SSL Client Throws Exception "ERR_BAD_SSL_CLIENT_AUTH_CERT" (Doc ID 2287049.1)

Last updated on JULY 18, 2017

Applies to:

Oracle WebLogic Server - Version 12.2.1.2.0 and later
Information in this document applies to any platform.

Symptoms

The client throws "ERR_BAD_SSL_CLIENT_AUTH_CERT" when requesting an application page after two-way SSL has been configured by following KM Note 1237334.1.

The server certificate is signed by a trusted root CA. The client certificate is signed by a self-signed CA created by certgen.sh. Both the self-signed CA and the client certificate are imported into the WebLogic Server's trust store, and "Client Certs Requested and Enforced" is set on the WLS managed server.


Exception on the server side:

ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-94, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', SEND TLSv1.2 ALERT: fatal, description = bad_certificate
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', WRITE: TLSv1.2 Alert, length = 2
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', called closeOutbound()
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', closeOutboundInternal()
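The server trace above can be triaged mechanically. The following is an added example, not part of the Oracle note or of WebLogic: it pairs each JSSE "fatal error" line with the alert sent on the same thread and flags the "null cert chain" case, which JSSE raises when client authentication is required and the client's Certificate message was empty. The function name `triage` and the alert subset are choices made for this example; the sample lines are copied from the trace above. It shows that no certificate reached the server, not why the client withheld it.

```python
import re

# TLS alert numbers from RFC 5246 section 7.2 (certificate-related subset).
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

# Sample input: lines copied from the server-side trace in this note.
SAMPLE = """\
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-94, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', SEND TLSv1.2 ALERT: fatal, description = bad_certificate
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
"""

THREAD = r"ExecuteThread: '(?P<thread>\d+)' for queue: '(?P<queue>[^']+)', "
FATAL = re.compile(THREAD + r"fatal error: (?P<code>\d+): (?P<reason>.+)$")
SENT = re.compile(THREAD + r"SEND (?P<proto>\S+) ALERT: +(?P<level>\w+), description = (?P<desc>\w+)")

def triage(text):
    """Return one finding per fatal handshake error, keyed by (thread, queue)."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FATAL.match(line)
        if m:
            code = int(m["code"])
            findings[(m["thread"], m["queue"])] = {
                "alert": ALERTS.get(code, f"alert_{code}"),
                "reason": m["reason"],
                # True when the peer's Certificate message carried no certificates.
                "client_sent_no_cert": m["reason"] == "null cert chain",
                "alert_sent": None,
            }
            continue
        m = SENT.match(line)
        key = m and (m["thread"], m["queue"])
        if key in findings:  # attach the alert to the error raised on that thread
            findings[key]["alert_sent"] = (m["proto"], m["level"], m["desc"])
    return findings

if __name__ == "__main__":
    for (thread, queue), f in triage(SAMPLE).items():
        print(f"thread {thread} ({queue}): {f['alert']} / {f['reason']} "
              f"/ no client cert: {f['client_sent_no_cert']} / sent: {f['alert_sent']}")
```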

 

Exception on the client side:

Message shown in the browser:    ERR_BAD_SSL_CLIENT_AUTH_CERT

Log:

javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Software caused connection abort: recv failed
......
Caused by: javax.net.ssl.SSLException: java.net.SocketException: Software caused connection abort: recv failed
......
Caused by: java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)

Cause
