The remote certificate is not valid according to the validation procedure


Sam

Hello everybody,

I suddenly have a problem with one of my Plastic SCM clients on Windows.

Everything worked well, but since last week I can't connect to my Plastic server anymore. Nothing changed in server config nor in my client config, but now I've got this message "The remote certificate is not valid according to the validation procedure" (see attached picture).

The server has an attached domain with a valid, not expired, certificate. But, as my client is on the same network as the server and as my box can't do loopback (domain name pointing to itself) I have an entry in my client host file to redirect domain name to local server IP address. This worked for more than 3 years without problem.

The only thing that happened last week is that I used my PC out of office, so I removed the redirect line in my client host file in order to do my commit through "real" internet. This also worked properly. But a few hours later when I restarted Plastic from my office again (with local host redirection), it began to display the error message. Server and clients were in version 7.0.16.2604, I updated my Windows client to 8.0.16.3068 but the problem did not disappear.

Two other clients (on Mac) don't suffer from the problem and continue to reach the server without problem, locally or through internet.

So my question is: is there a kind of certificate cache on Windows client? ... Perhaps wrong data was cached when I came back to my office. I tried to clear windows ssl state in "internet options" but it had no effect.

Any idea?

Plastic certificate problem.JPG


Hi Sam, If you are a customer, please always reach us at support@codicesoftware.com for a faster answer.

There shouldn't be cached information in the GUI client after restarting it.

If you drive to preferences, are you able to "check connection" with no issues? Are you configuring your client entering the server name (or IP)?

Could you send to our support email your client log? C:\Users\<user>\AppData\Local\plastic4\logs\plastic.debug.log.txt

If you re-enter the line in your client host file, doesn't it help?

Regards,

Carlos.


Thanks for the precisions, perhaps this could help someone else on this forum.

The "check connection" produces the same error message. I connect to my server with the domain name as I always did: ssl://dyn.my-sample-domain.com:8088

I will make another test out of my office (without the line in host file). At the moment the line is present, and ... the problem too!

I'll keep you in touch with the result of test. And, if there is no good news, I'll send the log file to support.

Sincerely

Samuel T.


  • 2 weeks later...

We finally found the problem: the issuer of our certificate does not exist anymore, and its own certificate (that certified it was a trusted CA) was no longer valid.

I used the command:

openssl s_client -connect dyn.my-sample-domain.com:8088 -showcerts

That resulted in:

verify error:num=20:unable to get local issuer certificate

So we just regenerated a new certificate from another CA (https://www.sslforfree.com/ that uses Let's Encrypt) and the problem was solved.

A huge thanks to Carlos from Plastic SCM support team, who gave me the keys to locate and solve this (not-Plastic) issue.


  • 3 months later...

Same issue here. Our cert is issued by a local CA (AD CS). So far it worked but stopped now. The CA's cert is valid and published to all machines via AD. OpenSSL shows the following validation errors:

depth=0 /CN=kara.corp.boldbrick.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=kara.corp.boldbrick.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=kara.corp.boldbrick.com
verify error:num=21:unable to verify the first certificate
verify return:1


10 hours ago, tucny said:

depth=0 /CN=kara.corp.boldbrick.com verify error:num=20:unable to get local issuer certificate

Your certificate is valid, but your issuer's is not, perhaps your issuer stopped its services like ours did 3 months ago.


36 minutes ago, Sam said:

Your certificate is valid, but your issuer's is not, perhaps your issuer stopped its services like ours did 3 months ago.

Well my issuer is my local custom certification authority (Active Directory CA) which is up and running and its certificate is valid till the year 2108.


On 7/9/2019 at 11:11 AM, tucny said:

Well my issuer is my local custom certification authority (Active Directory CA) which is up and running and its certificate is valid till the year 2108.

In my case, it turned out the certificate was expired. It would be nice if Plastic server reported this somehow, at least in its log file.

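Added example, not part of the thread and not Plastic SCM code: the two causes reported above (an issuer the client cannot chain to, giving verify error 20, and a certificate at or near expiry) reproduced offline with the openssl CLI. The names office-ca, other-ca and leaf.example are constructed, and every certificate is a throwaway created in a temp directory.

```bash
#!/usr/bin/env bash
# Added example: reproduce "verify error 20" and an expiry check offline.
# All certificates and names below are constructed for the demonstration.

# make_ca DIR NAME -> self-signed CA certificate DIR/NAME.pem, valid one day
make_ca() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
    '[dn]' "CN=$2" '[v3]' 'basicConstraints=critical,CA:TRUE' > "$1/$2.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA -> DIR/leaf.pem signed by DIR/CA.pem, valid one day
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
    -subj "/CN=leaf.example" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# verify_code LEAF CAFILE -> first OpenSSL verify error number, 0 if the chain validates
verify_code() {
  out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  case "$out" in *": OK"*) ;; *) [ -n "$code" ] || code=unreadable ;; esac
  echo "${code:-0}"
}

# expiry_state CERT [SECONDS] -> "expiring" if CERT is expired or expires within SECONDS
expiry_state() {
  if openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
  then echo valid; else echo expiring; fi
}

# Stand-alone demo: the same leaf checked against its real issuer and a stranger CA
demo() {
  d=$(mktemp -d); make_ca "$d" office-ca; make_ca "$d" other-ca; make_leaf "$d" office-ca
  echo "issuer in trust file:     verify error $(verify_code "$d/leaf.pem" "$d/office-ca.pem")"
  echo "issuer not in trust file: verify error $(verify_code "$d/leaf.pem" "$d/other-ca.pem")"
  echo "expired right now:        $(expiry_state "$d/leaf.pem" 0)"
  echo "expires within 30 days:   $(expiry_state "$d/leaf.pem" 2592000)"
  rm -rf "$d"
}
demo
```

Against a live server, save each certificate printed by the s_client -showcerts command from the thread to its own file and run expiry_state on every one, not only the leaf.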
