Saturday, November 10, 2012

ORA-29024: Certificate validation failure - again, with a twist


I love when a perfectly working application suddenly begins complaining about:

ORA-29024: Certificate validation failure 

Last year it took me a while to fix it as I had to figure out how to cope with the absence of a wallet manager on Oracle XE.
Now things were different.

I began searching OTN forums for other poor souls enduring the same hardships but it looks like I was the only one.
Curious to see how often this happens to me.

Well, I don't want to make this story longer than necessary. Initially I was misled by the fact that one of the default trusted certificates was expired, and for some reason I thought that was the cause of the problem, but it wasn't.
It turns out that at yesterday someone must have changed the SSL certification authority (or whatever it's called), and as a result the trusted certificates installed with Oracle 11gR1 no longer work when accessing servers in the domain via HTTPS from within PL/SQL procedures (using UTL_HTTP).
After a while I realized that if I could still reach those servers with Firefox, the trusted certificates shipped with Firefox must be sufficient.
Firefox's certificate viewer shows Oracle's certificate chain

After inspecting the certificate chain in use (click the lock symbol in Firefox's address bar), I exported each and every certificate in the chain in X.509 format (as single certificates, not as a chain) and then imported them into the wallet with the orapki utility, starting with the certificate at the top of the chain and working downwards. This step must be carried out on a full-fledged Oracle Database Server edition, NOT on XE, where orapki is not included.

orapki wallet add -wallet /etc/oracle/owm -trusted_cert -cert CAroot.cer
orapki wallet add -wallet /etc/oracle/owm -trusted_cert -cert COMODO.cer
orapki wallet add -wallet /etc/oracle/owm -trusted_cert -cert
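The same procedure scripted, as an added example that is not part of the original post: it splits a PEM chain bundle exported from a browser into single-certificate files, warns about expired certificates (the red herring mentioned above), and feeds them to orapki root first. Assumptions: the bundle is ordered leaf to root, as browser exports usually are; the wallet directory already exists; orapki is on the PATH of a full Oracle Database server. When orapki is missing, the commands are only printed. The certificate bodies in the sample bundle are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Split a browser-exported PEM chain into single certificates and add them
# to an Oracle wallet with orapki, root first, as the post did by hand.

# split_chain BUNDLE OUTDIR : write cert-1.pem, cert-2.pem, ... in bundle
# order (assumed leaf first) and print the number of certificates written.
split_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# cert_status CERT : prints valid, expired, unparsable, or unknown (no openssl).
# An expired entry is worth a warning, but as the post found it is not
# necessarily the cause of ORA-29024.
cert_status() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo unparsable; return 0
    fi
    if openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# import_chain OUTDIR COUNT WALLET : add cert-COUNT down to cert-1 as trusted
# certificates, i.e. the root CA first and the server certificate last.
# orapki prompts for the wallet password; without orapki this is a dry run.
import_chain() {
    outdir=$1; count=$2; wallet=$3
    i=$count
    while [ "$i" -ge 1 ]; do
        cert="$outdir/cert-$i.pem"
        if [ "$(cert_status "$cert")" = expired ]; then
            echo "warning: $cert is expired" >&2
        fi
        if command -v orapki >/dev/null 2>&1; then
            orapki wallet add -wallet "$wallet" -trusted_cert -cert "$cert"
        else
            echo "DRY RUN: orapki wallet add -wallet $wallet -trusted_cert -cert $cert"
        fi
        i=$((i - 1))
    done
}

# Demo on a constructed bundle (placeholder bodies, not real certificates).
demo_dir=$(mktemp -d)
cat > "$demo_dir/chain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER (constructed, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER (constructed, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER (constructed, not a real certificate)
-----END CERTIFICATE-----
EOF
demo_count=$(split_chain "$demo_dir/chain.pem" "$demo_dir/split")
import_chain "$demo_dir/split" "$demo_count" /etc/oracle/owm
```

After the import, copy the updated cwallet.sso and ewallet.p12 into place and bounce the database as described below; the dry-run output lists the orapki commands in the order they should be run.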

After updating cwallet.sso and ewallet.p12 and bouncing the database, my services resumed working correctly.

So far so good; in the end it took me just 4 hours to become an improvised "expert" in replacing trusted certificate chains.
Funnily enough, today it looks like access to no longer needs HTTPS (I swear yesterday it did!), while the forums still do.

I'd love to know what happened yesterday behind the curtains.



Guido Leenders said...

Thanks for your story. Oracle Wallet can be very frustrating... On I have added a summary of my experiences with it and resolutions of problems.

Guido Leenders said...

Thanks for your post. I have written a wrap-up of experiences with Oracle Wallet and solutions for problems on Hopefully it helps someone.
