Error connecting to 'www.e-conomic.com' on port '443', SSL

Question

A week ago our code that pushes data from our application to e-conomic by using e-conomics Java API worked great (creating a cashBookEntryDataArray with transactions from JavaAgent in Domino).

But now I get the following error:
Error connecting to 'www.e-conomic.com' on port '443', SSL invalid certificate, may need to cross-certify.

I think I got the same error some weeks ago but then it suddenly worked.... great..., but now it does not work again. My admin teels me that the only change that has been made was a restart of server and nothing else.

Does anyone has an idea on how to problem solve this? Where can I find the right certificate files? Should something be changed on the consumer-site or on the server-side? And has anything been changed on provider side?

More error details was added below:

24-06-2011 13:24:10   Agent Manager: Agent  error: WebServiceEngineFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
 faultSubcode:
 faultString: Error connecting to apos;www.e-conomic.comapos; on port apos;443apos;, SSL invalid certificate, may need to cross-certify.
 faultActor:
 faultNode:
 faultDetail:
24-06-2011 13:24:10   Agent Manager: Agent  error: Error connecting to 'www.e-conomic.com' on port '443', SSL invalid certificate, may need to cross-certify.
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.InternalFault.makeFault(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.transport.http.HTTPSender.invoke(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.strategies.InvocationStrategy.visit(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.SimpleChain.doVisiting(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.SimpleChain.invoke(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.client.AxisClient.invoke(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.client.Call.invokeEngine(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.client.Call.invoke(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.client.Call.invoke(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.client.Call.invoke(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.client.Call.invoke(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.websvc.client.Call.invoke(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at com.e_conomic.EconomicWebServiceSoapStub.connect(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at JavaAgent.NotesMain(JavaAgent.java:51)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.AgentBase.runNotes(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.NotesThread.run(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error: Caused by:
24-06-2011 13:24:10   Agent Manager: Agent  error: Error connecting to 'www.e-conomic.com' on port '443', SSL invalid certificate, may need to cross-certify.
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.transport.http.NotesSocket.init(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     at lotus.domino.axis.transport.http.HTTPSender.getSocket(Unknown Source)
24-06-2011 13:24:10   Agent Manager: Agent  error:     ... 15 more
24-06-2011 13:24:10   Agent Manager: Agent printing: Economic error:

Answer 1

We've experienced a similar problem over that last week or so that seems to be caused by a failure to verify the validity chain for the new e-conomic certificate.
Our workaround for now was to explicitly import the new e-conomic certificate in the Java keystore.
Ideally, the validity should flow from the chain beginning with the GlobalSign CA cert., but the e-conomic cert is signed by a very recent root certificate that is not yet part of many platforms (some JVMs included).
We'll probably add the new GlobalSign root certs to our JVM store going forward, and this is probably the right solution for you as well.

Answer 2

Thank you for your reply  

We have been working with the certificate problem for a while and now it is working again   . Our solution at the moment was to create the certificates locally with the server-id and then copy it back to the domino server adressbook. It seems like the real error was the root-certificate newer was created correctly. We hope and expect that this will work stable from now on... If not.. we will probably try to put it into the Java key ring or something... somehow like you suggested.

Answer 3

Hi both,

You're right - our new certificate has been causing problems for some Java integrations because of the load order. Great to see that you've both found workarounds.    

We're working hard on solving this issue and re-establish the correct load order. When we do that, you need to go back to the old way of validating, otherwise you may experience problems again.

We'll let you konw in due time before this change on our TechTalk blog - http//techtalke-conomiccom/.

Answer 4

An update on this:

We'll re-establish the correct load order of the certificates on Friday, 29 July at 10:30 PM CET. Please remember to change back to your old validation method at this point.

If any changes to this, we'll let you know on our TechTalk - http//techtalke-conomiccom/ blog.

Answer 5

We have now re-established the correct original certificate load order, and all certificate issues should now be resolved. For those of you with an integration solution, this means that you need to switch back to your old certificate validation method to be sure to avoid any issues.

We apologize for any inconvenience.

Tue Skaarup
e-conomic international a/s