| Applies To | |||
| Product(s): | SELECTserver | ||
| Version(s): | N/A | ||
| Environment: | N/A | ||
| Area: | N/A | ||
| Subarea: | N/A | ||
| Original Author: | John Lee, Bentley Technical Support Group | ||
Overview:
In the use case, the deployed SELECTserver running transmitting log encounters the following message.
Data Update Service - WARNING with status code 2 - service start time: - An error occurred retrieving the license
from Bentley.com: - A server certificate could not be validated.
Problem Description
"A server certificate could not be validated" error for Data Update Service and Request/Update License
The same issue may affect SELECTserver (SS) Gateway only against hosted, in this case in SS GW log:
Error checking SELECTserver (SS) version: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
This happens only if SS or SS GW is configured to talk with bentley.com in HTTPS.
Solution
This may happen when user's system does not trust the Certification Authority that issued *.bentley.com certificate (for
example a system that has not been updated for a long time as the list of Certification Authorities is being kept up-to-date by Windows Update).
To resolve use Windows Update or manually install the Certification Authority's (that issued certificate for Bentley)
certificate into the Trusted Certification Authorities Store on the SS or SS GW machine (for the computer) follow the steps below.
Using the Root Certificates [March 2011] (KB931125) from www.google.com/url Comodo CA:
The comodo CA (and its parent CA AddTrust/USERTrust) is widely known/trusted, so most likely affected users may
simply be able to run windows updates and/or browser updates to get the proper CA certificates installed.
Users could also download and manually install the CA certificate from comodo onto the affected SELECTServer as follows:
Part 1 - download the CA certificates from comodo.com
1) use a web browser to navigate to http://support.comodo.com
2) click on Downloads in the top section of the page
3) click on Root & Intermediate Certificates at the top left of the page
4) click on InstantSSL/EnterpriseSSL/IntranetSSL at the top right of the page
5) click on AddTrustExternalCARoot at the top of the page
6) click on the Download button, save the AddTrustExternalCARoot.crt file to disk
7) click Back in the browser
8) click on Comodo High-Assurance Secure Server CA near the top of the page
9) click on the Download button, save the COMODOHigh-AssuranceSecureServerCA.crt file to disk
Part 2 - install the CA certificates to local machine
1) open a blank MMC - click on Start menu> Run > type MMC <enter>
2) click File > Add/Remove Snap-in, click Add
3) click the Certificates snap-in, click Add
4) choose Computer Account certificate store, click Next/Finish
5) expand the Certificates snap-in, right-click on Trusted Root Certification Authorities, click All Tasks >Import
6) in the Certificate Import Wizard, click Next and Browse to the location where the AddTrustExternalCARoot.crt file is
saved (from Part 1, step 6 above)
7) select Automatically select the certificate store based on the type of certificate, click Next/Finish
8) expand the Certificates snap-in, right-click on Trusted Root Certification Authorities, click All Tasks > Import
9) in the Certificate Import Wizard, click Next and Browse to the location where the COMODOHigh-AssuranceSecureServerCA.crt file is saved (from Part 1, step 9 above)
10) select Automatically select the certificate store based on the type of certificate, click Next/Finish
after completing the above process, restart the SELECTServer.
The installercertificate zip file can be found at: