Otdfbt

Multiband vertical antenna not working as expected

What are the unintended or dangerous consequences of allowing spells that target and damage creatures to also target and damage objects?

Rail-to-rail op-amp only reaches 90% of VCC, works sometimes, not everytime

So a part of my house disappeared... But not because of a chunk resetting

Can there be absolute velocity?

Do empty drive bays need to be filled?

How can one's career as a reviewer be ended?

Why are ambiguous grammars bad?

ASCII Meme Arrow Generator

Remove border lines of SRTM tiles rendered as hillshade

Diatonic chords of a pentatonic vs blues scale?

noalign caused by multirow and colors

What do you call the action of "describing events as they happen" like sports anchors do?

Does the Nuka-Cola bottler actually generate nuka cola?

Can you make an identity from this product?

Does a (nice) centerless group always have a centerless profinite completion?

Most valuable information/technology for rebuilding after the apocalypse?

Is Dumbledore a human lie detector?

Should I refuse to be named as co-author of a low quality paper?

Why isn't Bash trap working if output is redirected to stdout?

How far would a landing Airbus A380 go until it stops with no brakes?

How and why do references in academic papers work?

Are the guests in Westworld forbidden to tell the hosts that they are robots?

How to get depth and other lengths of a font?

IBM Domino is trying to use old SSL certificate

Java CertificateException in Domino 9 when trying to access HTTPS URLConfigure Domino to use SMTP routing and hMailServerHow can I troubleshoot this SSL certificate error?Which SSL certificate to use for non-financial applicationJava CertificateException in Domino 9 when trying to access HTTPS URLHow to get around Unrecognized Certificate Authority signature on Domino 9.0.1 with Go Daddy SSL?IBM Domino - incoming e-mail loses formatting, no winmail.datIntegration of IBM Domino 9 into existing 6.5.4 setupHow to register Notes user with the Domino Web Administrator?IBM Notes asking for user id file during setupHow to enable SSL when sending email through Domino

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

1

We have IBM Domino / Notes server that needs to connect to another server in our organization via HTTPS. Few days ago we've changed certificate on that server and loaded new certificate to ibm server (into cacerts and into internet certificate list in ibm administrator).
Since that, we have the following errors:

1. Exception on HttpConnector.sendPostRequest with stack:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 5950
 at com.ibm.jsse2.o.a(o.java:8)
 ...
 at http.HttpConnector.send(Unknown Source)
 at http.HttpConnector.sendPostRequest(Unknown Source) 
Caused by: java.security.cert.CertificateException: 5950
 at com.ibm.domino.napi.ssl.DominoX509TrustManager.checkServerTrusted(DominoX509TrustManager.java:98)
 at com.ibm.jsse2.lb.a(lb.java:30)
 ... 19 more

2. Error in error-log-0.xml with text:

Certificate with subject [certificate info, see further] is not trusted. Validation failed with error 5950.

But, the certificate info is about the old certificate - the one that is not used anymore.

So, somehow Domino thinks that it needs to use the old certificate, not the new one. But, when I open the corresponding URL on Domino server via browser, it shows the new certificate.

What problem can it be and how to fix it? Thanks.

ssl-certificate ibm-domino

share|improve this question

asked May 27 at 8:06

Ilya SkabaIlya Skaba

62

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Could you provide more information please? Check the hierarchy of both certificates, you need the key, the cert AND the chain (issuers) of both of them correctly configured. The error points that with the "trusted" word.
  
  – Carlos Garcia
  May 27 at 8:26
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @CarlosGarcia I've added all the chain (certificate, issuers, CA) to cacerts and into internet certificates in IBM Administrator. Also I did cross-certified certificate. The error looks the same as here :serverfault.com/questions/505273/… . I did everything like in the answer, but still the problem is here. It's also strange that it keeps telling about the old certificate, even if i'm using the new one everywhere
  
  – Ilya Skaba
  May 27 at 8:39
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Here is certificate chain that server uses :sslshopper.com/ssl-checker.html#hostname=priem.tusur.ru/api/… I've installed these certificates in cacerts and into internet certificates
  
  – Ilya Skaba
  May 27 at 8:44
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Don't know Domino at all, but what you definitely should not do is to add all chain to cacerts. cacerts is for the root certificates ONLY.
  
