Install intermediate CA certificate

Summary: You may need to install an intermediate CA certificate into the GSA if you encounter any of the following:

  • In Index > Diagnostics > Index Diagnostics, you see either of the following error messages:
    • Excluded: Unhandled protocol.
    • Error: Cookie Manager failed please contact Google Support.
  • In Content Sources > Diagnostics > Real-time Diagnostics, you see either of the following error messages:
    • Fetch completed. State of the url is unhandled_protocol.
    • Error fetching cookies: Couldn't fetch [URL]. Final : Error since no cookies were generated
    • Fetch completed. State of the url is cookies_failure.
  • You are unable to submit feeds to the GSA, and you cannot connect to TCP ports 19900 and 19902.

Cause: This happens because the SSL library that the GSA uses is unable to verify that the GSA's SSL certificate is valid without the appropriate CAs.

Fix: Follow these steps to install the certificate that signed the GSA's certificate in Administration > Certificate Authorities:

  1. Determine the CA certificate that signed the GSA's SSL certificate. This can be done many different ways:
    1. Download the complete certificate chain.
      1. Using openssl,
        1. Run the command openssl s_client -connect gsa-hostname:443 -showcerts
        2. In the certificate chain section, look for the second certificate (which is number "1"). The certificate text that you need in step 2 is all the text between the BEGIN CERTIFICATE and END CERTIFICATE lines, including those two lines. Check out this troubleshooting document to see an example of the openssl output.
        3. If there is no second certificate, then use option b below.
      2. Use your web browser (instructions here are for Google Chrome, but Internet Explorer and Firefox will have similar steps):
        1. Go to https://gsa-hostname:8443/ in your web browser.
        2. Click on the lock icon in the address bar and examine the certificate.
        3. Under the Details tab, choose the second to last certificate in the Certificate Hierarchy, and click the Export... button to save the file on your computer. Proceed to step 3, and use this exported file as the text file.
    2. Ask the person or company that signed the GSA's SSL certificate for a copy of the intermediate CA certificate that signed it.
  2. Create a text file containing just that CA certificate.
  3. Upload that text file in Administration > Certificate Authorities by clicking on the button to Add more Certificate Authorities, and click Save Settings.

Versions affected: 7.0.14, 7.2.0, 7.4.0, 7.6.0

Was this helpful?
How can we improve it?