
ERR_SSL_VERSION_OR_CIPHER_MISMATCH error shown in browser after importing a new CA Signed Certificate in CA Performance Center (CAPC)


Article ID: 145645


Products

CA Infrastructure Management, CA Performance Management - Usage and Administration, DX NetOps

Issue/Introduction

The browser returns ERR_SSL_VERSION_OR_CIPHER_MISMATCH when attempting to log in to CAPC after importing a new CA Signed Certificate.

Cause

There are 2 possible causes for this:

  1. The CA Signed Certificate was not imported over the top of the existing Self-Signed Certificate.
  2. The CA Signed Certificate was imported into a keystore that does not contain the Private Key.
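
To tell the two causes apart before changing anything, the entry types in `keytool -list` output are enough. The script below is an added example, not part of the original article; it assumes keytool's default one-line listing format and the `capc` alias from the import step, and it runs on constructed sample listings with placeholder fingerprints.

```shell
#!/bin/sh
# Added example (not from the article). Live use, with the article's paths:
#   /opt/CA/jre/bin/keytool -list \
#     -keystore /opt/CA/PerformanceCenter/jetty/etc/keystore | diagnose_listing capc

# diagnose_listing ALIAS: read `keytool -list` output on stdin, print a verdict:
#   ok      ALIAS is a PrivateKeyEntry (certificate and private key share one entry)
#   cause1  a key pair exists, but not under ALIAS (cert went in beside it)
#   cause2  the keystore holds no PrivateKeyEntry at all
diagnose_listing() {
    awk -v want="$1" '
        # Entry lines look like: "<alias>, <date>, <EntryType>,"
        /, (PrivateKeyEntry|trustedCertEntry),[ \t]*$/ {
            alias = $0
            sub(/,.*/, "", alias)            # alias is the text before the first comma
            if ($0 ~ /, PrivateKeyEntry,/) {
                keys++
                # keytool treats aliases case-insensitively, so compare that way
                if (tolower(alias) == tolower(want)) found = 1
            }
        }
        END {
            if (found)     print "ok"
            else if (keys) print "cause1"
            else           print "cause2"
        }'
}

# Constructed listings; fingerprints are placeholders, not real values.
sample_cause1() {
    printf '%s\n' 'Keystore type: PKCS12' '' 'Your keystore contains 2 entries' '' \
        'capc, Jan 10, 2024, PrivateKeyEntry,' \
        'Certificate fingerprint (SHA-256): <placeholder>' \
        'incorrect_alias, Jan 12, 2024, trustedCertEntry,' \
        'Certificate fingerprint (SHA-256): <placeholder>'
}
sample_cause2() {
    printf '%s\n' 'Keystore type: PKCS12' '' 'Your keystore contains 1 entry' '' \
        'capc, Jan 12, 2024, trustedCertEntry,' \
        'Certificate fingerprint (SHA-256): <placeholder>'
}

sample_cause1 | diagnose_listing incorrect_alias   # cause1
sample_cause1 | diagnose_listing capc              # ok
sample_cause2 | diagnose_listing capc              # cause2
```

A `trustedCertEntry` for a root or intermediate CA is normal, so the verdict depends only on where the `PrivateKeyEntry` sits relative to the alias used for the import.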

 

Environment

CAPC Release 3.7.x and later

Resolution

The resolution for possible cause 1 listed above is:

a. Make a copy of the jetty keystore:

cp /opt/CA/PerformanceCenter/jetty/etc/keystore /opt/CA/PerformanceCenter/jetty/etc/keystore.backup

b. Delete the Certificate entered in error:

/opt/CA/jre/bin/keytool -delete -keystore /opt/CA/PerformanceCenter/jetty/etc/keystore -alias incorrect_alias

c. Import the CA Signed Certificate again:

/opt/CA/jre/bin/keytool -import -keystore /opt/CA/PerformanceCenter/jetty/etc/keystore -alias capc -trustcacerts -file /path/to/ca/signed/cert.cer

d. Restart the SSO, DM and Console services:

systemctl stop caperfcenter_sso caperfcenter_devicemanager caperfcenter_console
systemctl start caperfcenter_sso caperfcenter_devicemanager; sleep 20; systemctl start caperfcenter_console

e. Close any open browser windows and try to access the CAPC GUI again.

The resolution for possible cause 2 listed above is:

a. Create a new keystore, generating a new key pair. For example:

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

b. Generate the .csr file and send it to your CA (Certificate Authority) to get a new certificate file.

c. Back up the jetty keystore.

d. Import the new certificate file into the new keystore.

e. Update both files below with the new keystore path and password information:

/opt/CA/PerformanceCenter/PC/start.d/ssl.ini
/opt/CA/PerformanceCenter/sso/start.d/ssl.ini

f. Restart the CAPC services.

You can refer to the following article to get directions on how to execute the steps 2b, 2c, 2d and 2f above:

KB: How to update the Performance Center SSL/TLS certificate
