SAP Knowledge Base Article - Preview

3452023 - Cloud to on-premise connection to ABAP backend system or SAP Web-dispatcher fails due to certificate_unknown.

Symptom

  • Cloud to on-premises connection to ABAP backend system or SAP Web-dispatcher fails due to certificate_unknown.
  • Further in the ljs_trace.log (<2.17)/scc_core.trc (>=2.17): -
     #ERROR#com.sap.core.connectivity.tunnel.core.impl.processing.channel.AbstractChannel.ChannelWriteFutureListener#tunnel-client-53-3#0x268f8a75#Write operation FAILED for payload message packet with size 0 for [id: 0xb2713b92, L:/xx.xx.xx.xx:21036 - R:<hostname of ABAP backend/WDP>/xx.xx.xx.xx:44300]. Cause: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown. Tunnel id: account:///....

2024-04-02 06:03:59,938 +0000#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpResponseStateHandler#tunnel-client-53-3#0x268f8a75#Http error occurred, switching state to FAILING
2024-04-02 06:03:59,938 +0000#DEBUG#com.sap.core.connectivity.protocol.http.handlers.HttpRequestStateHandler#tunnel-client-53-3#0x268f8a75#Http error occurred, switching state to STARTING
2024-04-02 06:03:59,938 +0000#DEBUG#com.sap.core.connectivity.spi.processing.OutboundConnectionErrorHandler#tunnel-client-53-3#0x268f8a75#Protocol processing error:
com.sap.core.connectivity.protocol.http.handlers.HttpProtocolException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at com.sap.core.connectivity.protocol.http.handlers.HttpProtocolClientCodec.exceptionCaught(HttpProtocolClientCodec.java:83)
    at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:346)
    at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:325)
    at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:317)
    at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireExceptionCaught(CombinedChannelDuplexHandler.java:424)
    at io.netty.channel.ChannelHandlerAdapter.exceptionCaught(ChannelHandlerAdapter.java:92)
    at io.netty.channel.CombinedChannelDuplexHandler$1.fireExceptionCaught(CombinedChannelDuplexHandler.java:145)
    at io.netty.channel.ChannelInboundHandlerAdapter.exceptionCaught(ChannelInboundHandlerAdapter.java:143)
    at io.netty.channel.CombinedChannelDuplexHandler.exceptionCaught(CombinedChannelDuplexHandler.java:231)
    at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:346)
    at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:325)
    at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:317)
    at io.netty.channel.ChannelInboundHandlerAdapter.exceptionCaught(ChannelInboundHandlerAdapter.java:143)
    at com.sap.core.connectivity.spi.upgrade.UpgradeChannelHandler$FlowControlHandler.exceptionCaught(UpgradeChannelHandler.java:476)
    at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:346)
    at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:325)
    at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:317)
    at io.netty.handler.ssl.SslHandler.exceptionCaught(SslHandler.java:1115)
    at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:346)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:447)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:838)
Caused by: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
    ... 15 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:364)
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:203)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:155)
    at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:597)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:552)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:418)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:397)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:297)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1353)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1246)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1295)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
    ... 17 common frames omitted


Read more...

Environment

  • SAP Cloud Connector release independent.

Keywords

CC, SCC, scc, Cloud connector, https, connection, certificate_unknown, client authentication, system certifcate, strust, cc, scc, cloud connector, principal propagation, Subject DN, Issuer, SAN, Subject Alternative Names, no trust, logon, Reject untrusted forwarded certificate, icm/server_port*, Unauthorized, HttpCertIsReverseProxyTrustworthy, intermediary is NOT trusted, trusted_reverse_proxy,  , KBA , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.