RE: Certificate mismatch error

[Edward Quick <edwardquick@xxxxxxxxxxx>]

Ok, I guess your job is to show that apache is set up correctly and the fault is on the client side, so try these tests:

Using curl, with your root certificate file (you shouldn't need the intermediate one if you set apache up right), run this:

Test 1:

$ curl --cacert ./root.pem https://abc.com
$ curl --cacert ./root.pem https://xyz.com

If that returns an error, try:

Test 2:
$ curl -k --cacert ./root.pem https://abc.com

That should work (but disables ssl validation). If it doesn't, try curl -v or read the curl man page :-)

If that worked try:

Test 3:
Concatenate the intermediate cert (pem format) to the end of root.crt, and rerun the curl script:

$ curl --cacert ./root_and_intermediate.pem https://abc.com
$ curl --cacert ./root_and_intemediate.pem https://xyz.com

---

Date: Tue, 26 Feb 2013 20:49:54 +0530
From: bijayant.mws@xxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Certificate mismatch error

Just got an update from client that after importing the intermediate cert also, the issue is not resolved !! 

ORA-06512: at "SYS.UTL_HTTP", line 1029

ORA-29024: Certificate validation failure (-29273)

Thanks & Regards,

BIjayant Kumar

On Tue, Feb 26, 2013 at 7:49 PM, Kumar Bijayant <bijayant.mws@xxxxxxxxx> wrote:

The certificate is installed by third party (trust center). I think the same and asked them to check and install if it is not there. Just waiting for their reply now.

Thanks for your help so far!

Thanks & Regards,

Bijayant Kumar

On Tue, Feb 26, 2013 at 5:47 PM, Edward Quick <edwardquick@xxxxxxxxxxx> wrote:

Is your certificate issued by an internal CA or someone like Verisign/Komodo etc?

I wonder if the Oracle DB connecting has the CA root certificate installed in their truststore. If they do, check the certificate chain for your site to make sure the intermediate is correctly set up.

---

Date: Tue, 26 Feb 2013 14:29:29 +0530

From: bijayant.mws@xxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Certificate mismatch error

Hi Edward,

I just renewed the server certificate on the Apache webserver. Oracle DB is not in our scope, that was the message from client.

Thanks,

Bijayant Kumar

On Mon, Feb 25, 2013 at 7:31 PM, Edward Quick <edwardquick@xxxxxxxxxxx> wrote:

Could you clarify, when you say :

The Certificate was installed into a Wallet-Manager of the ORACLE-DB.

I need this Certificate for a communication between ORACLE-DB to the Webserver. 

Does that mean you are doing client certificate verification? 

Or are you just renewing the server certificate on your web server?

---

Date: Mon, 25 Feb 2013 18:34:21 +0530
From: bijayant.mws@xxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Certificate mismatch error

Hi Edward,

Yes, the intermediate certs have been set up on the Apache server.

By any chance you know what else information can I ask from client to pin point their/DB problem?

Thanks & Regards,

Bijayant Kumar

On Sun, Feb 24, 2013 at 2:16 PM, Edward Quick <edwardquick@xxxxxxxxxxx> wrote:

Hi Bijayant,

You don't need another certificate if xyz.com is a subject alternate name of the primary certificate abc.com, so your understanding there is correct.

Is the intermediate certificate set up? 

Regards,

Edward.

---

Date: Sun, 24 Feb 2013 12:49:45 +0530
From: bijayant.mws@xxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Subject: Certificate mismatch error

Hello List,

I have an issue to connect SSL enabled site to Oracle database server. Let me explain you with an example here. 

My website name is abc.com and it has another name as well say xyz.com and that is listed in additional DNS name field of certificates. Primary name is abc.com only.

Now client is saying 

The Certificate was installed into a Wallet-Manager of the ORACLE-DB.

I need this Certificate for a communication between ORACLE-DB to the Webserver. When the ORACLE DB communicate with the the Webserve, the following error massage was created:

ORA-06512: at "SYS.UTL_HTTP", line 1029
ORA-29024: Certificate validation failure (-29273)
Now they are asking me to create a new certificate with the name xyz.com only. But as far as my knowledge goes, this should not create any issue as I have used both the name in my certificate and also I am not getting any error while browsing the website with either name.
Please correct me if I am wrong or any other pointer that will be helpful.



Thanks & Regards,
Bijayant Kumar