
I have a webserver that is secured using an SSL cert from GoDaddy. The certificate seems to be working fine for about 30 clients, but one client cannot connect and I cannot for the life of me figure out why.

Here's the error in the Windows event logs. I am using Windows 2008 Server R2:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" /> 
<EventID>36887</EventID> 
<Version>0</Version> 
<Level>2</Level> 
<Task>0</Task> 
<Opcode>0</Opcode> 
<Keywords>0x8000000000000000</Keywords> 
<TimeCreated SystemTime="2016-01-07T18:14:25.883747000Z" /> 
<EventRecordID>380823</EventRecordID> 
<Correlation /> 
<Execution ProcessID="612" ThreadID="712" /> 
<Channel>System</Channel> 
<Computer>nfswebservice</Computer> 
<Security UserID="S-1-5-18" /> 
</System>
<EventData>
<Data Name="AlertDesc">46</Data> 
</EventData>
</Event>

I have looked this up and found that the alert 46 = "TLS1_ALERT_CERTIFICATE_UNKNOWN", which seems to be a generic error stating only that "something" is wrong with the certificate.

The thing is though that the certificate seems to be working fine for everyone else except this one client. The client involved is using ColdFusion 10 with Java 7 to try to talk to the server and they are the only ones getting an error.

What's even more confusing is that up until the server was restarted a few days ago, this 1 client was working fine. So I know the server restart was the trigger but I can't find what's wrong.

Can someone point me in the right direction? I need to figure out more details about the error and I have no experience in tracing these kinds of issues. Is there another log somewhere that I should be looking at?

elevenUser

1 Answer

Ask the ColdFusion client to do a dump of a cfhttp request to your server.

Ask them to screenshot that dump and post here if possible.

I am guessing that the client (Java 7) may have a certificate store/chain issue with your certificate. Just a guess, but the dump should provide some clarity.

In any case they should review the key store for proper CA root/chain to confirm they have the proper certs on their end.

Rodrigo Murillo
    Thank you for the help! I did have them do a ColdFusion dump. Eventually we did find the issue, and it was a trust chain issue. The Java 7 client that was in use was installed at least 6 years ago now, and the trust store didn't include one of GoDaddy's CA servers (G2, if anyone is interested). The fix was to simply have them add the GoDaddy certificates to the trust store. – elevenUser Jan 29 '16 at 17:36
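
An added example, not part of the original thread: it reproduces the trust chain failure described above with the OpenSSL command line standing in for the Java trust store. A server certificate issued under a root that the client store lacks fails verification until that root is added. The CA names (Example Root G1/G2) and the host name are constructed for the example.

```shell
#!/usr/bin/env bash
# Constructed reproduction: every CA name, host name and key here is made up.
# OpenSSL's PEM bundle plays the role of the JRE's cacerts trust store.
WORK="$(mktemp -d)"

# make_root NAME: create a self-signed root CA (NAME.key / NAME.pem).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root $1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA: issue a server certificate signed by the named root.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -days 30 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# trusts STORE: succeed only if the leaf chains to a root present in STORE.
trusts() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The old client store holds only G1; the server's leaf is issued under G2.
reproduce() {
  make_root G1 && make_root G2 && make_leaf G2 || return 2
  cp "$WORK/G1.pem" "$WORK/store.pem"
  if trusts "$WORK/store.pem"; then before=trusted; else before=untrusted; fi
  # The fix from the thread: add the missing root to the client trust store.
  cat "$WORK/G2.pem" >> "$WORK/store.pem"
  if trusts "$WORK/store.pem"; then after=trusted; else after=untrusted; fi
  echo "before fix: $before, after fix: $after"
}

reproduce
```

On a Java client the equivalent store is the JRE's cacerts file, which is inspected and updated with keytool rather than by appending PEM files.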