SAP Knowledge Base Article - Preview

3718672 - SSSLERR_PEER_CERT_UNTRUSTED error in the Dispatcher trace file

Symptom

At least one ABAP instance of the system does not start completely.

The Dispatcher trace file (dev_disp) of the affected instance logs the following error entries:

(...)
=================================================
= SSL Initialization    platform tag=(linuxx86_64_gcc43)
=   (754_STACK patchno 600,Jul  9 2025,mt,ascii-uc, 16/64/64)
= Initialization with _no_ default credentials
=       resulting Filename = "/usr/sap/[SID]/Dxx/exe/libsapcrypto.so"
=   disabled FIPS 140-2 crypto kernel 
=   found CommonCryptoLib 8.5.59 (Dec 13 2024) [AES-NI,CLMUL,SSE3,SSSE3]
=   current UserID: "sidadm",  env-var USER="sidadm"
=   found SECUDIR environment variable
=   using SECUDIR=/usr/sap/[SID]/Dxx/sec
= [dpf] ssl/client_sni_enabled=TRUE
= [dpf] ssl/ciphersuites=135:PFS:HIGH::EC_P256:EC_HIGH
=   creating Envvar SAPSSL_CIPHERSUITES=135:PFS:HIGH::EC_P256:EC_HIGH
= [dpf] ssl/client_ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH
= Success -- SapCryptoLib SSL ready!
=================================================

SsfPkiInitSAPCryptolib: SsfSupInitEx("/usr/sap/[SID]/Dxx/exe/libsapcrypto.so")==0 (SSF_SUP_OK)
    found CommonCryptoLib 8.5.59 (Dec 13 2024) [AES-NI,CLMUL,SSE3,SSSE3]
ssfAuxGetInstancePSE: using envvar SECUDIR = /usr/sap/[SID]/Dxx/sec
SsfPkiGetInstancePSE: Instance PSE #_MemPSE_#817717830585885600000001 (cached in /usr/sap/[SID]/Dxx/sec/sap_system_pki_instance.pse)
secure communication to message server is switched on
=   Client SSL_CTX 5617735266e0 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
=   Client ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH

Fri Feb 20 14:14:07:748 2026
  SSL_get_state()==0x2131 "TLS read server certificate B"
*** ERROR in secussl_read: SSL_read() lasterr 0x2000051d
  => "Failed to verify peer certificate. Peer not trusted."
  cli SSL session PSE "#_MemPSE_#817717830585885600000001" (load=Fri Feb 20 14:14:07 2026, rcnt=0)
  SSL_CTX ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH
  Client SSL_CTX 5617735266e0 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
  server-selected SSL/TLS-version=TLSv1.2, ciphersuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256{c0,2f}
  TLSextSNI server_name="dummy-cn"
  (754_STACK patchno 600,linuxx86_64_gcc43) CommonCryptoLib 8.5.59 (/usr/sap/[SID]/Dxx/exe/libsapcrypto.so)
secussl_read: SSL_read() failed  (536872221/0x2000051d)
   => "Failed to verify peer certificate. Peer not trusted."
>> ===== SecuSSL ErrStack: =====
Peer not trusted
----- BEGIN VERIFICATION RESULT -----
 # --- Messages -----------
 ERROR: Signature error. Issuer Cert: [2B:DF:E6:B1] CN=root_SID, OU=sapstartsrv, O=SAP System PKI, C=DE. Cert: [46:1D:04:1C] CN=[SAP instance name], O=SAP System PKI, C=DE.
 # --- Summary -----------
 #01 Certificate (End Entity): VALID
  Subject:                      CN=[SAP instance name], O=SAP System PKI, C=DE
  Issuer:                       CN=root_SID, OU=sapstartsrv, O=SAP System PKI, C=DE
  Fingerprint (SHA256):         46:1D:04:1C:18:98:E9:EB:98:4D:36:4D:0C:45:C4:4B:25:FA:5B:39:9E:BE:24:E0:EA:36:87:99:13:0A:FC:EC
  Validity:                     Wed Mar 16 18:25:03 2022 / Fri Jan  1 02:00:01 2038
  PKI validation:               FAILED: Validation of dependents - Issuer Certificate (ERROR: Issuer - Bad Signature)
 #02 Certificate (Issuer):     VALID
  Subject:                      CN=root_SID, OU=sapstartsrv, O=SAP System PKI, C=DE
  Issuer:                       CN=root_SID, OU=sapstartsrv, O=SAP System PKI, C=DE
  Fingerprint (SHA256):         2B:DF:E6:B1:6A:8A:DB:44:E9:D9:91:4B:3B:67:E5:27:B5:25:67:00:69:07:E9:FF:CB:98:C8:3D:7E:90:39:0B
  Validity:                     Wed Feb 18 19:44:53 2026 / Fri Jan  1 00:00:01 2038
  PKI validation:               Succeeded
----- END VERIFICATION RESULT -----
<< =============================
  Target Hostname="dummy-CN"
  SSL SI-sock: local=10.90.2.30:51512  peer=172.27.75.176:3900
<<- ERROR: SapSSLSessionStartNB(sssl_hdl=561773529a70)==SSSLERR_PEER_CERT_UNTRUSTED
*** ERROR => NiISSLStartOnClientConn: SapSSLSessionStartNB failed (-102, SSSLERR_PEER_CERT_UNTRUSTED) [nixxi.cpp    10976]
*** ERROR => MsIAttachEx: NiBufSSLStartOnClientConn failed (NIESSL_ERROR) [msxxi.c      1592]
*** WARNING => Cannot connect to message server due to an error in the SSL layer. Check your SSL configuration. [dpMessageSer 1905]
*** WARNING => DpMsAttach: failed to attach to Message Server (rc=-43) [dpMessageSer 1926]
***LOG Q0L=> DpLoopInit, nomscon () [dpInit.c     4099]
*** ERROR => DpTriggerMsAttach: Attach to Message Server failed [dpInit.c     4100]
(...)


Read more...

Environment

  • SAP NetWeaver ABAP based system
  • ABAP Platform based system
  • Secure Internal Server Communication is active ("system/secure_communication = ON")

Product

ABAP platform all versions ; SAP NetWeaver all versions

Keywords

SSSLERR_PEER_CERT_UNTRUSTED, system/secure_communication, Peer not trusted , KBA , BC-CST-STS , Startup Service , BC-CST , Client/Server Technology , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.