
Troubleshooting Certificate Errors

Error messages may be caused by different issues

Error messages in this topic might be caused by issues other than certificate errors.

If you have enabled agent or broker certificate validation, then you must:

  • Install properly constructed, CA-signed certificate files to the agents and/or the broker.
  • Import the appropriate CA-signed certificate into the keystore the PCoIP Connection Manager uses.

If the PCoIP Connection Manager receives an invalid certificate or is unable to establish trust of the certificate, users get one of the following error messages:

| Error Message | Possible Cause |
| --- | --- |
| Connection to the broker lost | Occurs on connection to the PCoIP Connection Manager when the PCoIP Connection Manager cannot validate the certificate from the connection broker. |
| Command failed due to a PCoIP agent failure | Occurs after authentication when selecting a resource to connect to, when the PCoIP Connection Manager cannot validate the certificate from the PCoIP agent. |

In addition to the previous error messages, the PCoIP Connection Manager writes an error message in the log file when a certificate validation failure occurs. The following table describes some of the exceptions that the PCoIP Connection Manager may log during certificate validation.

| Exception | Message | Possible Cause |
| --- | --- | --- |
| CertificateException | The certificate presented by the server does not meet minimum key length requirement. | The key length of the leaf certificate presented by the broker or agent is less than the BrokerCertMinKeyLength or AgentCertMinKeyLength setting in /etc/ConnectionManager.conf. |
| CertificateException | No subject alternative DNS name matching found. | The Subject Alternative Name attribute in the leaf certificate presented by the broker or agent does not match the host name of the broker or agent. If the Subject Alternative Name attribute is not present in the leaf certificate presented by the broker or agent, then the Common Name (CN) field of the certificate's Subject does not match the host name of the broker or agent. |
| CertificateExpiredException | NotAfter: | The timestamps of a certificate in the chain presented by the broker or agent indicate the certificate has expired. |
| CertificateNotYetValidException | NotBefore: | The timestamps of a certificate in the chain presented by the broker or agent indicate the certificate is not yet valid. |
| CertPathValidatorException | Basic constraints check failed: this is not a CA certificate. | Either the root CA certificate or one of the intermediate CA certificate files in the chain presented by the broker or agent has not been authorized as a CA certificate – the CA Boolean of the certificate's Basic Constraints attribute has not been specified or is not 'true'. |
| CertPathValidatorException | Signature check failed. | The signature of a certificate in the chain presented by the broker or agent does not match the content of the certificate – the content or signature may have been tampered with. |
| SunCertPathBuilderException | Unable to find valid certification path to requested target. | One or more certificate files are missing from the chain presented by the broker or agent. Neither the root CA certificate nor any of the intermediate CA certificates in the chain presented by the broker or agent are present in the keystore. Either the root CA certificate or one of the intermediate CA certificate files in the chain presented by the broker or agent has not been authorized for signature verification – the keyCertSign bit has not been set in the certificate's Key Usage attribute. |
| ValidatorException | Extended key usage does not permit use for TLS server authentication. | The Extended Key Usage attribute of the leaf certificate presented by the broker or agent is present but does not specify the Server Authentication purpose. |
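
Several of the leaf-certificate failures in the table (key length, host name match, expiry, Extended Key Usage) can be checked with OpenSSL before a certificate is installed on a broker or agent. The script below is an added example, not part of the original documentation or of the PCoIP Connection Manager; the function names, the host broker.example.test and the minimum key length passed as an argument are assumptions, and the sample certificate needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Pre-flight checks for a broker or agent leaf certificate, mirroring the
# leaf-level rows of the table. Prints one finding per line; status 1 if any.
check_leaf_cert() {  # usage: check_leaf_cert <cert.pem> <host name> <min key bits>
    cert=$1; host=$2; min_bits=$3; rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "cannot parse $cert as an X.509 certificate"; return 2; }

    # Key length; min_bits is the caller's copy of BrokerCertMinKeyLength or
    # AgentCertMinKeyLength from /etc/ConnectionManager.conf.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "key length ${bits:-unknown} is below minimum $min_bits"; rc=1
    fi

    # Host name against the SAN DNS names; OpenSSL falls back to the Subject CN
    # only when the certificate carries no SAN DNS name.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "no SAN/CN match for host name $host"; rc=1
    fi

    # -checkend 0 exits non-zero when NotAfter is already in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired (NotAfter)"; rc=1
    fi

    # EKU is a finding only when present without Server Authentication.
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    case $eku in
        '' | *'TLS Web Server Authentication'*) ;;
        *) echo "Extended Key Usage lacks Server Authentication"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input: a throwaway self-signed 2048-bit RSA certificate
# for the hypothetical host broker.example.test, with the EKU given in $2.
make_demo_cert() {  # usage: make_demo_cert <out.pem> <serverAuth|clientAuth>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 30 -subj "/CN=broker.example.test" \
        -addext "subjectAltName=DNS:broker.example.test" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_cert "$demo/leaf.pem" clientAuth
check_leaf_cert "$demo/leaf.pem" broker.example.test 2048 || true
rm -rf "$demo"
```

The not-yet-valid case and the chain-level rows (Basic Constraints, keyCertSign, signature check, missing certification path) are not covered here; they depend on the CA certificates and on the contents of the keystore.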