https://community.checkpoint.com/t5/Mobile/DynamicID-with-SMS-OTP/m-p/262610#M1313 <P><SPAN>Hi everyone!</SPAN></P> <P><SPAN>We have an issue with DynamicID and SMS provider certificates with the error message "<STRONG>DynamicID sending failure. To retry, please type r and select Submit</STRONG>". Here’s the setup:</SPAN></P> <UL> <LI><SPAN>R81.20 JHF Take 118</SPAN></LI> <LI><SPAN>Cluster</SPAN></LI> <LI><SPAN>Mobile Access with DynamicID + SMS OTP (user information like phone numbers are on CP database, not LDAP)</SPAN></LI> </UL> <P><SPAN>We have the same setup both on prod and in a test lab. The configs are exactly the same. The test lab is working but the prod seems to have an issue with certificates.</SPAN></P> <P><SPAN>In iked1.log file we see these lines:</SPAN></P> <PRE>[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][AsyncCurl] set_params_for_callback - Warning: (0x9bc3778) finished with result code (-3) - (SSL certificate problem: unable to get issuer certificate)<BR />[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][AU] DynamicIDSession::setState new_state -103 client_code 60 server_code 0 log_msg SSL certificate problem: unable to get issuer certificate<BR />[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][AU] dynamic_id_manager_callback(au=9ba9728): ePRIVATE_DID_SENDING_ERROR <BR />[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][CPSC] cpsc_get_msg_by_id: Cache HIT for CPSC_DID_SENDING_ERROR</PRE> <P><SPAN>And also <U><STRONG>all</STRONG></U> the other symptoms that are given in <A href="https://support.checkpoint.com/results/sk/sk182705" target="_self">sk182705</A>. But somehow the provided solution of adding the certificate on SmartDashboard doesn’t resolve the issue.</SPAN></P> <P><SPAN>We also tried running $CVPNDIR/bin/rehash_ca_bundle after placing the certificate in $FWDIR/database/ as specified in the <A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/DynamicID.htm?Highlight=dynamicid" target="_self">Mobile Access Admin Guide</A>&nbsp;(bottom of the page), to no avail.</SPAN></P> <P><SPAN>We have temporarily did a workaround of replacing the "<FONT face="courier new,courier">SmsWebClientProcArgs</FONT>" value with <FONT face="courier new,courier">("-k")</FONT> in the <FONT face="courier new,courier">$CVPNDIR/conf/cvpnd.C</FONT> file so that it doesn’t check for the certificate. To whomever who’s not familiar with it, the original value was <FONT face="courier new,courier">(“--capath $CVPNDIR/var/ssl/ca-bundle/”)</FONT>, which means that the connections with the SMS provider need to be cert checked. Although this is a workaround, using <FONT face="courier new,courier">-k</FONT> to ignore certificate verification is not good practice, so we want to resolve it.</SPAN></P> <P><SPAN>We already have double checked all the settings and the SMS provider info syntax on SmartConsole. Plus, everything works as expected in the lab.</SPAN></P> <P><SPAN>Can anybody point me towards where I’m obviously not looking?</SPAN></P> <P><SPAN>Cheers, Kamil</SPAN></P> Wed, 12 Nov 2025 10:44:26 GMT kamilazat 2025-11-12T10:44:26Z https://community.checkpoint.com/t5/Mobile/DynamicID-with-SMS-OTP/m-p/262610#M1313 <P><SPAN>Hi everyone!</SPAN></P> <P><SPAN>We have an issue with DynamicID and SMS provider certificates with the error message "<STRONG>DynamicID sending failure. To retry, please type r and select Submit</STRONG>". Here’s the setup:</SPAN></P> <UL> <LI><SPAN>R81.20 JHF Take 118</SPAN></LI> <LI><SPAN>Cluster</SPAN></LI> <LI><SPAN>Mobile Access with DynamicID + SMS OTP (user information like phone numbers are on CP database, not LDAP)</SPAN></LI> </UL> <P><SPAN>We have the same setup both on prod and in a test lab. The configs are exactly the same. The test lab is working but the prod seems to have an issue with certificates.