B2C Commerce Common SSL errors

Publish Date: Oct 21, 2025
Description

Commonly encountered SSL related errors for B2C Commerce.
Resolution

Removed/Deleted/No SSL Certificate found under eCDN

Question:
When checking certificates in Embedded CDN Settings, there is no uploaded certificate. How was it removed, or what happened?

Impact:
Site is down.

Environment: 
All PIG instances

Answer:
Expired certificates will automatically be removed from the B2C Commerce Platform.

Merchants are responsible for uploading and managing their SSL certificates on Production and Development hostnames.

To avoid any service interruptions due to expired certificates, please track notifications from your certificate provider about upcoming expirations.

Merchants need to install an SSL certificate, following the KBA below, to bring their sites back up:

This is a self-service operation.

Error: 'ERR_SSL_VERSION_OR_CIPHER_MISMATCH'

Description:
The browser is throwing the message "ERR_SSL_VERSION_OR_CIPHER_MISMATCH", noting that the certificate is not being accepted.

Probable Cause:
You will see this error message when no valid SSL certificate has been uploaded for the sub-domain.
Our eCDN Provider requires a certificate if you try to access the site via HTTPS. You will need to install a valid SSL certificate using the eCDN tool in Business Manager.

1) This is most likely due to having a two-level subdomain, which is not supported via a normal wildcard certificate.
2) The certificate has expired and was removed by Cloudflare. Cloudflare has a job to remove certificates that have expired.

Note: Any hostnames not covered by a certificate will not be accessible. This applies to any custom hostnames you use for your PIG instances. 

Resolution:
1) Two-level domains are not supported under a wildcard certificate. Cloudflare-issued SSL certificates cover the root-level domain (e.g. example.com) and one level of subdomains (e.g. *.example.com). Additionally, most certificate authorities only support one-level wildcard certificates. A certificate needs to be installed to cover your domain.

For instance, to cover "www.mysite.site.com" with a wildcard certificate, you would need a certificate covering "*.mysite.site.com". In this case, a SAN certificate may make more sense given the flexibility in adding hostnames.

2) Upload a new certificate.
Note: Your new SSL certificate must not be expiring in less than 14 days from the time of upload. Self-signed SSL certificates are not supported.



Error while uploading a new SSL certificate with private key

Question:
Why do I receive an error like the following while uploading a new SSL certificate + private key?

  • 'An error happened while processing your certificate'
  • 'The provided key for the certificate is invalid.'
  • 'CertificateKeyInvalidException'
  • eCDN.error.http.400.CertificateKeyInvalidException

Answer:
Before an SSL certificate and its private key can be uploaded to Cloudflare, both need to be validated. If the validation fails, the error is thrown.

To validate the SSL certificate and the private key, please check the following:

  • SSL certificate you paste in via BM is not encrypted
  • The MD5 sums of the key modulus and the certificate modulus match. This can be verified by executing the following commands and comparing the output:
    • openssl rsa -noout -modulus -in com.key | openssl md5
    • openssl x509 -noout -modulus -in com.crt | openssl md5
  • Private key must be created in PKCS8 style. The style of the key can be identified in two ways:
  1. Open the key as a text file and check the first and the last line
  2. Execute the following command, which displays the first and the last line of the key
    • head -1 com.key && tail -1 com.key

The PKCS8 style will have the first line and last line as follows:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----


head -1 PKCS8.key && tail -1 PKCS8.key
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

In case of PKCS1 style (rsa) the first and the last line will be as follows:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

head -1 PKCS1.key && tail -1 PKCS1.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

  • If your key is in the old PKCS1 (rsa) style, use the following openssl command to convert it to PKCS8 style:
    • openssl pkcs8 -topk8 -nocrypt -in com.key

Additional Info: Make sure to substitute your own key/crt file names in the commands provided above.
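
The validation steps above, together with the 14-day expiry and self-signed rules from the upload note, combined into one pre-upload script. This is an added example, not Salesforce's own tooling; the function names are illustrative, and treating "subject equals issuer" as self-signed is a heuristic assumption.

```sh
#!/bin/sh
# Added example: pre-upload checks for a certificate and private key.
# Function names are illustrative; pass your own file names.

# Classify a key by its PEM header: pkcs8, pkcs1, encrypted or unknown.
key_style() {
  if head -2 "$1" | grep -q 'ENCRYPTED'; then echo encrypted; return; fi
  case "$(head -1 "$1" | tr -d '\r')" in
    '-----BEGIN PRIVATE KEY-----')     echo pkcs8 ;;
    '-----BEGIN RSA PRIVATE KEY-----') echo pkcs1 ;;
    *)                                 echo unknown ;;
  esac
}

# Compare the RSA modulus of certificate ($1) and key ($2) directly
# (the article pipes both through "openssl md5" for comparison by eye).
pair_matches() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
  key_mod=$(openssl rsa -noout -modulus -passin pass: -in "$2" 2>/dev/null) || return 2
  [ "$cert_mod" = "$key_mod" ]
}

# True if certificate $1 is still valid $2 days from now.
expires_after_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Heuristic (assumption): subject equal to issuer means self-signed.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
  iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

# Run all checks on certificate $1 and key $2; print the first failure, or "ok".
preupload_check() {
  style=$(key_style "$2")
  [ "$style" = pkcs8 ] || { echo "key style is $style, expected pkcs8"; return 1; }
  pair_matches "$1" "$2" || { echo "certificate and key do not match"; return 1; }
  expires_after_days "$1" 14 || { echo "certificate expires in less than 14 days"; return 1; }
  ! is_self_signed "$1" || { echo "certificate is self-signed"; return 1; }
  echo ok
}

# Usage: sh preupload_check.sh com.crt com.key
if [ "$#" -eq 2 ]; then preupload_check "$1" "$2"; fi
```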

Knowledge Article Number

000389751

 