SSL3_GET_SERVER_CERTIFICATE error when running tasks with HTTPS or WebService consumer transformation in the PowerCenter mapping.

Version 1

    Are you getting certificate verification errors when running tasks on Informatica Cloud that have an HTTPS or WebService Consumer transformation in the PowerCenter mapping?

    The errors would be like:

    “[ERROR] HTTP Invoker encountered an error while invoking the HTTP. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed”

     

    This error occurs because the connection to the web service URL does not include the certificate data needed to authenticate the connection from the certificate provider's end: the certificate bundle does not contain a certificate from a Certificate Authority that the web service provider uses.

    The resolution to this issue is to get the particular client certificate PEM data and append it to the Informatica Secure Agent certificate bundle.

    Please reach out to the web service provider to get the certificates.

     

    The certificates can also be grabbed using Internet Explorer or openssl.

    A.  Using Internet Explorer:

     

    1. Go to the Web Service provider/http transformation URL using HTTPS.

    2. Click the padlock icon in the status bar of Internet Explorer (Security Report) and click on "View certificates".

    3. In the Certificate dialog box, click 'Certification Path'.

    4. Check how many certificates show up and select the first one.

    5. Click on "View Certificate" and in the new dialog box click on "Details" and select 'All'.

    6. Next, click on "Copy to File".

    7. This opens the "Certificate Export Wizard"; click on "Next".

    8. Select the 2nd option, "Base-64 encoded X.509 (.CER)" (base 64 encoded is the PEM Data of the certificate).

    9. Click Next and provide a path for the certificate export.

    10. Click Finish and locate the certificate.

     

    Screenshots are below:

     

     

    On the new Dialog Box, Select "Details" Tab and ensure "All" is showing:

     

     

     

     

    After the first certificate is exported, you will find the 'certificate.cer' file in "C:\" (as specified).

     

    Append the PEM certificate file to the certificate bundle, ca-bundle.crt. Edit the ca-bundle.crt file in any text editor, such as Notepad, and add the certificate contents along with the label PEM Data:

    The ca-bundle.crt file is located in {Agent_Dir}\main\bin\rdtm

     

    Note

    The label PEM Data: must be included for every certificate that you append. Check the existing ca-bundle.crt file for the format.

    Example

    PEM Data: 
    -----BEGIN CERTIFICATE-----
    MIID+DCCAuCgAwIBAgIRANAeQ
    -----END CERTIFICATE-----

     

     

    Web Services with a Chain of Certificates

     

    If the secure Web Service contains a chain of trusted certificates, then it is necessary to add each certificate in the chain to the trusted certificates file, up to the ROOT.

    For example:

    The above steps also need to be performed for the 2nd certificate, 'Thawte SGC CA', as seen in the first screenshot.

     

    Sometimes IE might not give the certificate prompt even when accessing an HTTPS URL. In those cases, we can try to use openssl to extract the certificates.

    B. Using openssl:

     

    1. Install openssl from "http://gnuwin32.sourceforge.net/packages/openssl.htm"

    2. After installation, run the command:

    openssl s_client -connect webserviceurl:port > C:\cert.txt

    For example:
    openssl s_client -connect app.informaticaondemand:443 > cert.txt

     

    3. This will create the cert.txt file in "C:\". Copy the PEM Data from the txt file and add it to the 'ca-bundle.crt' file in the agent directory ({Agent_Dir}\main\bin\rdtm).

     

    Run the tasks after adding the certificates and see if the issue persists.

     

    Please let us know if the issue continues after the above steps.
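
The copy-and-append step above as an added example (not code from the original post or from Informatica): it pulls only the certificate blocks out of saved `openssl s_client` output and appends each one not already in the bundle under the `PEM Data:` label. The sample input is constructed from placeholder bytes and mimics what `s_client` prints with `-showcerts`, where the server certificate appears twice; all function names are hypothetical.

```python
import base64
import re

# One PEM certificate block anywhere in saved s_client output or in a bundle.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def _der(body):
    """Decode a PEM body to raw bytes, rejecting non-Base64 content."""
    return base64.b64decode("".join(body.split()), validate=True)

def _pem(der):
    """Re-encode bytes as a canonical PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{rows}\n-----END CERTIFICATE-----\n"

def extract_certs(s_client_text):
    """Return the distinct certificates in the text as raw bytes, in order."""
    ders = []
    for body in PEM_RE.findall(s_client_text):
        der = _der(body)
        if der not in ders:          # the leaf is printed twice with -showcerts
            ders.append(der)
    return ders

def append_to_bundle(bundle_text, ders):
    """Append certificates missing from the bundle, each under 'PEM Data:'."""
    present = {_der(b) for b in PEM_RE.findall(bundle_text)}
    out = bundle_text if bundle_text.endswith("\n") else bundle_text + "\n"
    added = 0
    for der in ders:
        if der not in present:
            out += "\nPEM Data:\n" + _pem(der)
            present.add(der)
            added += 1
    return out, added

# Constructed sample input: placeholder bytes stand in for real DER certificates.
LEAF, INTERMEDIATE, OLD_CA = (_pem(x) for x in (b"constructed leaf",
                                                b"constructed intermediate",
                                                b"constructed existing CA"))
SAMPLE_S_CLIENT = ("CONNECTED(00000003)\n---\nCertificate chain\n"
                   " 0 s:/CN=ws.example.test\n" + LEAF +
                   " 1 s:/CN=Example Intermediate CA\n" + INTERMEDIATE +
                   "---\nServer certificate\n" + LEAF + "subject=/CN=ws.example.test\n")
SAMPLE_BUNDLE = "PEM Data:\n" + OLD_CA

if __name__ == "__main__":
    new_bundle, added = append_to_bundle(SAMPLE_BUNDLE, extract_certs(SAMPLE_S_CLIENT))
    print(f"appended {added} certificate(s)")
    print(new_bundle)
```

Running it a second time on the updated bundle appends nothing, so the bundle does not collect duplicate entries. Back up ca-bundle.crt before writing the result over it.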

     

    Hi,

     

    After following these steps, I get an error saying :

     

    Message Code: PCHTTP_33016

    Message: [ERROR] HTTP Invoker encountered an error while invoking the HTTP. Reason: SSL: certificate subject name '*abcdef.renters-choice-inc.com' does not match target host name '12.34.56.78'

     

    Could you please let me know what may be causing this issue?

     

    Thanks,

    Neha

     

    Abhijit,

     

    Is it necessary to provide a label before each PEM Data: section in the ca-bundle.crt file? How does Informatica know which certificate to choose when visiting an https site?

     

    I'm getting the following error when running my WF. I am using a web service consumer application connection which contains the user/password.

    Message: [ERROR] Web Service invoker encountered an error while invoking the Web Service. Reason: HTTP/1.1 401 Unauthorized

     

    Any help would greatly be appreciated,

    John

     

    Hi John,

     

    No, it is not necessary to provide a label. You can choose to do so to keep track of the certificates added. The certificate bundle is included in the request, and if the certificate needed is present, the SSL handshake is completed.

     

    The error you are seeing is an authentication error. It looks like the WS is expecting a username and password, and the credentials being used do not have access to the WS. Please check the credentials using SOAP UI.

     

    Thanks,

    Abhijit

     

    Hi Neha,

     

    Please refer to this KB article for the error:

    https://kb.informatica.com/solution/23/Pages/54/338103.aspx

     

    Thanks,

    Abhijit

     

    I'm getting the same error "HTTP Invoker encountered an error while invoking the HTTP. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" even after updating the ca-bundle.crt file with the required certificate. I started getting the error in the HTTP transformation once the service started using SHA2 (previously it was SHA). I was able to verify the bundle file with curl on the Linux command line:

    curl --cacert ca-bundle.crt <<host name>>

    But somehow Informatica is not validating the certificate. Any suggestion will be appreciated.

    Thanks!

     

    Hello All,

     

    I am facing a similar error when I try to access a simple HTTP-based API through PowerCenter's HTTP Transformation. Below is the error I get -

     

    Severity: ERROR

    Timestamp: 2/1/2018 1:12:20 PM

    Node: node02_az18u1120

    Thread: TRANSF_1_1_1

    Process ID: 93068

    Message Code: PCHTTP_33016

    Message: [ERROR] HTTP Invoker encountered an error while invoking the HTTP. Reason: Failed to connect to s3-sandbox.parature.com port 443: Connection timed out

     

    I am trying to call a third-party web service through the HTTP transformation. Please note: I have got 3 certificates from Parature installed on our Informatica server, but this error still persists. Can anyone help me with this error, please?

     

    I am using Informatica PowerCenter 10.1.1

     

    Regards,

    Akash

     

    This document was generated from the following discussion: SSL3_GET_SERVER_CERTIFICATE error when running tasks with HTTPS or WebService consumer transformation in the PowerCenter mapping.