Signiant Support

Getting "bad_certificate" or "CRL not yet valid" errors


Problem

Running 'dds_cnctst' from the manager to the agent results in an error similar to the following:
  • 50038 Server 'your.agent.name' certificate rejected: CRL is not yet valid
  • 50035 Secure sockets layer (SSL) handshake failure with 'your.agent.name' on the process control client: certificate verify failed
Plus any of the following:
When attempting to manage an agent from the Signiant Administration Interface, the following error appears:
  • Some agent properties are not available for editing. CA certificate verification failed: Received fatal alert: bad_certificate
When attempting to monitor an agent from the Signiant Administration Interface, the following error appears:  
  • CA certificate verification failed: Received fatal alert: bad_certificate

Resolution

Note: This article does not apply if the dds_cnctst program fails for reasons other than those indicated under Problem above. The resolution differs depending on whether the affected agent is the manager's own agent; the steps for other agents are toward the bottom of this article.

Your Certificate Revocation List (CRL) is not yet valid.  This can happen if the system time on your manager was advanced and a new revocation list was generated.  You will need to generate a new CRL and distribute this to the affected agents.
   
To resolve the problem, log on to the manager with a root or administrator level account, either at the console or through remote desktop, SSH or another remote method. On the command line, navigate to the base Signiant directory. By default this will be /usr/signiant/dds/ for Linux managers or C:\Program Files\Signiant\Mobilize\ for Windows managers.

If the manager's agent is one that is experiencing the problem, you will first need to remove the existing CRL. Change to the /security/crl directory (under the base Signiant directory) and move the existing Signiant_crl.pem file to another location. 

Navigate to the 'bin' directory (under the base Signiant directory) and run the 'dds_ca_admin' command. Provide your CA Administrator passphrase when prompted. From the dds_ca_admin program, issue the 'gencrl' command. You will receive the message 'A new CRL has been successfully generated.' Use 'quit' to exit the dds_ca_admin program.

For agents experiencing the problem, delete or move the existing Signiant_crl.pem file from the security/crl directory under the base Signiant directory.  Restart the agent process on the agent.  Shortly after startup, the agent will request a new CRL from the manager.

If you wish to manually replace the agents' CRLs, navigate to the 'security/ddsCA/crl' directory on the manager (under the base Signiant directory).  Copy the ddsCA_crl.pem file to a location easily accessible by the agents. On the agents, copy this file to the security/crl directory (under the base Signiant directory) and rename the file to Signiant_CRL.pem.
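To confirm that a CRL file is the cause before or after replacing it, compare its lastUpdate field with the clock of the host that rejects it. The following is an added example, not part of the original article or of Signiant's tooling. It assumes the OpenSSL command-line tool is on the PATH and that the CRL is PEM-encoded. The default path is built from the Linux defaults given above, and the sample output is constructed.

```python
import subprocess
from datetime import datetime, timezone

# Default date format printed by `openssl crl -lastupdate -nextupdate`
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample of the openssl output (not taken from a real system)
SAMPLE_OUTPUT = ("lastUpdate=Mar  5 12:00:00 2030 GMT\n"
                 "nextUpdate=Apr  4 12:00:00 2030 GMT\n")

def parse_crl_dates(openssl_output):
    """Return {'lastUpdate': dt, 'nextUpdate': dt} from the openssl output."""
    dates = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        # A CRL without a nextUpdate field is printed as nextUpdate=NONE
        if sep and key in ("lastUpdate", "nextUpdate") and value != "NONE":
            parsed = datetime.strptime(value, OPENSSL_FMT)
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    return dates

def crl_state(openssl_output, now):
    """Classify the CRL against `now`; return (state, time difference)."""
    dates = parse_crl_dates(openssl_output)
    if "lastUpdate" not in dates:
        raise ValueError("no lastUpdate field in openssl output")
    if now < dates["lastUpdate"]:
        # Issued "in the future" relative to this host's clock
        return "not-yet-valid", dates["lastUpdate"] - now
    next_update = dates.get("nextUpdate")
    if next_update is not None and now > next_update:
        return "expired", now - next_update
    return "valid", None

def check_crl_file(path="/usr/signiant/dds/security/crl/Signiant_crl.pem"):
    """Run openssl on a PEM CRL and classify it against the local clock."""
    result = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-lastupdate", "-nextupdate"],
        check=True, capture_output=True, text=True)
    return crl_state(result.stdout, datetime.now(timezone.utc))

if __name__ == "__main__":
    state, delta = check_crl_file()
    print(state if delta is None else f"{state} by {delta}")
```

A "not-yet-valid" result on an agent with a correct clock points at a CRL generated while the manager's time was advanced; the reported difference shows how far ahead the CRL's issue time is.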

Applies To

This article applies to all software versions.