Certification error on TMS using TLS.
We are receiving the following error message on TMS when trying to replicate using TLS.
'(400) Certificate Validation Error : TLS connection failure: _ssl.c:484: The handshake operation timed out'
There are no firewall ports with timeouts configured and on both the TCP dump from the VCS and the trace on TMS we can see the 3 way handshake taking place. Both TMS and VCS can communicate but this error message occurs.
The VCS was swapped out and configured. Could this possibly be the Windows server storing the certificate from the previous VCS and using that for the TLS, thus causing TMS not to recognise the certificate the VCS has and causing an error on the encryption?
HTTP traffic has been blocked on the firewall so when we turned TLS off we were unable to get replication up.
Has anyone seen this issue before? And if so, did purging the certificate from the Windows server work?
I look forward to your replies.
Sounds like a fun issue :)
It could be many things. Were you using trusted certs before? Do we know it's even related to the certs? Do you have cert validation enabled? If not, you should be able to test with a self-signed one (can you access TMS with https in different browsers?).
Anyway it might be better with a TAC case on this particular issue.
Sent from Cisco Technical Support iPhone App
- One thing to try is to delete the self-installed certificates from the Windows server and re-install them (so you know the expired ones are not playing any role in causing this problem).
- Enable the verification of the certificate before you installed them.
- Make sure the intermediary certificate authorities up to your root certificate authority are installed.
Which version of TMS and VCS are you using?
The VCS that is currently installed came from Cisco with x7.2,1. I downgraded to x7.1 before installing (so as to be on the same revision as the rest of the VCS group), although I think there are some security upgrades in the later version. Interestingly, the device SSL cert as seen via a browser for this particular VCS is set to expire next month (11/3/2013), whereas the certs from other VCS devices I have just checked do not expire until 2029.
I have been looking to see if there is a way to regenerate a VCS set of keys, however, I have been unable to find anything.
I am getting the same error with VCS (7.2.1) and TMS (14.1.1). What was the solution for this problem?
(400) Certificate Validation Error: TLS connection failure: [Errno 1] _ssl.c: 504: error: 14090086: SSL routines: SSL3_GET_SERVER_CERTIFICATE: failed Verify certificate
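Added example, not part of any post in this thread and not a Cisco procedure: a throwaway lab chain built with the `openssl` CLI that shows two checks raised above, a verification failure when the intermediate CA is missing and a certificate that is close to expiry. It assumes `openssl` is installed; all certificate names and function names are constructed for illustration, and nothing here touches TMS or the VCS.

```shell
#!/bin/sh
# Constructed lab PKI: root -> intermediate -> leaf, all valid for 30 days.

make_chain() {  # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -subj "/CN=constructed-$n.example" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -set_serial 3 -days 30 -out "$d/leaf.crt" 2>/dev/null || return 1
}

# Verifier trusts only the root and is not given the intermediate.
verify_root_only() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Same trust anchor, but the intermediate is available for path building.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" \
    "$1/leaf.crt" >/dev/null 2>&1
}

# Succeeds only if the certificate is still valid $2 seconds from now.
still_valid_after() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

lab=$(mktemp -d) && make_chain "$lab" || exit 1
verify_root_only "$lab" || echo "root only: verification fails (intermediate missing)"
verify_with_intermediate "$lab" && echo "root + intermediate: verification OK"
still_valid_after "$lab/leaf.crt" 5184000 || echo "leaf expires within 60 days"
rm -rf "$lab"
```

The same `openssl x509 -noout -checkend` and `openssl verify` calls can be pointed at an exported copy of a real device certificate and its CA files.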