We recently replaced an expiring PEM certificate on our VA. We are now seeing an issue with TLS connectivity between the SailPoint VA and the Domain Controller: “unable to verify the first certificate”.
Please try the approach below to troubleshoot the issue:
Check from the VA whether you can send a request to the target source and receive a response (e.g. with telnet or traceroute).
Ensure that the correct AD DC certificate has been imported into the VA certificates folder. Verify that it is a valid certificate before putting it on the VA:
Perform a test connection on port 636 with the intended certificate in an LDAP browser. If the SSL test connection succeeds, the certificate is from the correct domain and you can import it into the certificate folder on the VA server.
Ensure that the imported certificate has the correct hostname as per the IQService hostname. Below screenshot for your reference:
Import the full certificate chain (root + intermediate + server) into the VA’s truststore and restart the Connector Gateway:
On the VA, copy your PEM-encoded certificates into /home/sailpoint/certificates (this directory is where the VA automatically imports source certificates).
Restart the Connector Gateway:
```bash
sudo systemctl restart ccg
```
Verify in /home/sailpoint/log/ccg-start.log that the VA has successfully imported the cert files.
This ensures the VA trusts the domain controller’s entire chain and resolves the “unable to verify the first certificate” error.