  – Sergey Nudnov
  May 27 at 15:54
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Ok, the actual reason of error was in Diffie-Hellman parameter for DHE ciphersuites, (dhparam.pem), which was 4906 bytes long)
  
  – Ilya Skaba
  May 31 at 9:27
  

  
  
  
  

add a comment | 

1

We have IBM Domino / Notes server that needs to connect to another server in our organization via HTTPS. Few days ago we've changed certificate on that server and loaded new certificate to ibm server (into cacerts and into internet certificate list in ibm administrator).
Since that, we have the following errors:

1. Exception on HttpConnector.sendPostRequest with stack:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 5950
 at com.ibm.jsse2.o.a(o.java:8)
 ...
 at http.HttpConnector.send(Unknown Source)
 at http.HttpConnector.sendPostRequest(Unknown Source) 
Caused by: java.security.cert.CertificateException: 5950
 at com.ibm.domino.napi.ssl.DominoX509TrustManager.checkServerTrusted(DominoX509TrustManager.java:98)
 at com.ibm.jsse2.lb.a(lb.java:30)
 ... 19 more

2. Error in error-log-0.xml with text:

Certificate with subject [certificate info, see further] is not trusted. Validation failed with error 5950.

But, the certificate info is about the old certificate - the one that is not used anymore.

So, somehow Domino thinks that it needs to use the old certificate, not the new one. But, when I open the corresponding URL on Domino server via browser, it shows the new certificate.

What problem can it be and how to fix it? Thanks.

ssl-certificate ibm-domino

share|improve this question

asked May 27 at 8:06

Ilya SkabaIlya Skaba

62

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Could you provide more information please? Check the hierarchy of both certificates, you need the key, the cert AND the chain (issuers) of both of them correctly configured. The error points that with the "trusted" word.
  
  – Carlos Garcia
  May 27 at 8:26
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @CarlosGarcia I've added all the chain (certificate, issuers, CA) to cacerts and into internet certificates in IBM Administrator. Also I did cross-certified certificate. The error looks the same as here :serverfault.com/questions/505273/… . I did everything like in the answer, but still the problem is here. It's also strange that it keeps telling about the old certificate, even if i'm using the new one everywhere
  
  – Ilya Skaba
  May 27 at 8:39
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Here is certificate chain that server uses :sslshopper.com/ssl-checker.html#hostname=priem.tusur.ru/api/… I've installed these certificates in cacerts and into internet certificates
  
  – Ilya Skaba
  May 27 at 8:44
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Don't know Domino at all, but what you definitely should not do is to add all chain to cacerts. cacerts is for the root certificates ONLY.
  
  – Sergey Nudnov
  May 27 at 15:54
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Ok, the actual reason of error was in Diffie-Hellman parameter for DHE ciphersuites, (dhparam.pem), which was 4906 bytes long)
  
  – Ilya Skaba
  May 31 at 9:27
  

  
  
  
  

add a comment | 

We have IBM Domino / Notes server that needs to connect to another server in our organization via HTTPS. Few days ago we've changed certificate on that server and loaded new certificate to ibm server (into cacerts and into internet certificate list in ibm administrator).
Since that, we have the following errors:

1. Exception on HttpConnector.sendPostRequest with stack:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 5950
 at com.ibm.jsse2.o.a(o.java:8)
 ...
 at http.HttpConnector.send(Unknown Source)
 at http.HttpConnector.sendPostRequest(Unknown Source) 
Caused by: java.security.cert.CertificateException: 5950
 at com.ibm.domino.napi.ssl.DominoX509TrustManager.checkServerTrusted(DominoX509TrustManager.java:98)
 at com.ibm.jsse2.lb.a(lb.java:30)
 ... 19 more

2. Error in error-log-0.xml with text:

Certificate with subject [certificate info, see further] is not trusted. Validation failed with error 5950.

But, the certificate info is about the old certificate - the one that is not used anymore.

So, somehow Domino thinks that it needs to use the old certificate, not the new one. But, when I open the corresponding URL on Domino server via browser, it shows the new certificate.

What problem can it be and how to fix it? Thanks.

ssl-certificate ibm-domino

share|improve this question

asked May 27 at 8:06

Ilya SkabaIlya Skaba

62

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 5950
 at com.ibm.jsse2.o.a(o.java:8)
 ...
 at http.HttpConnector.send(Unknown Source)
 at http.HttpConnector.sendPostRequest(Unknown Source) 
Caused by: java.security.cert.CertificateException: 5950
 at com.ibm.domino.napi.ssl.DominoX509TrustManager.checkServerTrusted(DominoX509TrustManager.java:98)
 at com.ibm.jsse2.lb.a(lb.java:30)
 ... 19 more

Certificate with subject [certificate info, see further] is not trusted. Validation failed with error 5950.

share|improve this question

asked May 27 at 8:06

Ilya SkabaIlya Skaba

62

share|improve this question

asked May 27 at 8:06

Ilya SkabaIlya Skaba

62

asked May 27 at 8:06

Ilya SkabaIlya Skaba

62

asked May 27 at 8:06

Ilya SkabaIlya Skaba

62