Gravatar for michiel.lankamp@winvision.nl

Question by Michiel Lankamp, Nov 18, 2014 3:55 AM

Coveo for sitecore: every minute an error

In the logfile, I get the following error:

4992 09:50:25 Coveo.Framework.Connection.ClientSessionWrapper.ExecuteQuery(:0) WARN The connection to Coveo search service failed. The connection will be re-created. Try # 1; Error: Exception Name:FailedToImpersonateUsersException, What:There was no certificate provided by the client while trying to impersonate users. Either provide a trusted client certificate with impersonation rights or login with requested credentials. 4992 09:50:26 Coveo.Framework.Connection.ClientSessionWrapper.ExecuteQuery(:0) WARN The connection to Coveo search service failed. The connection will be re-created. Try # 2; Error: Exception Name:FailedToImpersonateUsersException, What:There was no certificate provided by the client while trying to impersonate users. Either provide a trusted client certificate with impersonation rights or login with requested credentials. 4992 09:50:26 Coveo.Framework.Connection.ClientSessionWrapper.ExecuteQuery(:0) WARN The connection to Coveo search service failed. The connection will be re-created. Try # 3; Error: Exception Name:FailedToImpersonateUsersException, What:There was no certificate provided by the client while trying to impersonate users. Either provide a trusted client certificate with impersonation rights or login with requested credentials. 4992 09:50:27 Coveo.Framework.Connection.ClientSessionWrapper.ExecuteQuery(:0) WARN The connection to Coveo search service failed. The connection will be re-created. Try # 4; Error: Exception Name:FailedToImpersonateUsersException, What:There was no certificate provided by the client while trying to impersonate users. Either provide a trusted client certificate with impersonation rights or login with requested credentials. 4992 09:50:27 Coveo.Framework.Connection.ClientSessionWrapper.ExecuteQuery(:0) WARN The connection to Coveo search service failed. The connection will be re-created. Try # 5; Error: Exception Name:FailedToImpersonateUsersException, What:There was no certificate provided by the client while trying to impersonate users. Either provide a trusted client certificate with impersonation rights or login with requested credentials. 4992 09:50:27 Coveo.Framework.Connection.ClientSessionWrapper.ExecuteQuery(:0) ERROR The connection to the search service could not be re-established after 6 tries.

And in my code I get the following error:

Exception Name:FailedToImpersonateUsersException, What:There was no certificate provided by the client while trying to impersonate users. Either provide a trusted client certificate with impersonation rights or login with requested credentials. Description: An unhandled exception occurred.

Exception Details: System.ServiceModel.FaultException`1[[Coveo.Framework.CoveoSearchService.ExceptionBaseDetail, Coveo.Framework, Version=3.0.0.0, Culture=neutral, PublicKeyToken=null]]: Exception Name:FailedToImpersonateUsersException, What:There was no certificate provided by the client while trying to impersonate users. Either provide a trusted client certificate with impersonation rights or login with requested credentials.

What can this be?

3 Replies
Gravatar for vseguin@coveo.com

Answer by Vincent Séguin, Nov 18, 2014 7:44 AM

Hello,

This is a known error that have been on some specific setups. Do you have SSLv3 disabled on that server? Are the queries working?

I highly suggest you enter a support case for this, we'll want to investigate that.

Gravatar for michiel.lankamp@winvision.nl

Comment by Michiel Lankamp, Nov 18, 2014 9:06 AM

Yes, we did. Within th eapplication we also talk to the Twitter API. Twitter doens't except SSL3 connections anymore, so we used:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

That caused the problem. Used a work around for now.

Gravatar for vseguin@coveo.com

Comment by Vincent Séguin, Nov 18, 2014 9:33 AM

May i ask what is your work around?

Gravatar for michiel.lankamp@winvision.nl

Comment by Michiel Lankamp, Nov 18, 2014 10:27 AM

The problem we have is that System.Net.ServicePointManager.SecurityProtocol is used within the entire appdomain. So my first solution was to call the twitter API from a newly created appdomain.

Now I moved the twitter functionality to a web service on the server, this runs within it's own appdomain

Gravatar for rfortier@coveo.com

Answer by rfortier, Nov 18, 2014 11:36 AM

This is the comment I have in my SearchForm:

        // If not present, and run on Server 2012, the server didn't give us a reusable ssl session id !
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

So it's not that it doesn't work, it's that performance will be lesser since renegotiation will be done each time we connect (on Server 2012). It's been some time; maybe that isn't true anymore. For now, just remove the flag, and some tests should be done to see if ssl session ids can be reused now, even on Server 2012, and if not, see if alternatives are possible.

Gravatar for rfortier@coveo.com

Answer by rfortier, Nov 18, 2014 9:26 PM

Do we have a setup where we can test at will ?

Here are a few things I'd like to try:

  1. Combine the Ssl3 and Tls SecurityProtocolType enum values at the same time.
  2. Add ServicePointManager.Expect100Continue; I saw that on a forum; I doubt it'd do anything, but it's worth a try.
  3. Confirm ssl session reuse with openssl s_client -reconnect -connect localhost:52810 -CAfile "C:\ces7\Config\Certificates\cert-ca.pem" -cert "C:\ces7\Config\Certificates\cert-ces.pem" -key "C:\ces7\Config\Certificates\cert-ces.pem"
Ask a question