3241147 - "Service not available" due to missing SSL trust

When trying to access a system through an SAP Web Dispatcher, a "service not available" message is returned.

If the system is hosted on SAP HEC environment, the message can also be similar to the following:

Our service is not available at the moment. Please try again later.
We apologize for the trouble caused.

The dev_webdisp trace file has the following entries written repeatedly:

(...)
[Thr 139626725730048] *** WARNING => Failed to read group info for system [SID of backend system] (ABAP,HTTPS): Connection request to partner failed(-20) [icrxx.c      3745]
[Thr 139626725730048]   SSL_get_state()==0x2131 "TLS read server certificate B"
[Thr 139626725730048] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 139626725730048]   cli SSL session PSE "/usr/sap/[SID of Web Disp.]/[Web Disp. Instance name]/sec/SAPSSLC.pse"
[Thr 139626725730048]   session ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139626725730048]   Client SSL_CTX 7efd5c08a130 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
[Thr 139626725730048]   TLSextSNI server_name="[hostname of backend system]"
[Thr 139626725730048] secussl_read: SSL_read() failed  (536872221/0x2000051d)
[Thr 139626725730048]    => "Failed to verify peer certificate. Peer not trusted."
(...)

When accessing the Web Dispatcher Web Admin UI, the application servers of the backend have a red triangle with the message "server is not reachable: SSSLERR_CLIENT_CERT_UNTRUSTED":

The message can also be "Server is not reachable: SSL peer certificate untrusted".

• SAP NetWeaver
• ABAP Platform
• SAP Web Dispatcher

503, 503 Service not available , KBA , BC-CST-WDP , Web Dispatcher , BC-CST , Client/Server Technology , BC-SEC-SSL , Secure Sockets Layer Protocol , XX-HST-OPR , Technical Operations , Problem