Question:
I'm connecting to a host that requires a client certificate. Is the below failure rejecting my client certificate, or does it mean Chilkat is rejecting the remote server's certificate?
Thanks!
ChilkatLog:
  GetServerSslCert:
    DllDate: Dec 30 2015
    ChilkatVersion: 9.5.0.55
    UnlockPrefix: NTHttp
    Architecture: Little Endian; 64-bit
    Language: Linux Perl
    VerboseLogging: 0
    domain: mysite.com
    port: 443
    socket2Connect:
      connect2:
        connectImplicitSsl:
          clientHandshake:
            clientHandshake2:
              readHandshakeMessages:
                processAlert:
                  TlsAlert:
                    level: fatal
                    descrip: unknown certificate authority
                  --TlsAlert
                --processAlert
                Aborting handshake because of fatal alert.
              --readHandshakeMessages
            --clientHandshake2
          --clientHandshake
          Client handshake failed. (3)
        --connectImplicitSsl
        ConnectFailReason: 109
      --connect2
    --socket2Connect
    Failed.
  --GetServerSslCert
--ChilkatLog
descrip: unknown certificate authority
The signer of the certificate cannot be validated on your system. Either the server has a self-signed certificate or your system doesn't have the latest server authorities available to it.
The GetServerSslCert method is for retrieving the server's SSL/TLS certificate. There shouldn't be a need to use a client-certificate for this purpose.
What GetServerSslCert does is to simply make a connection to the domain/port specified, and to complete the TLS handshake. Part of the TLS handshake involves the server sending its certificate to the client. If you set a client-side certificate, then Chilkat will include the client-side certificate in the TLS handshake. (But there's really no need for that in this case.) Chilkat does it, and the server examines the client certificate and doesn't like it because it doesn't know about the certificate authority, and this causes the server (or this particular server) to issue a TLS Abort message to abort the TLS handshake.
The solution for GetServerSslCert is to omit setting the client-side certificate for that call. If your app then needs to send a POST, GET, or whatever where the client cert is needed for authentication (i.e. two-way SSL/TLS), then you'll have to first sort out the problem with the fact that your cert's root is not recognized by the server. If your cert was a self-signed certificate, then the only solution is to get a cert from a cert authority.
The remote server is rejecting your client certificate.
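Added example (not part of the original thread and not Chilkat code): a small Python parser for a ChilkatLog dump like the one in the question, reporting the call path under which each TlsAlert was logged. It assumes, based on this log and the answers above, that an alert recorded under readHandshakeMessages was received from the peer; the function name find_tls_alerts is hypothetical and LOG is abridged from the log in the question.

```python
# Added example: locate TLS alerts in a ChilkatLog dump and report their context.
LOG = """\
ChilkatLog:
GetServerSslCert:
connectImplicitSsl:
clientHandshake:
readHandshakeMessages:
processAlert:
TlsAlert:
level: fatal
descrip: unknown certificate authority
--TlsAlert
--processAlert
Aborting handshake because of fatal alert.
--readHandshakeMessages
--clientHandshake
Client handshake failed. (3)
--connectImplicitSsl
ConnectFailReason: 109
Failed.
--GetServerSslCert
--ChilkatLog
"""  # abridged from the question's log; nesting is carried by "name:" / "--name"

def find_tls_alerts(text):
    """Return one dict per TlsAlert context, including the call path around it."""
    stack, alerts = [], []
    for raw in text.splitlines():
        line = raw.strip()                      # indentation is optional in dumps
        if not line:
            continue
        if line.startswith("--"):               # "--name" closes a context
            name = line[2:]
            if name in stack:
                while stack.pop() != name:      # also drops unclosed inner contexts
                    pass
        elif line.endswith(":"):                # "name:" opens a context
            stack.append(line[:-1])
            if line == "TlsAlert:":
                alerts.append({"path": stack[:-1]})
        elif stack and stack[-1] == "TlsAlert" and ": " in line:
            key, value = line.split(": ", 1)    # e.g. level / descrip
            alerts[-1][key] = value
    for alert in alerts:
        # Assumption: an alert logged while reading handshake messages came from the peer.
        alert["from_peer"] = "readHandshakeMessages" in alert["path"]
    return alerts
```

For the log in the question this yields a single fatal alert with from_peer set, matching the answers that the server, not Chilkat, aborted the handshake.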