Troubleshooting certificate validation errors

This topic assumes that you have followed the instructions at Generate key and certificate.

"Unable to connect" message

A client application, such as P4V, might display a message that says "Unable to connect to the server servername as user 'username'." The cause might be incorrect permissions.

To verify that the permissions are correctly set on the public and private keys in the directory specified by the P4SSLDIR environment variable:

  1. chmod 700 P4SSLDIR or chmod 500 P4SSLDIR

  2. cd P4SSLDIR

  3. chmod 600 CERT-FILE

  4. chmod 600 PRIVATE-KEY

  5. Restart the server.

  6. Test connectivity with the p4 trust and p4 info commands:

    p4 -p ssl:P4PORT trust -fy
    p4 -p ssl:P4PORT info
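
The following read-only audit is an added example, not part of the original documentation. It checks the modes that steps 1 to 4 set and reports any that differ. The function names check_p4ssldir and mode_of are assumptions made for this example, and the certificate and key file names are passed as arguments in place of CERT-FILE and PRIVATE-KEY.

```shell
#!/bin/sh
# Added example: audit the modes from steps 1-4 without changing anything.
# Usage (hypothetical): check_p4ssldir "$P4SSLDIR" CERT-FILE PRIVATE-KEY

# Print a path's permission bits in octal (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_p4ssldir DIR CERT-FILE PRIVATE-KEY
# Returns 0 when every mode matches the procedure, 1 otherwise.
check_p4ssldir() {
    dir=$1 cert=$2 key=$3 rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 1
    fi

    # Step 1: the directory must be 700 or 500 (owner only).
    m=$(mode_of "$dir")
    case $m in
        700|500) echo "ok:   $dir is $m" ;;
        *) echo "FAIL: $dir is $m, expected 700 or 500" >&2; rc=1 ;;
    esac

    # Steps 3 and 4: certificate and private key must both be 600.
    for f in "$cert" "$key"; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing" >&2; rc=1
            continue
        fi
        m=$(mode_of "$dir/$f")
        if [ "$m" = 600 ]; then
            echo "ok:   $dir/$f is $m"
        else
            echo "FAIL: $dir/$f is $m, expected 600" >&2; rc=1
        fi
    done
    return $rc
}
```

Run it as the operating system user that owns the server process, so that the result reflects what the server itself can read.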

Self-signed certificate fails

Authentication fails if a self-signed certificate is not trusted.

If you run a command similar to:

    p4 -p ssl:maria:2222 users

and the output is similar to:

    The authenticity of '10.1.10.1:2222' can't be established

try allowing the connection by using the p4 trust command:

  1. Make sure that your client is at release 2021.2 or later, so that chain certification is supported. P4V requires release 2021.4 or later.

  2. Use p4 trust if the certificate is self-signed. To determine whether a self-signed certificate is involved, capture ssl=4 trace output (see Command Tracing), and examine the Common Name (CN) values. If the "CN=" values of "subject" and "issuer" are the same, the certificate is self-signed.

Certificate chain fails validation

You can determine whether a certificate Common Name (CN) is missing. For example, if you run a command similar to:

    p4 -p ssl:maria:2222 users

and the output is similar to:

    The authenticity of '10.1.10.1:2222' can't be established,
    ...
    To allow connection use the 'p4 trust' command.
    Certificate chain failed validation.
    ... unable to get local issuer certificate, depth=1 CN = maria Root CA Intermediate issuer= CN = maria Root CA
    ...

The second CN in the message is the missing certificate. In this example, maria Root CA is missing.

If the missing certificate is an intermediate certificate, verify whether your certificate.txt contains all the intermediate certificates. For more detail on intermediates within the certificate.txt file, see Troubleshooting certificate validation errors.

If the missing certificate is the root certificate, import the missing certificate into your trusted OS store. In this example, import the maria Root CA certificate. To learn more, see Trusted Certificates and Importing Certificates in the Perforce Knowledge Base.

P4PORT does not match

If you run a command similar to:

    p4 -p ssl:maria:2222 users

and the output is similar to:

    The authenticity of '10.1.10.1:2222' can't be established,
    ...
    To allow connection use the 'p4 trust' command.
    ...
    Certificate's subject (maria.company.com) doesn't match P4PORT (maria).

  1. Alter your P4PORT so that its host value is the CN of the certificate's subject. For example, p4 -p ssl:maria.company.com:2222

  2. Obtain a new server certificate with a Subject Alternative Name that includes "maria".

  3. Use p4 trust.