When I make the API call using the curl command, I am seeing the following error:
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
Can you please suggest what I can do to resolve this issue?
Answer by AMAR DEVEGOWDA · Apr 13, 2016 at 11:05 AM
Investigating this issue, I found that this error was thrown because the certificates in the chain were not uploaded in the proper order to the Keystore.
As explained in the link,
If you have a certificate chain, and want to use that chain in a keystore or truststore, then you can combine all of the certs into a single PEM file. The certs have to be in order and the last cert must be a root certificate or an intermediate cert signed by a root certificate as shown below:
Your Primary SSL Certificate
Intermediate Certificate
Root Certificate or Intermediate Certificate signed by a root certificate
In addition, we should also ensure the below:
Note: There can be multiple intermediate certificates in the certificate chain.
In this case, the Keystore had incorrect order of certificates as shown below:
Your Primary SSL Certificate
Intermediate Certificate 1
Root Certificate
Intermediate Certificate 2
This basically resulted in a mismatch. That is, the Issuer of Intermediate Certificate 1 did not match with the Subject of the Root Certificate, so we got the error "Peer's Certificate issuer is not recognized."
Re-uploading the certificate chain in the proper order (shown below) to the Keystore fixed the issue.
Your Primary SSL Certificate
Intermediate Certificate 1
Intermediate Certificate 2
Root Certificate
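The ordering rule from the answer above, as an added example that is not part of the original answer or of Apigee's tooling: a shell check that each certificate's issuer equals the subject of the next certificate in a combined PEM file. The function names and the CN= sample names are constructed for illustration, and reading a real PEM file assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: check that a PEM bundle is ordered leaf -> intermediates -> root.
# It compares issuer/subject names only; it does not verify signatures or trust.

# pem_to_pairs BUNDLE: print "subject<TAB>issuer" per certificate, in file order.
pem_to_pairs() (
  tmp=$(mktemp -d) || exit 1
  # Write each BEGIN CERTIFICATE block of the bundle to its own numbered file.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%03d.pem", d, ++n) }
                   f { print > f }' "$1"
  for c in "$tmp"/*.pem; do
    [ -e "$c" ] || continue
    s=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    printf '%s\t%s\n' "$s" "$i"
  done
  rm -rf "$tmp"
)

# check_chain_order: read those pairs on stdin; exit 1 at the first certificate
# whose issuer is not the subject of the certificate that follows it.
check_chain_order() {
  awk -F'\t' '
    NR > 1 && issuer != $1 {
      printf "cert %d: issuer \"%s\" is not the subject of cert %d (\"%s\")\n", NR - 1, issuer, NR, $1
      bad = 1; exit
    }
    { subject = $1; issuer = $2 }
    END {
      if (bad) exit 1
      if (NR == 0) { print "no certificates found"; exit 1 }
      if (subject == issuer) printf "OK: %d certificates in order; last is a self-signed root (%s)\n", NR, subject
      else printf "OK: %d certificates in order; last is issued by \"%s\", which is not in the bundle\n", NR, issuer
    }'
}

if [ -f "${1:-}" ]; then
  pem_to_pairs "$1" | check_chain_order
else
  # Constructed names reproducing the misordered keystore described in the answer.
  printf '%s\t%s\n' 'CN=api.example.test' 'CN=Intermediate 1' \
                    'CN=Intermediate 1'   'CN=Intermediate 2' \
                    'CN=Root'             'CN=Root' \
                    'CN=Intermediate 2'   'CN=Root' | check_chain_order || true
fi
```

Run it with the path to the combined PEM file as the first argument; without an argument it runs on the constructed names and reports the mismatch at the second certificate.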
Answer by GargiTalukdar · Apr 13, 2016 at 10:07 AM
Hi,
You can check this post with a similar discussion.
Answer by gbhandari · Apr 14, 2016 at 08:04 AM
Hi Amar,
Normally, for 2way ssl, I first test the connectivity using the CURL call,
curl "<target URL>" --cert ./<KEYSTORE PUBLIC CERT> --key <PRIVATE KEY> --cacert <Truststore cert> -v
Also, to check if the certs are added at the target end, you can execute the below command
openssl s_client -showcerts -connect abcde.com:
I hope this information helps.