IBM Support

Error: "SSL certificate problem, verify that the CA cert is OK" when updating GX

Technote (troubleshooting)


When updating the Network IPS (GX), the update may fail with an error about an SSL certificate problem.


When applying an update on the GX, it may fail with the following message displayed in /var/log/messages:

Unable to download '/Proventia/G-Series/XPU_3_4.xml' from server ''. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

Resolving the problem

There have been issues in the past where the GX is not using the correct .crt file to verify the server certificate on Add the following advanced parameter to the update settings policy and try the update again:

Name: Update.certificate.file
String value: /etc/crm/msl-ca-bundle.crt


  • The fields above are case sensitive. Enter them exactly as shown above.
  • Make sure that you do not leave any whitespace at the end of the lines, or the parameter will not be accepted.
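
Why the wrong .crt file produces "certificate verify failed", shown as an added example that is not part of the IBM technote: the script builds two throwaway CAs and one server certificate with the openssl CLI, then verifies the certificate against each CA file. The CA names, file names and helper functions are constructed for illustration, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: throwaway CAs and certificate, constructed for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA (NAME.key, NAME.crt) in $WORK.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME: create NAME.crt signed by the CA made with make_ca.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to_bundle BUNDLE CERT: true only if CERT verifies against BUNDLE.
# openssl may also consult the system trust store; the constructed CAs
# are not in it, so the result here depends on BUNDLE alone.
chains_to_bundle() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

make_ca update-ca      # stands in for the CA that signed the update server
make_ca other-ca       # stands in for the wrong .crt file
issue_cert update-ca update-server

for bundle in other-ca update-ca; do
    if chains_to_bundle "$WORK/$bundle.crt" "$WORK/update-server.crt"; then
        echo "$bundle.crt: server certificate verified"
    else
        echo "$bundle.crt: certificate verify failed"
    fi
done
```

The same `openssl verify -CAfile` check can be run against a copy of `/etc/crm/msl-ca-bundle.crt` and a saved copy of the update server's certificate on any host that has openssl.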

Document information

More support for: IBM Security Network Intrusion Prevention System

Software version: 4.3, 4.4, 4.5, 4.6, 4.6.1, 4.6.2

Operating system(s): Firmware

Reference #: 1612953

Modified date: 2015-11-02