</SPAN></P> <P><SPAN>In iked1.log file we see these lines:</SPAN></P> <PRE>[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][AsyncCurl] set_params_for_callback - Warning: (0x9bc3778) finished with result code (-3) - (SSL certificate problem: unable to get issuer certificate)<BR />[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][AU] DynamicIDSession::setState new_state -103 client_code 60 server_code 0 log_msg SSL certificate problem: unable to get issuer certificate<BR />[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][AU] dynamic_id_manager_callback(au=9ba9728): ePRIVATE_DID_SENDING_ERROR <BR />[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][CPSC] cpsc_get_msg_by_id: Cache HIT for CPSC_DID_SENDING_ERROR</PRE> <P><SPAN>And also <U><STRONG>all</STRONG></U> the other symptoms that are given in <A href="https://support.checkpoint.com/results/sk/sk182705" target="_self">sk182705</A>. But somehow the provided solution of adding the certificate on SmartDashboard doesn’t resolve the issue.</SPAN></P> <P><SPAN>We also tried running $CVPNDIR/bin/rehash_ca_bundle after placing the certificate in $FWDIR/database/ as specified in the <A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/DynamicID.htm?Highlight=dynamicid" target="_self">Mobile Access Admin Guide</A>&nbsp;(bottom of the page), to no avail.</SPAN></P> <P><SPAN>We have temporarily did a workaround of replacing the "<FONT face="courier new,courier">SmsWebClientProcArgs</FONT>" value with <FONT face="courier new,courier">("-k")</FONT> in the <FONT face="courier new,courier">$CVPNDIR/conf/cvpnd.C</FONT> file so that it doesn’t check for the certificate. To whomever who’s not familiar with it, the original value was <FONT face="courier new,courier">(“--capath $CVPNDIR/var/ssl/ca-bundle/”)</FONT>, which means that the connections with the SMS provider need to be cert checked. Although this is a workaround, using <FONT face="courier new,courier">-k</FONT> to ignore certificate verification is not good practice, so we want to resolve it.</SPAN></P> <P><SPAN>We already have double checked all the settings and the SMS provider info syntax on SmartConsole. Plus, everything works as expected in the lab.</SPAN></P> <P><SPAN>Can anybody point me towards where I’m obviously not looking?</SPAN></P> <P><SPAN>Cheers, Kamil</SPAN></P> Wed, 12 Nov 2025 10:44:26 GMT https://community.checkpoint.com/t5/Mobile/DynamicID-with-SMS-OTP/m-p/262610#M1313 kamilazat 2025-11-12T10:44:26Z https://community.checkpoint.com/t5/Mobile/DynamicID-with-SMS-OTP/m-p/262638#M1314 <P>Hi kamilazat!</P><P>Maybe the sk data can help you, but I can't confirm it -&nbsp;<A href="https://support.checkpoint.com/results/sk/sk111630" target="_self">sk111630</A>&nbsp;and&nbsp;<A href="https://support.checkpoint.com/results/sk/sk121101" target="_self">sk121101</A></P><P>&nbsp;</P> Wed, 12 Nov 2025 14:05:33 GMT https://community.checkpoint.com/t5/Mobile/DynamicID-with-SMS-OTP/m-p/262638#M1314 ShemHunter 2025-11-12T14:05:33Z https://community.checkpoint.com/t5/Mobile/DynamicID-with-SMS-OTP/m-p/262643#M1315 <P>Well that doesn't really help me because once we changed the&nbsp;<SPAN>SmsWebClientProcArgs value to -k it starts working. Maybe we should change&nbsp;--capath from&nbsp;$CVPNDIR/var/ssl/ca-bundle/ to&nbsp;$FWDIR/database/ but I believe it's dangerous.</SPAN></P> <P>&nbsp;</P> Wed, 12 Nov 2025 14:21:25 GMT https://community.checkpoint.com/t5/Mobile/DynamicID-with-SMS-OTP/m-p/262643#M1315 kamilazat 2025-11-12T14:21:25Z