+ Start a Discussion
AndreyVolAndreyVol 

Outbound Message: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Hi,

I am looking for some help with the following:

I get the following error when attempt to send outbound message to my test server: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

- I have a real certificate installed on the server.
- I am also able to view the listener description when I point browser on my dev workstation to the test server (same URL as the endpoint specified in my O/B message).
- In the IIS log, I can see all the hits from my dev workstation, but no hits from either of SFDC IPaddresses (204.14....)

Appreciate any info that will help me understand and debug this, or at least point me in the right direction.

Thanks!
SuperfellSuperfell
I suspect you may have your endpoint configured to request a client certificate from the OM Delivery process, which is not currently supported.
colingcoling
I am getting the same error message (javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated). I have not configured the endpoint (https://....) beyond the norm, and I successfully get its response when I invoke it from my browser. I see the log entries for my browser access, but not from SFDC.

My sample php script produces the following response ($tf = true):
function respond($tf) {
         print '<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <soapenv:Body>
         <notifications xmlns="http://soap.sforce.com/2005/09/outbound">
         <Ack>' . $tf . '</Ack>
         </notifications>
         </soapenv:Body>
         </soapenv:Envelope>';
}

Any help would be much appreciated.

Thanks

Colin Goldberg

SuperfellSuperfell
Your SSL certificate chain is not verifiable given the standard set of root certificates we use. You likely have a self signed cert, which is not supported.
colingcoling
I purchased the certificate (XRamp) through my host provider (this is not a self-signed certificate). Could this be a possible issue? - ie. incompatibility with Salesforce certificate provider?

Colin Goldberg


SuperfellSuperfell
The list of valid root certs is on the Wiki, you may have a cert that's not signed by any of these, or you may have issues aroun d your server not correctly returning all the intermediate certs in the chain.
colingcoling
Thank you! I see that XRamp does not appear to be on the list, so I will be switching my certificate authority to one that is (My existing certificate is expiring soon anyway).

A related question:
As I am using PHP (5.2) for my listener, are you aware of any issues that might arise in this respect. For example, does Salesforce's certificate have any restrictions/differences in communicating with anything other than Java or .Net (even if an authority on your list - say GeoTrust - is used)? Are there specific versions of, say, curl or openssl that I would need to be fully compliant?

Many thanks for your help.

Colin Goldberg


colingcoling
Thanks to some investigation by my host provider, I am now able to receive an outbound message in my listener. For those who are following this thread, the answer for me was that XRamp - now SecureTrust - have changed their 'root certificate' to one that is compliant with SF (their previous root certificate had had 'format problems'). To quote my provider "This new format utilizes the new single Cross cert issued by Entrust to validate the certificate. Entrust is included in the list of accepted validating authorities...".

My certificate was (simply!) reissued, and is the "exact identical certificate as before with different validation".

I hope this helps anyone who may have encountered a similar problem.

Regards

Colin Goldberg



prbprb
Which certificate authority did you wind up using?  What type of cert was it? Mine is through network solutions and it doesn't work either. 
swapnil_salesfswapnil_salesf
I am also getting same exception while using SalesForce outbound message and HTTPS web service.
We are using self-signed certificate.

I have gone through this link on same forum- Outbound message error, peer not authenticated
but unable to find out the solution.

Any pointers will be really helpful.

Thanks,
Swapnil

prbprb
Salesforce doesn't support self-signed certificates yet.  Also, they have a list of approved certificate authorities that is a subset of what is typically supported in your web browser so be careful to buy the right type of cert.

Steven LawranceSteven Lawrance
As a follow-up, if you are experiencing general SSL or TLS connection issues with outbound messages, delegated authentication, or Apex callouts, please see my post at http://community.salesforce.com/sforce/board/message?board.id=general_development&message.id=19589#M19589 and see if that describes (and hopefully fixes) your issue. Thanks!
NPMNPM

Is having the endpoint configured to request a client certificate from the OM delivery process supported at this time or, if not, are there plans to support it? 

 

More directly, our service developer is asking can Saleforce OM make an authenticated call or the best way to authenticate the call is from Salesforce.  

Steven LawranceSteven Lawrance

Hi NPM,

 

As far as I'm aware, all outbound calls that go from Salesforce.com to your endpoint server will send the proxy.salesforce.com client certificate if your endpoint requests a client certificate. This includes workflow outbound messaging. It's possible to perform an exact match against the proxy.salesforce.com certificate that you can download from Setup | App Setup | Develop | API | Client Certificate.

 

If you want to ensure that the request is coming from your organization and not a random Salesforce.com customer, additional steps can be used. It is possible to send a session ID with your outbound message, and with that session ID, it's possible for your endpoint to use that session ID to call getUserInfo() on your Salesforce.com instance's API endpoint (na5-api.salesforce.com, ap0-api.salesforce.com, etc) to get the user ID and organization ID, which can both be compared against what you expect to see. If they don't equal, then either the outbound message's user changed, another user in your org is sending that message to your endpoint, or a user in another customer org is sending that message.

 

Hopefully, this helps.

 

NPMNPM
Thanks - I'll pass it on, I'm sure it will help.
Thejasvini Nagaraju0Thejasvini Nagaraju0
Hi All,

We were getting javax.net.ssl.SSLPeerUnverifiedException: SSL Peer shut down incorrectly  >>
The issue was though we had shared Certificate (self-signed) as well as WSDL from the outbound message with the third party Integration systems/applications.  while outbound messages were getting triggered from SFDC the request was going to third-party system without the SSL certificate in the request XML,  for this -  we had to go to Certificate and Key Management> API Client Certificate    -- select the certificate name 

User-added image