marcus69
Level 9

CRLs for the certificate chain filter can not be loaded


Hello Community,

I have got a cluster of several mwg7 running [Version: 7.1.0.2.0 (10666)] and every morning the dashboard agonizes me with the following warnings on each machine:

2 of the recently updated CRLs for the certificate chain filter can not be loaded (Origin: Certificate chain filter)

I know it is just a warning and it does not bother the functionality of the mwg-cluster, but like every administrator I want to see as many green alert peaks on my dashboard as possible.

The mwg-core.errors.log shows up the following entries on that:

[2011-08-08 08:49:11.070 +02:00] [CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL for CA with digest 'b18d9d195669ba0f7829517566c25f422a277104' ('error:0408D077:rsa routines:FIPS_RSA_VERIFY:wrong signature length')

[2011-08-08 08:49:11.078 +02:00] [CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL for CA with digest 'd29f6c98befc6d986521543ee8be56cebc288cf3' ('error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag')

Unfortunately that does not help to identify the corrupted data record on the list of known certificate authorities.

It would be great if someone could help tracking down this issue to get rid of the wrong CRL URIs

Kind regards,

   Marcus

0 Kudos
1 Solution

Accepted Solutions
asabban
Level 17

Re: CRLs for the certificate chain filter can not be loaded


Hello,

"B18D9D195669BA0F7829517566C25F422A277104" should be:

Subject
Common Name (CN): VeriSign Class 3 International Server CA - G3
Organization (O): VeriSign
Organizational Unit (OU): Terms of use at https://www.verisign.com/rpa (c)10
Issuer
Common Name (CN): VeriSign Class 3 Public Primary Certification Authority - G5
Organization (O): VeriSign
Organizational Unit (OU): (c) 2006 VeriSign

"D29F6C98BEFC6D986521543EE8BE56CEBC288CF3" should be:

Subject
Common Name (CN): -
Organization (O): TC TrustCenter for Security in Data Networks GmbH
Organizational Unit (OU): TC TrustCenter Class 4 CA
Issuer
Common Name (CN): -
Organization (O): TC TrustCenter for Security in Data Networks GmbH
Organizational Unit (OU): TC TrustCenter Class 4 CA

It is expired on Jan/01/2011.

I hope this helps to identify the entries.

Best,

Andre

Message edited by asabban on 08.08.11 06:20:57 CDT
0 Kudos
32 Replies
marcus69
Level 9

Re: CRLs for the certificate chain filter can not be loaded


Hi Andre,

thanks for your quick reply. I've deleted the corresponding URIs on the list of known CAs ... we'll see tomorrow if the warnings have gone.

Is there a certain link or site on the Internet that identifies the hash values?

Regards,

   Marcus

0 Kudos
jont717
Level 12

Re: CRLs for the certificate chain filter can not be loaded


I had the same issue before.

Deleting some of the expired certificates solved the issue.

0 Kudos
asabban
Level 17

Re: CRLs for the certificate chain filter can not be loaded


Hi Marcus,

I am not aware of a current list where you can explicitly search. Most lists only list the Subject and Issuer CN etc., and you need to have a look into the details to see the SHA1 fingerprint. Luckily I have currently been working on this topic and we started to build up our own Certificate Storage, which also has the SHA1 fingerprint in a separate column of the database. Unfortunately this is available internally only, so I cannot share.

The good thing is that - with one of the next upcoming builds - you will be able to connect your MWG with this database, which means that we take care for maintaining the certificate storage. This means there is no longer need for you to manually take care of maintaining CRLs, CAs, remove expired CAs, etc.

I hope that helps.

Best,

Andre

0 Kudos
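Added example (not part of the original thread and not the vendor's code): one way to map the digests in the CannotLoadCRL log entries to CA certificates when no searchable list is at hand. It assumes the logged digest is the SHA-1 fingerprint of the DER-encoded CA certificate and that the CAs in question are available as PEM text; the function names and the sample data are hypothetical.

```python
import base64
import hashlib
import re

# Shape of the CannotLoadCRL entries quoted from mwg-core.errors.log in this thread.
LOG_RE = re.compile(r"\[CannotLoadCRL\] Cannot load CRL for CA with digest "
                    r"'([0-9a-fA-F]{40})' \('(.*)'\)")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def failing_digests(log_text):
    """Return {lowercase digest: OpenSSL error string} for each CannotLoadCRL entry."""
    return {m.group(1).lower(): m.group(2) for m in LOG_RE.finditer(log_text)}


def pem_fingerprints(pem_text):
    """Return the SHA-1 fingerprint (hex) of every certificate in a PEM bundle."""
    return [hashlib.sha1(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]


def match_cas(log_text, exported_cas):
    """Map each failing digest to (label of the matching CA or None, error).

    exported_cas: {label: PEM text}, for example one entry per exported CA file.
    Assumption: the logged digest is the SHA-1 over the DER-encoded CA certificate.
    """
    index = {fp: label for label, pem in exported_cas.items()
             for fp in pem_fingerprints(pem)}
    return {d: (index.get(d), err) for d, err in failing_digests(log_text).items()}


if __name__ == "__main__":
    # Constructed sample: placeholder bytes stand in for a DER certificate.
    der = b"constructed placeholder, not a real certificate"
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
           + "-----END CERTIFICATE-----\n")
    log = ("[CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL for CA with "
           "digest '%s' ('error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:"
           "wrong tag')\n" % hashlib.sha1(der).hexdigest())
    for digest, (label, err) in match_cas(log, {"sample-ca.pem": pem}).items():
        print(digest, label or "no match among exported CAs", err)
```

A digest that maps to None belongs to a CA that was not among the PEM files supplied.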
marcus69
Level 9

Re: CRLs for the certificate chain filter can not be loaded


Hi Andre,

well, that's good news, so we are looking forward to the next upcoming builds.

By the way, all the warnings from my first posting have been gone.

Thanks a lot for your help

Kind Regards,

   Marcus

0 Kudos
asabban
Level 17

Re: CRLs for the certificate chain filter can not be loaded


Hi Marcus,

that sounds good. Thank you for your feedback, it is always appreciated :-)

If you find the chance, do you mind setting the thread to "answered"? There should be a button somewhere to do so.

Best regards,

Andre

0 Kudos
maitane
Level 7

Re: CRLs for the certificate chain filter can not be loaded


Hi Andre!

We're having the same problem. On all 8 of our appliances the warning appears saying "1 of the recently updated CRLs for the certificate chain filter can not be loaded (Origin: Certificate chain filter)"

If I'm not wrong I should delete the expired CA, but I can't find where I should delete it.

I know this is an old and solved post, but I would appreciate it if you could guide me to remove this warning and be able to get a full green dashboard.

0 Kudos
asabban
Level 17

Re: CRLs for the certificate chain filter can not be loaded


To delete CAs you need to go to Policy -> Lists -> Certificate Authority. The lists here contain the CAs which are updated. In case you know which one to delete, just remove it from the list. In case you do not know which one causes the error, the update.log should give an identifier which I can use to determine which CA is giving the errors. Please let me know the identifier in that case and I will look it up.

Best,

Andre

0 Kudos
wollerd
Level 7

Re: CRLs for the certificate chain filter can not be loaded


Hello Andre,

Would you be so kind as to provide me with the CA that is giving me this error? 

 

[CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL for CA with digest '24ba6d6c8a5b5837a48db5fae919ea675c94d217' ('error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag')

Thank you for your assistance,

Regards,

David

0 Kudos