SAS® components that use SSL or TLS fail with the message "ERROR: OpenSSL error ... 'certificate verify failed'"


SAS components that use SSL or Transport Layer Security (TLS) certificates, such as PROC HTTP or FILENAME URL code, might fail with the following error:

ERROR: OpenSSL error 336134278 (0x14090086) occurred in SSL_connect/accept at
line 6040, the error message is "error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed".
 
This error indicates that a certificate in the chain is not trusted, which can occur due to the following:

In SAS® 9.4M3 (TS1M3) and later, SAS ships the Mozilla Certificate Authorities (CA) trusted bundle and sets the SSLCALISTLOC= SAS system option to the location of these certificates: SASHOME/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.pem

To better diagnose the cause of the above error, enable SAS enhanced logging by running the following code from a Base SAS® session:

%log4sas();
%log4sas_logger('App.tk.eam.ssl', 'level=trace ');
run;
 
For other SAS environments, you can complete the steps in SAS Note 63587, "Obtaining additional debugging log information for the HTTP procedure."

If you see the following error in the enhanced logging output, refer to SAS Note 66213, "Certificates that shipped in SAS® 9.4 contains an expired certificate from Sectigo AddTrust (expired on May 30, 2020)."

verify_cb: TLS certificate verification: depth: 3, err: 10, subject:
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA
Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP
Network/CN=AddTrust External CA Root
verify_cb: TLS certificate verification: Error, certificate has expired
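
The following Python helper is an added example, not SAS code or part of the original note. It unpacks the OpenSSL error number from the SAS error message and parses the wrapped verify_cb trace lines to report which certificate in the chain failed and why. The function names and the assumption that trace lines wrap at a space are hypothetical; the error-code table is a subset of OpenSSL's X509_V_ERR_* values.

```python
import re

# Subset of OpenSSL X509_V_ERR_* verification codes (values from x509_vfy.h).
VERIFY_ERRORS = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}
RECORD = re.compile(r"depth: (\d+), err: (\d+), subject: (.+?), issuer: (.+)$")

# Trace lines copied from the note above, including the line wrapping.
SAMPLE_LOG = """\
verify_cb: TLS certificate verification: depth: 3, err: 10, subject:
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA
Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP
Network/CN=AddTrust External CA Root
verify_cb: TLS certificate verification: Error, certificate has expired
"""

def unpack_openssl_error(code):
    """Split an OpenSSL 1.0.x packed error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_verify_cb(log_text):
    """Return one dict per failing verify_cb record, rejoining wrapped lines."""
    records = []
    for line in log_text.splitlines():
        if line.startswith("verify_cb:"):
            records.append(line.strip())
        elif records and line.strip():
            # Assumption: continuation lines were wrapped at a space.
            records[-1] += " " + line.strip()
    findings = []
    for record in records:
        m = RECORD.search(record)
        if not m or m.group(2) == "0":
            continue  # summary line or a successful check
        depth, err, subject, issuer = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        findings.append({
            "depth": depth, "err": err, "subject": subject,
            "name": VERIFY_ERRORS.get(err, "unlisted code"),
            # Subject equals issuer above depth 0: the failing certificate is a
            # root CA rather than the server's own leaf certificate.
            "is_root_ca": depth > 0 and subject == issuer,
        })
    return findings

if __name__ == "__main__":
    print(unpack_openssl_error(336134278), parse_verify_cb(SAMPLE_LOG))
```

For the error in this note, the packed code 336134278 splits into library 0x14 (SSL routines) and reason 0x086 (certificate verify failed), and the trace record resolves to an expired root CA at depth 3.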