHAKE 

[70] 20161022.201539.264 WARN : 2ad40c0b6488- 16030000 47010000 43030058 0be50b7f 

[70] 20161022.201539.264 WARN : 2ad40c0b64c8- 0012000a 00090005 00040100 

[70] 20161022.201539.264 WARN : 70:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:1020: 

[70] 20161022.201539.264 WARN : ssld_ssl_request failed 

[70] 20161022.201539.264 WARN : TLS/SSL handshake failed for call from 172.25.144.11:50570 

[72] 20161022.201753.595 WARN : ERROR IN HANDSHAKE 

[72] 20161022.201753.595 WARN : 2ad40c0c98d8- 16030000 47010000 43030058 0be59184 

[72] 20161022.201753.595 WARN : 72:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:1020: 

[72] 20161022.201753.595 WARN : ssld_ssl_request failed 

[72] 20161022.201753.595 WARN : TLS/SSL handshake failed for call from 172.25.144.11:50598 

[67] 20161022.201855.901 WARN : ERROR IN HANDSHAKE 

[67] 20161022.201855.901 WARN : 2ad40c0c0e88- 16030000 47010000 43030058 0be5cfdc ....G...C..X.... 

[67] 20161022.201855.901 WARN : 2ad40c0c0e98- 42b1f963 7ca36fda b4c30990 f36ff14a B..c|.o......o.J 

[67] 20161022.201855.901 WARN : 2ad40c0c0ea8- fc5dc04c 0f263a99 e168f600 001c0039 .].L.&:..h.....9 

[67] 20161022.201855.901 WARN : 2ad40c0c0eb8- 00380035 00330032 002f0016 00150013 .8.5.3.2./...... 

[67] 20161022.201855.901 WARN : 2ad40c0c0ec8- 0012000a 00090005 00040100 ............ 

[67] 20161022.201855.901 WARN : 67:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:1020: 

[67] 20161022.201855.901 WARN : ssld_ssl_request failed 

[67] 20161022.201855.901 WARN : TLS/SSL handshake failed for call from 172.25.144.11:50623 

[70] 20161022.202005.976 WARN : ERROR IN HANDSHAKE 

 

[70] 20161022.202005.976 WARN : 2ad40c0b64c8- 0012000a 00090005 00040100 

[70] 20161022.202005.976 WARN : 70:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:1020: 

[70] 20161022.202005.976 WARN : ssld_ssl_request failed 

[70] 20161022.202005.976 WARN : TLS/SSL handshake failed for call from 172.25.144.11:50656 

Environment:
CA Directory r12.0 SP10, RedHat 6
Cause:

The customer missed steps in the SSL certificate generation process. See the Resolution section below for the procedures.

Resolution:

There are two ways to restore the SSL communication between CA Directory and Provisioning Components after upgrading CA Directory. You can restore the trusted.pem file (and impd_trusted.pem file) from backup, or generate it again using dxcertgen.

 

- If you prefer to regenerate the trusted.pem file by running the dxcertgen command (dxcertgen -d 3650 certs), make sure to run it on only one CA Directory machine, then copy the trusted.pem file to the other CA Directory machines that host the same DSAs (under dxserver\config\ssld). Once this is done:

 

1. Open the dxserver\config\ssld\trusted.pem using a text editor 

2. Copy the last section (including ---BEGIN CERT--- and ---END CERT--- lines)

3. Paste it at the bottom of dxserver\config\ssld\impd_trusted.pem 

4. Restart the DSAs (dxserver stop all / dxserver start all) and restart all Provisioning services. 

 

- If you prefer to restore the trusted.pem and impd_trusted.pem from backup, then there is nothing else to do: restart all DSAs and Provisioning services and you are good to go.
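
Steps 1 to 3 of the dxcertgen option above, as an added shell example (not CA's own tooling and not part of the original article): it extracts the last certificate block from trusted.pem and appends it to impd_trusted.pem once, keeping a .bak copy. It assumes standard PEM markers (-----BEGIN CERTIFICATE-----); the function names, the script arguments and the sample data in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CA tooling: steps 1-3 of the dxcertgen option as a script.
# Usage (script name is hypothetical): sh append_cert.sh TRUSTED_PEM IMPD_TRUSTED_PEM

# Print the last PEM certificate block (markers included) found in file $1.
last_cert() {
    awk '
        { sub(/\r$/, "") }    # tolerate files saved with CRLF line endings
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; inblock = 1 }
        inblock { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ && inblock { last = buf; inblock = 0 }
        END { if (last == "") exit 1; printf "%s", last }
    ' "$1"
}

# Append that block to file $2 unless the same base64 body is already in it.
append_last_cert() {
    src=$1; dst=$2
    cert=$(last_cert "$src") || { echo "no certificate in $src" >&2; return 1; }
    body=$(printf '%s\n' "$cert" | grep -v '^-----' | tr -d ' \n')
    [ -n "$body" ] || { echo "empty certificate body in $src" >&2; return 1; }
    if [ -f "$dst" ]; then
        if tr -d ' \r\n' < "$dst" | grep -qF -- "$body"; then
            echo "certificate already present in $dst"; return 0
        fi
        cp -p "$dst" "$dst.bak"    # copy to roll back to
        # pasting after a file with no final newline would fuse END and BEGIN
        [ -z "$(tail -c 1 "$dst")" ] || echo >> "$dst"
    fi
    printf '%s\n' "$cert" >> "$dst"
    echo "appended certificate to $dst"
}

# Constructed sample data: placeholder base64, not real certificates.
demo() {
    d=$(mktemp -d); b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\n' "$b" 'QUFBQQ==' "$e" "$b" 'QkJCQg==' "$e" > "$d/trusted.pem"
    printf '%s\n%s\n%s' "$b" 'Q0NDQw==' "$e" > "$d/impd_trusted.pem"  # no final newline
    append_last_cert "$d/trusted.pem" "$d/impd_trusted.pem" >/dev/null
    append_last_cert "$d/trusted.pem" "$d/impd_trusted.pem" >/dev/null  # no-op
    grep -c '^-----BEGIN CERTIFICATE-----$' "$d/impd_trusted.pem"       # prints 2
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then append_last_cert "$1" "$2"; fi
```

Step 4 (restarting the DSAs and the Provisioning services) still has to be done after the append.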
