05-29-2017 05:01 AM
We have recently reboot the Linux server after that we are getting below error on Chrome browser while opening the SAS portal:-
https://sasxxxxxxxxxxxxxxxx/ Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain:
= -----END CERTIFICATE-----
Before reboot, we were open the SAS VA portal with https security.
05-29-2017 05:09 AM
I think that the configuration of the certificate chain, or the certificate chain file (or one of its dependant certificates) has been modified since the last SAS Web Server service restart (or server reboot).
I would check that part, with all the SAS services stopped, only stopping and starting the SAS Web Server (script is in /Lev1/Web/WebServer/bin/). You will need to check the integrity of conf/extras/httpd-ssl.cfg and the certificate files at the ssl directory).
After each SAS Web Server restart, try to connect with a web browser to the URL ( https://sasxxxxxxxxxxxxxxxx/ ).
Once you are ready here, and the web browser can fully validate the certificates (server's, Intermediates and CA) and its chain, I would import the certificates on the SAS PrivateJRE (just to be sure) before starting all the SAS Services.
Of course, you can do the import with the SAS Deployment Manager, on each server of your SAS deployment, and each client using SMC. On the right order. Or, if you are used to it, just with the keytool command from the SASPrivateJRE.
05-29-2017 09:27 AM
Thanks for the reply.
I already checked wth IT team they never modified any certification. There is no issue when I open the portal on old browsers like Internet Explorer and Chrome because these browsers I am using before the reboot.
But once I open a page on new machines with Chrome or Internet Browers after reboot its throws same certificate error as I highlighted in the last track.
05-29-2017 09:41 AM
Oh, shoot, wait.
Now I remember. You are working with some virtualized clients such as Citrix or M-AppV, right?
So my new understanding is that this problem only happens on some browsers, but it is fine on others. Is this correct? Otherwise, I cannot understand very well, sorry.
05-29-2017 09:57 AM
New browsers probably means also new citrix servers (different ones). This would require to import the certificates (the full chain) into the new windows citrix servers of the cluster, and on the Chrome private certificate store (something new from the new version of Chrome).
05-29-2017 10:05 AM
So this is what you need to prepare and instruct to the Citrix admins, to import the Server certificates (ensure that CA root and CA intermediates are there, and them import the server certificate).
I understand this is not a mistery to you or to them, but if you need instructions please let me know.
05-29-2017 10:27 AM
If it works OK on some web browsers (Citrix servers), but on the new ones it does not work, it is not a SAS-related issue, it is just SSL certificates one.
Tehy will no focus on importing the CA, Intermediate and server certs into the appropiate certificate stores: Windows (or IE) and Chrome.
For the first:
For the second:
- (you can google others) https://support.globalsign.com/customer/portal/articles/1211541-install-client-digital-certificate--...