RFC Destination HR_DE_ECORE Error: SSSLERR_PEER_CERT_UNTRUSTED
When you use the RFC destination HR_DE_ECORE to transfer eSTATISTIK.core data to the German public administration, you might run into two problems these days (August/September 2023): the old certificate that has been used until now has been changed, and the certificate that has been uploaded to the STRUST PSE in many systems is expiring. Here is my advice on how to solve or avoid both problems:
The HR_DE_ECORE RFC destination (type G, HTTP connection to external server) is not working anymore and you get the error message:
SSL handshake with core.estatistik.de:443 failed: SSSLERR_PEER_CERT_UNTRUSTED (-102) #The peer's X.509 Certificate (chain) is untrusted ##SapSSLSessionStartNB()==SSSLERR_PEER_CERT_UNTRUSTED # SSL:SSL_read() failed # => "Failed to verify peer certificate. Peer not trusted.
This is because the certificate on the server side (core.estatistik.de) has changed and is now signed by another root CA. To fix this, you first have to check which PSE is used for the RFC connection; in most cases it is called “SSL-CLIENT eSTATISTIK.core”. You can check this when you open the connection in SM59, at the bottom of the tab “Logon & Security”:
Here the PSE name is “SSL-CLIENT ECORE”, but it is possible you use the SSL-CLIENT Default PSE as well.
When you check the PSE in STRUST, it should have at least one certificate in the list, most probably starting with “CN=core.estatistik.de…” or “CN=DFN-Verein Global Issuing CA…”. These are not used anymore, and you have to delete them and upload the new ones to the PSE.
Note 3120368 – B2A: SSL client – server certificate for eSTATISTIK.core explains where you can get the new certificate: go to https://erhebungsportal.estatistik.de/Erhebungsportal/#weLtn5Yv3K6D6Wra/sicherheit-der-daten/bei-einem-einsatz-von-core and download the “core-estatistik-de.zip” file using the link on the right-hand side.
In the zip file you will find two files; you only need the file called “USERTrust RSA Certification Authority.crt”. This is the root certificate, and it is the one that should be uploaded, not the certificate used by the HTTPS server itself. Uploading the root certificate is the preferred way to handle certificates because root certificates are valid for a longer period, so you will not have to repeat this work in August 2024 when the certificate for core.estatistik.de expires again. You will only have to act if the root CA of the certificate changes, as it has this year.
After you have uploaded the new certificate and deleted the old ones, your PSE certificate list should look like this:
When you now run a connection test in SM59, it will be successful again and you will get an HTTP 200 return value.
The second problem that you might run into is an error about expiring certificates. This is the case when you have previously uploaded the certificate starting with “CN=core.estatistik.de…”. As it expires on 11.09.2023, you will be alerted if you did not remove it in the previous step when you uploaded the new certificate. It may also have been uploaded to another PSE.
You can check this by running report SSF_ALERT_CERTEXPIRE with the default option; the certificate causing the problem should then be marked red. Go to the corresponding PSE in STRUST and delete it from there.
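A pre-import check for the two points above (upload the root certificate rather than the server certificate, and watch for certificates close to expiry), as an added example that is not part of the original post or of SAP's tooling. It assumes the openssl command-line tool on a workstation; the function names and the script name `check_cert.sh` are hypothetical.

```shell
#!/bin/sh
# Added example: inspect certificate files before importing them into a
# STRUST PSE. Requires the openssl CLI; all names here are hypothetical.

# Run "openssl x509" on a file, trying PEM first and DER second,
# because a .crt file can be in either encoding.
x509() {
    _in=$1; shift
    openssl x509 -in "$_in" -inform PEM "$@" 2>/dev/null ||
        openssl x509 -in "$_in" -inform DER "$@" 2>/dev/null
}

# Print one field (subject, issuer, enddate) without its "name=" prefix.
field() {
    x509 "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[^=]*=//'
}

# Succeeds when subject and issuer are identical (self-issued, i.e. a root).
# This compares names only; it does not verify the signature.
is_root() {
    [ "$(field "$1" subject)" = "$(field "$1" issuer)" ]
}

# Succeeds when the certificate expires within DAYS days (or already has).
expires_within() {
    ! x509 "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print "<role> <validity>" for FILE; warning window DAYS defaults to 30.
check_cert() {
    x509 "$1" -noout || { echo "unreadable"; return 2; }
    if is_root "$1"; then role=root-ca; else role=not-root; fi
    if expires_within "$1" "${2:-30}"; then state=expiring; else state=ok; fi
    echo "$role $state"
}

# Usage: sh check_cert.sh "USERTrust RSA Certification Authority.crt"
for f in "$@"; do
    printf '%s: %s (subject %s, notAfter %s)\n' "$f" "$(check_cert "$f")" \
        "$(field "$f" subject)" "$(field "$f" enddate)"
done
```

A file reported as `not-root` is a server or intermediate certificate; following the advice above, the file to import is the one reported as `root-ca ok`.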
I hope this helps you to get your destination running again! Let me know if you had any problems. Or did you find this blog post when you were looking for information on how to setup the HR_DE_ECORE destination from scratch and you would like to get more information about that?