japsas100
Pyrite | Level 9

We recently rebooted the Linux server, and since then we are getting the error below in the Chrome browser when opening the SAS portal:

 

https://sasxxxxxxxxxxxxxxxx/ Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain:

 

-----BEGIN CERTIFICATE-----

zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

= -----END CERTIFICATE----- 

 

Before the reboot, we were able to open the SAS VA portal with HTTPS security.

9 REPLIES
JuanS_OCS
Amethyst | Level 16

Hello @japsas100,

 

I think that the configuration of the certificate chain, or the certificate chain file (or one of its dependent certificates), has been modified since the last SAS Web Server service restart (or server reboot).

 

I would check that part with all the SAS services stopped, only stopping and starting the SAS Web Server (the script is in /Lev1/Web/WebServer/bin/). You will need to check the integrity of conf/extras/httpd-ssl.cfg and the certificate files in the ssl directory.

 

After each SAS Web Server restart, try to connect with a web browser to the URL ( https://sasxxxxxxxxxxxxxxxx/ ).

 

Once you are ready here, and the web browser can fully validate the certificates (server's, Intermediates and CA) and its chain, I would import the certificates on the SAS PrivateJRE (just to be sure) before starting all the SAS Services.

 

Of course, you can do the import with the SAS Deployment Manager, on each server of your SAS deployment, and each client using SMC. In the right order. Or, if you are used to it, just with the keytool command from the SASPrivateJRE.

 

japsas100
Pyrite | Level 9

Thanks for the reply.

 

I already checked with the IT team; they never modified any certificate. There is no issue when I open the portal on old browsers like Internet Explorer and Chrome, because I was using these browsers before the reboot.

 

But once I open a page on new machines with Chrome or Internet Browsers after the reboot, it throws the same certificate error as I highlighted in the last track.

 

Please advise?  

JuanS_OCS
Amethyst | Level 16

Oh, shoot, wait.

 

Now I remember. You are working with some virtualized clients such as Citrix or M-AppV, right?

 

So my new understanding is that this problem only happens on some browsers, but it is fine on others. Is this correct? Otherwise, I cannot understand very well, sorry.

japsas100
Pyrite | Level 9

Yes, this problem only happens on new browsers which I am using after the reboot. I am using Citrix and the local network when I am in the office.

JuanS_OCS
Amethyst | Level 16

New browsers probably also means new Citrix servers (different ones). This would require importing the certificates (the full chain) into the new Windows Citrix servers of the cluster, and into the Chrome private certificate store (something new from the new version of Chrome).

japsas100
Pyrite | Level 9

Yes, this is correct.

JuanS_OCS
Amethyst | Level 16

So this is what you need to prepare and instruct the Citrix admins to do: import the server certificates (ensure that the CA root and CA intermediates are there, and then import the server certificate).

 

I understand this is not a mystery to you or to them, but if you need instructions please let me know.

japsas100
Pyrite | Level 9

Hi, I do not understand completely. Could you please explain in detail? Is there any action that needs to be performed from the SAS end?

JuanS_OCS
Amethyst | Level 16

If it works OK on some web browsers (Citrix servers), but on the new ones it does not work, it is not a SAS-related issue, it is just an SSL certificates one.

 

They will now focus on importing the CA, Intermediate and server certs into the appropriate certificate stores: Windows (or IE) and Chrome.

 

For the first:

http://support.sas.com/documentation/cdl/en/secref/69831/HTML/default/viewer.htm#p1g2v5c010q6gyn1fi8...

http://support.sas.com/documentation/cdl/en/secref/69831/HTML/default/viewer.htm#n0q3w2063kru3bn1fr6...

 

For the second:

- (you can google others) https://support.globalsign.com/customer/portal/articles/1211541-install-client-digital-certificate--...

- https://wiki.wmtransfer.com/projects/webmoney/wiki/Installing_root_certificate_in_Google_Chrome
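
The trust-store behaviour discussed in this thread, as an added example that is not part of any post and is not SAS or poster code: it builds a throwaway root, intermediate and server certificate with `openssl` and checks which client states accept the server certificate. The names `demo-root`, `other-root`, `demo-intermediate` and `sas.example.test` are constructed assumptions.

```shell
#!/bin/sh
# Constructed demo: all keys, names and certificates are generated locally.
set -u
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
LEAF=sas.example.test   # hypothetical portal host name

# Minimal config so the CA certificates carry basicConstraints CA:TRUE.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME EXT_SECTION [SIGNER]: self-signed when SIGNER is omitted.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null || return 1
  if [ -n "${3:-}" ]; then
    set -- "$1" "$2" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial
  else
    set -- "$1" "$2" -signkey "$WORK/$1.key"
  fi
  name=$1 ext=$2; shift 2
  openssl x509 -req -in "$WORK/$name.csr" -days 30 "$@" \
    -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
}

# client_accepts TRUSTED_ROOT [SERVED_INTERMEDIATE]: status 0 if the leaf validates.
client_accepts() {
  if [ -n "${2:-}" ]; then set -- "$1" -untrusted "$WORK/$2.pem"; else set -- "$1"; fi
  root=$1; shift
  openssl verify -CAfile "$WORK/$root.pem" "$@" "$WORK/$LEAF.pem" 2>/dev/null | grep -q ': OK$'
}

issue demo-root v3_ca && issue other-root v3_ca &&
  issue demo-intermediate v3_ca demo-root &&
  issue "$LEAF" v3_leaf demo-intermediate || echo "certificate generation failed" >&2

report() {
  if client_accepts "$2" "${3:-}"; then echo "$1: accepted"
  else echo "$1: issuer not recognized"; fi
}
report "client trusts demo-root, server sends intermediate" demo-root demo-intermediate
report "client trusts demo-root, server omits intermediate" demo-root
report "client lacks demo-root (new machine)" other-root demo-intermediate
```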
