Solved! Go to Solution.
If you get the error "Failed to establish chain from reply", install the issuing Certificate Authority's root and any intermediate certificates into the keystore. The root CA chain establishes the validity of the CA signature on your certificate. Although most common root CA chains are included in the bundled JVM's trust store, you may need to import additional root certificates, such as certificates belonging to a private CA. To do so:
When done importing the certificate chain, try importing the signed certificate again.
I have used below command to geneated the pair
> i have puted the alias name for SAN and CN as primary controller
keytool -genkeypair -keyalg RSA -keysize 2048 -validity 1825 -alias s1as -ext SAN=dns:Load balncer alias (example.com) -keystore keystore.jks -storetype JKS -dname "CN=priamry controller server name,OU=Test, O=XYZ, L=Country, ST=CITY, C=SE"
I have imported root certificate alereay but still getting issue
Is there anything missed by me in above command ?
just for info we have other envirment where no load balancer concept and for that it is applied successfully
Could you let us know how the LB and Controller are configured?
1) Are you terminating SSL on LB or is it SSL at LB as well as Controller?
2) After generating the CSR and getting it signed, did you import both the root and intermediate certificates in the chain?
3) Would you be able to list the contents of the Keystore and also share the logs where you see the error?
I am terminating SSL at LB and now i have applied CSR on with LB name and applied on both the HA controller Node with root certificate which is working as expected
thanks for response