"Certificate Authority is invalid or incorrect" error in scheduled agent

Hello - The following code runs successfully on a desktop PC with the Notes 5 or 6 client if run manually or set up to run on a schedule locally. Desktop has Windows XP, IE 6.X and the correct internal certificate exists on the PC needed for the https request to be successful.

When this agent is set to run on a schedule on the server, this error is received: “msxml4.dll: The certificate authority is invalid or incorrect.”

The internal organization certificate is installed on the server per our Administrators. They did have to install the msxml4.dll because the server only had msxml2.dll. Our Admins added the certificate to the keyring file, added it to the control panel/internet options as a trusted root certificate, server rebooted, but this error persists.

If the scheduled agent makes the request to a non-SSL port on the other server, it works successfully.

Domino Server is version 6.5.3, OS is Windows 2000 and it has IE v5.0.

Snippet of code making the HTTPS request:

    ' Create the MSXML 4.0 server-side HTTP object
    Set objHttp = CreateObject("MSXML2.ServerXMLHTTP.4.0")
    url = |https://internalURL|
    request = |<?xml version="1.0" encoding="ISO-8859-1" ?>|
    ' Synchronous request (third argument False) with credentials
    objHttp.open "GET", url, False, "username", "password"
    objHttp.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
    objHttp.send(request)

Any suggestions or ideas are greatly appreciated.

Thanks!

Subject: “Certificate Authority is invalid or incorrect” error in scheduled agent

Tracy, there are a few things that you need to be aware of for SSL certificates to work.

On the client you have a MS Certificate store which should hold both the CA certificate and the server certificate. A version of the server certificate is imported into your Domino server via the keyfile.kyr file.

When you work locally on the client, you check the certificate against the MS certificate store and not the external server at your end. When it gets to the server, it checks its certificate store with the presented certificate; if they match, you are granted access.

Working from the Domino server, however, it is a different story: you initiate an SSL certificate from the Domino server according to the keyfile.kyr file. The other server now checks this certificate; if it is OK, it lets you through.

The bottom line is that the certificate generated by your Administrators (or the certificate needed by msxml2.dll) is bad.

Regards

Rolf Pfotenhauer

Subject: RE: “Certificate Authority is invalid or incorrect” error in scheduled agent

Thanks Rolf for your response and confirming the Domino server does not use the certificate store for SSL connections to another server.

Our Admins said they have added the required internal certificate to the keyfile.kyr. Is there any way I can verify that visually from a user/developer perspective (i.e. look for some entry in the FRS Address book?)

Is there any code I can write in an agent to examine the contents of the keyfile.kyr file itself?

Is a good test to hit the HTTPS URL in the IE browser on the server directly or is that a client-client (using certificate store) connection instead of a server to server (keyfile.kyr)?

Thanks for your help!

Tracy
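
An added example, not code from any post in this thread: a diagnostic agent that makes the same ServerXMLHTTP request over HTTP and HTTPS, leaves certificate validation on, and prints the context the agent runs in together with the reason each request failed. The two URLs are hypothetical placeholders, and the ProbeUrl helper is introduced here for illustration.

```lotusscript
' Added diagnostic sketch. HTTP_URL and HTTPS_URL are placeholders,
' not values taken from the thread.
Const HTTP_URL = "http://internal.example/service"
Const HTTPS_URL = "https://internal.example/service"

Sub Initialize
	Dim session As New NotesSession
	' Record where and as whom the agent runs: a scheduled agent runs in
	' the server's process, not in the desktop user's Windows session.
	Print "OnServer=" & Cstr(session.IsOnServer) & " EffectiveUser=" & session.EffectiveUserName
	Print "HTTP : " & ProbeUrl(HTTP_URL)
	Print "HTTPS: " & ProbeUrl(HTTPS_URL)
End Sub

' ProbeUrl is a hypothetical helper: it sends one GET and returns a
' one-line description of the outcome instead of raising the error.
Function ProbeUrl(url As String) As String
	Dim objHttp As Variant
	On Error Goto failed
	Set objHttp = CreateObject("MSXML2.ServerXMLHTTP.4.0")
	Call objHttp.open("GET", url, False)
	Call objHttp.send()
	ProbeUrl = "reached server, HTTP status " & Cstr(objHttp.status)
	Exit Function
failed:
	' Certificate validation stays enabled; only the reason is reported.
	If Instr(Lcase(Error$), "certificate") > 0 Then
		ProbeUrl = "TLS trust failure (" & Error$ & ")"
	Else
		ProbeUrl = "other failure " & Cstr(Err) & " (" & Error$ & ")"
	End If
	Exit Function
End Function
```

Run once manually from the client and once on schedule on the server, then compare the two sets of Print output; on the server the lines go to the server console and log.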