CA Mobile OTP users get "Unexpected Network Error" intermittently

Document ID : KB000122205
Last Modified Date : 01/12/2018
Issue:
During provisioning of an account using the CA Mobile OTP App, customers get an "Unexpected Network Error". This could be an intermittent or a solid failure. Generally, an intermittent failure like this points to a high-availability architecture where the servers or proxies (fielding the initial provisioning request from the CA Mobile OTP client) are load balanced.

The resulting error screen on "Add Account" shows "Unexpected Network Error" at the bottom.


Diagnosis of the issue

1. Use the OpenSSL s_client to see if the entire certificate chain up to the root certificate is returned when hitting the back end server. If it is not returned, then the certificates have not been applied correctly in Java CACERTS on the back end or proxy servers.

Here is an example (Error-Example) showing that only intermediate certificates are returned but the root certificate is not. The certificate chain in this example did not return the root certificate, which is "AddTrust External CA Root" (shown only in the Success-Example below).

================ Start of Error-Example using openssl s_client ==============
C:\Program Files\OpenSSL\bin>openssl s_client -connect smarcot.com:443
CONNECTED(00000198)
depth=0 C = US, postalCode = 95054, ST = CA, L = Santa Clara, street = 3965 Freedom Circle, O = "Arcot, Inc", OU = SecuritySupport, OU = CAsupport, CN = smarcot.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, postalCode = 95054, ST = CA, L = Santa Clara, street = 3965 Freedom Circle, O = "Arcot, Inc", OU = SecuritySupport, OU = CAsupport, CN = smarcot.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = US, postalCode = 95054, ST = CA, L = Santa Clara, street = 3965 Freedom Circle, O = "Arcot, Inc", OU = SecuritySupport, OU = CAsupport, CN = smarcot.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA

.......................................
.......................................
.......................................
.......................................

Start Time: 1543579714
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
closed

=================== End of Error-Example using openssl s_client ==============




Here is an example (Success-Example) showing a success case where the certificate chain in the excerpt below returns the root certificate, which is "AddTrust External CA Root".

================ Start of Success-Example using openssl s_client ==============

C:\Program Files\OpenSSL\bin>openssl s_client -connect smarcot.com:443
CONNECTED(0000019C)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:serialNumber = 2221857, jurisdictionC = US, jurisdictionST = CA, businessCategory = Private Organization, C = US, postalCode = 95054, ST = CA, L = Santa Clara, street = 3965 Freedom Circle, O="Arcot, inc", OU = SecuritySupport, OU = COMODO EV Multi-Domain SSL, CN = smarcot.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
 1 s:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 4 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 5 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
.......................................
.......................................
.......................................
.......................................

 Start Time: 1543579433
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---
closed
============= End of Success-Example using openssl s_client ==============
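
Added example, not part of the original article or of CA's tooling: Python that parses saved `openssl s_client` output from each load-balanced node and reports which nodes return a chain without a self-signed root, which is the difference between the Error-Example and the Success-Example above. The sample outputs are constructed (shortened from this page's two examples) and the node names are hypothetical.

```python
import re

# Constructed excerpts, shortened from the two s_client examples on this page.
ERROR_OUTPUT = """Certificate chain
 0 s:C = US, O = "Arcot, Inc", CN = smarcot.com
   i:C = GB, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""
SUCCESS_OUTPUT = """Certificate chain
 0 s:C = US, O = "Arcot, inc", CN = smarcot.com
   i:C = GB, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
 1 s:C = SE, O = AddTrust AB, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, CN = AddTrust External CA Root
 2 s:C = GB, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
   i:C = GB, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 3 s:C = GB, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, CN = AddTrust External CA Root
---
    Verify return code: 19 (self signed certificate in certificate chain)
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, subject, in_chain = [], None, False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain section
        elif in_chain and (m := re.match(r"\s*\d+ s:(.*)", line)):
            subject = m.group(1).strip()
        elif in_chain and subject and (m := re.match(r"\s+i:(.*)", line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def diagnose(output):
    """Summarise one node: self-signed roots sent, issuers not sent, verify code."""
    chain = parse_chain(output)
    subjects = {s for s, _ in chain}
    code = re.search(r"Verify return code: (\d+)", output)
    return {
        "roots": [s for s, i in chain if s == i],
        "missing_issuers": sorted({i for _, i in chain if i not in subjects}),
        "verify_code": int(code.group(1)) if code else None,
    }

def nodes_without_root(outputs_by_node):
    """Nodes behind the load balancer whose returned chain has no root."""
    return sorted(n for n, o in outputs_by_node.items() if not diagnose(o)["roots"])
```

To chase an intermittent failure, capture the s_client output against each back end or proxy node individually rather than the load-balanced name, then pass the captures to `nodes_without_root`.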









 
Environment:
CA Mobile OTP App running on an Android or iOS device.
Cause:
SSL certificates are not properly installed on the servers.
Resolution:
Install the certificates in the Java cacerts location on all proxy servers to which the CA Mobile OTP client will try to send the enrollment request, whether it reaches the back end CA Arcot AFM servers directly or via proxy servers.
Additional Information:
None.