ERR_SSL_VERSION_OR_CIPHER_MISMATCH error shown in browser after importing a new CA Signed Certificate in NetOps Portal


Article ID: 145645


Products

CA Infrastructure Management, CA Performance Management - Usage and Administration, DX NetOps

Issue/Introduction

The browser returns ERR_SSL_VERSION_OR_CIPHER_MISMATCH when attempting to log in to the NetOps Portal after importing a new CA Signed Certificate.

Environment

PM Release 3.7.x and later

Cause

There are 2 possible causes for this:

  1. The CA Signed Certificate was not imported over the top of the existing Self-Signed Certificate.
  2. The CA Signed Certificate was imported into a keystore that does not contain the Private Key.
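
To tell which of the two causes applies, the keystore listing can be inspected before anything is changed. The script below is an added example, not part of the original article: it assumes English `keytool -list -v` output and treats a leaf certificate whose Owner equals its Issuer as self-signed. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: map `keytool -list -v` output to the two causes.
# Real use (paths from the article):
#   /opt/CA/jre/bin/keytool -list -v -keystore /opt/CA/PerformanceCenter/jetty/etc/keystore | diagnose_keystore

# One line per entry: alias <TAB> entry type <TAB> self-signed|ca-signed|unknown
keystore_entries() {
  awk '
    function emit() {
      if (alias == "") return
      kind = (owner == "") ? "unknown" : (owner == issuer ? "self-signed" : "ca-signed")
      printf "%s\t%s\t%s\n", alias, type, kind
    }
    /^Alias name: / { emit(); alias = substr($0, 13); type = owner = issuer = ""; seen = 0 }
    /^Entry type: / { type = substr($0, 13) }
    # Only the first Owner/Issuer pair in an entry describes its leaf certificate.
    /^Owner: /  && !seen { owner = substr($0, 8) }
    /^Issuer: / && !seen { issuer = substr($0, 9); seen = 1 }
    END { emit() }'
}

# Assumption: Owner == Issuer on the leaf means the entry is still self-signed.
diagnose_keystore() {
  keys=$(keystore_entries | awk -F '\t' '$2 == "PrivateKeyEntry"')
  if [ -z "$keys" ]; then
    echo "cause2: no PrivateKeyEntry in this keystore"
  elif printf '%s\n' "$keys" | grep -q 'ca-signed$'; then
    echo "ok: a key entry carries a CA-issued certificate"
  else
    echo "cause1: key entry is still self-signed"
  fi
}

# Constructed sample: CA certificate imported under the wrong alias (cause 1).
sample_cause1() {
  cat <<'EOF'
Alias name: capm
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=portal.example.com
Issuer: CN=portal.example.com
Alias name: incorrect_alias
Entry type: trustedCertEntry
Owner: CN=portal.example.com
Issuer: CN=Example Issuing CA
EOF
}
sample_cause1 | diagnose_keystore   # prints: cause1: key entry is still self-signed
```

A `trustedCertEntry` holds only a certificate, so a keystore made up solely of such entries gives the server no private key to present during the TLS handshake.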

 

Resolution

The resolution for possible cause 1 listed above is:

a. Make a copy of the jetty keystore:

cp /opt/CA/PerformanceCenter/jetty/etc/keystore /opt/CA/PerformanceCenter/jetty/etc/keystore.backup

b. Delete the certificate that was imported in error:

/opt/CA/jre/bin/keytool -delete -keystore /opt/CA/PerformanceCenter/jetty/etc/keystore -alias incorrect_alias

c. Import the CA Signed Certificate again:

/opt/CA/jre/bin/keytool -import -keystore /opt/CA/PerformanceCenter/jetty/etc/keystore -alias capm -trustcacerts -file /path/to/ca/signed/cert.cer

d. Restart the SSO, DM and Console services:

systemctl stop caperfcenter_sso caperfcenter_devicemanager caperfcenter_console
systemctl start caperfcenter_sso caperfcenter_devicemanager; sleep 20; systemctl start caperfcenter_console

e. Close all existing browser windows and try to access the NetOps Portal GUI again.

 

The resolution for possible cause 2 listed above is:

a. Create a new keystore and generate a new key pair in it, for example:

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

b. Generate the .csr file and send it to your CA (Certificate Authority) to obtain a new certificate file.

c. Back up the jetty keystore.

d. Import the new certificate file into the new keystore.

e. Update both files below with the new keystore path and password:

/opt/CA/PerformanceCenter/PC/start.d/ssl.ini
/opt/CA/PerformanceCenter/sso/start.d/ssl.ini

f. Restart the NetOps Portal services.

Refer to the following article for directions on how to execute steps 2b, 2c, 2d and 2f above:

How to Update The NetOps Portal SSL/TLS certificate

https://knowledge.broadcom.com/external/article/37756