javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from oracle.test.com – xx.xxx.xx.xx. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
<WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake>javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:849) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
The above exceptions are the most common exceptions encountered during the setup of Weblogic Server in an environment. The stack does suggest what could be the reasons but the diagnostics are not mentioned.
To debug this issue, first we need to check the certificates used by Admin Server and the Node Manager. If we have Admin and the Node Manager using demo certificates, then the issue can be due to improper DNS mapping. We can use the nslookup to check the DNS entry. For testing purpose we can provide the ip address as the listen address for the admin server and the node manager and see if the issue is still occurring.
Also we will have to turn of host name verification and the basic validation check of the certificates. We can do it by specifying the following flag in startWeblogic.sh
-Dssl.debug=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off
And the following flag in startNodeManager.sh
-Dssl.debug=true -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Dweblogic.security.SSL.enforceConstraints=off
If the Admin Server is using Custom Identity and Custom trust, then its better to configure the node manger with custom identity and custom trust as well.
By default the Node Manager is configured with Demo Identity and Demo Trust. To change it to custom identity and custom trust, we need to specify the following values in the nodemanager.properties file present in nodemanager home
CustomIdentityKeyStorePassPhrase = xxxxxx
CustomIdentityKeyStoreType = JKS
CustomIdentityPrivateKeyPassPhrase = xxxxxxx
Apply the same flags as above in the startup script of Admin Server and Node Manger.
Check from the console whether Node Manager is reachable or not.
Another option can be to use PLAIN communication between Admin Server and Node Manager.
We can change the Listen Type to PLAIN for the Node Manager from the console and set the secureListener=false in the nodemanager.properties file present in nodemanager home.