SSL Troubleshooting
Use these steps to fix common SSL issues on Turbo Server.
Portal Has Limited Functionality After Installing Certificates
Problem
- You cannot sign in to the portal or launch applications after installing SSL certificates. Portal logs show errors such as:
[ERROR] default - Failed to load JWT public key: Error: self signed certificate in certificate chain
[ERROR] default - Failed to authenticate: self signed certificate in certificate chain
Or:
[ERROR] default - Failed to authenticate: {User} unable to verify the first certificate
Solutions
- If the certificate is self-signed, install the root certificate into the Trusted Root Certification Authorities store on both Hub and Portal servers.
- If the certificate requires an intermediate, install it into the Intermediate Certification Authorities store on both servers.
- If you see "unable to verify the first certificate", validate the chain with OpenSSL:
> openssl s_client -showcerts {hubserverhost}:443
CONNECTED(00000005)
depth=0 CN = hubserverhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = hubserverhost
verify error:num=21:unable to verify the first certificate
verify return:1
The error can be further validated using ssllabs.com. Expand the certification paths section to see which certificate is missing, then request the correct chain. Convert .p7b chain files to .crt with:
openssl pkcs7 -print_certs -in old.p7b -out new.crt
Portal Does Not Load Web Pages After Installing Certificates
Problem
- The portal fails to load and proxy-apache.log shows PEM format errors such as:
[ssl:emerg] [pid 2828:tid 1084] AH02561: Failed to configure certificate ...
[ssl:emerg] [pid 2828:tid 1084] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line ...
AH00016: Configuration Failed
Solutions
- Convert DER-encoded certificates to PEM with:
openssl x509 -inform der -in certificate.cer -out certificate.crt
Problem
- The portal fails to load because the key file is encrypted; logs show errors such as:
[ssl:emerg] [pid 1976:tid 1108] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 ...
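[ssl:emerg] [pid 1976:tid 1108] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Solutions
- Remove the encryption from the key file. The resulting key.key is stored unencrypted, so restrict file permissions on it to the account that runs the server:
> openssl rsa -in encrypted-key.key -out key.key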
Admin Portal Does Not Load After Installing Certificates
Problem
- Accessing the Admin portal shows "The remote certificate is invalid according to the validation procedure."
Solutions
- Confirm the certificates match the configured Internal Web Service Root URL and are not expired.
- Ensure certificates are trusted by Windows and that the full chain is installed.
- Temporarily switch to HTTP to restore access and correct the configuration:
cd "C:\Program Files (x86)\Turbo Server"
Server.exe admin --server <hub-name> http://<hub-web-root>
Images Fail To Push And Containers Fail To Upload
Problem
- Image uploads fail with SSL handshake errors in %LOCALAPPDATA%\turbo\logs\, for example:
02/16/2021 11:27:45.6419 - Debug - 0x1118: {"log":"*** Sync encountered an error: Received fatal alert: handshake_failure","msSinceStart":1795}
02/16/2021 11:27:45.9703 - Debug - 0x1118: {"log":"(javax.net.ssl.SSLHandshakeException)\n\njavax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
...
02/16/2021 11:27:45.9703 - Debug - 0x1118: exit -1
Solutions
- Validate the certificate chain using ssllabs.com and fix any missing intermediates or ciphers.
Server Does Not Start After Changing Certificate Or After Installation/Upgrade
Problem
- The server fails to start and proxy-apache.log shows certificate format errors:
[Mon Apr 26 19:48:03.852387 2021] [ssl:info] [pid 9760:tid 1340] AH01887: Init: Initializing (virtual) servers for SSL
[Mon Apr 26 19:48:03.853388 2021] [ssl:info] [pid 9760:tid 1340] AH01914: Configuring server {server}:443 for SSL protocol
[Mon Apr 26 19:48:03.853388 2021] [ssl:debug] [pid 9760:tid 1340] ssl_engine_init.c(1758): AH10083: Init: ({server}:443) mod_md support is unavailable.
[Mon Apr 26 19:48:03.854385 2021] [ssl:emerg] [pid 9760:tid 1340] AH01895: Unable to configure verify locations for client authentication
[Mon Apr 26 19:48:03.854385 2021] [ssl:emerg] [pid 9760:tid 1340] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
Solutions
- Inspect the certificate files; if any are not plain text PEM, convert them with:
openssl x509 -inform der -in certificate.crt -out certificate.pem.crt
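One way to do the "inspect the certificate files" step, and the PEM and encrypted-key checks from the earlier portal sections, before restarting the server. This is an added example in Python, not Turbo's own tooling; the function names, the result labels and the DER tag heuristic are assumptions of the example, and v1 certificates or other ASN.1 structures are reported as unknown.

```python
import re
import sys

# Commands from this page, keyed by detected format ("-inform der" on pkcs7 is an added flag).
FIXES = {
    "der-cert": "openssl x509 -inform der -in certificate.cer -out certificate.crt",
    "der-pkcs7": "openssl pkcs7 -inform der -print_certs -in old.p7b -out new.crt",
    "pem-pkcs7": "openssl pkcs7 -print_certs -in old.p7b -out new.crt",
    "encrypted-key": "openssl rsa -in encrypted-key.key -out key.key",
}
PEM = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _enter(data, pos):
    """Return (tag, offset of contents) for the DER element starting at pos."""
    tag, first = data[pos], data[pos + 1]
    return tag, pos + 2 + (first & 0x7F if first & 0x80 else 0)

def der_kind(data):
    """Classify binary ASN.1 by the tags just inside its outer SEQUENCE."""
    try:
        outer, p = _enter(data, 0)
        second, p = _enter(data, p)
        third = data[p]
    except IndexError:
        return "unknown"
    if outer == 0x30 and second == 0x06:  # PKCS#7 ContentInfo opens with an OID
        return "der-pkcs7"
    if outer == 0x30 and second == 0x30 and third == 0xA0:  # v3 cert: [0] version
        return "der-cert"
    return "unknown"

def classify(data):
    """Label the contents of one certificate or key file."""
    m = PEM.search(data)
    if m is None:  # no BEGIN line: what Apache logs as "PEM_read_bio:no start line"
        return der_kind(data)
    label, body = m.group(1), m.group(2)
    if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted-key"  # the AH02577 passphrase case shown on this page
    if label.endswith(b"PRIVATE KEY"):
        return "pem-key"
    if label == b"PKCS7":
        return "pem-pkcs7"
    return "pem-cert" if label.endswith(b"CERTIFICATE") else "unknown"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kind = classify(fh.read())
        print(path, kind, FIXES.get(kind, ""), sep="\t")
```

Run it with the configured certificate and key paths as arguments; a line with an empty third column needs none of the conversions above.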
Self-Signed Certificate Disappears From Windows Certificate Store
Problem
- Windows removes self-signed certificates placed in the Third-Party Root Certification Authorities store during updates.
Solutions
- Install self-signed certificates into the Trusted Root Certification Authorities store instead.
Generating A Self-Signed Certificate
Problem
- You need a test certificate for non-production environments.
Solutions
- Generate a self-signed certificate with OpenSSL. Use Subject Alternative Name entries for all web service roots and Domain URLs. When prompted for the Common Name, provide the Domain URL or portal web service root.
The example below would create a self-signed certificate for a farm of one hub server, one portal server, two application servers, and the domain URL:
openssl req -x509 -newkey rsa:4096 -nodes -keyout self-signed-key.pem -out self-signed-cert.pem -days 3650 -addext "subjectAltName = DNS:turbo.domain.com,DNS:turbo-portal.domain.com,DNS:turbo-hub.domain.com,DNS:turbo-app1.domain.com,DNS:turbo-app2.domain.com"