Question by AMAR DEVEGOWDA · Apr 13, 2016 at 09:31 AM · 77k Views sslcertificate

Getting "Peer's Certificate issuer is not recognized" error while making an API call

When I make the API call using the curl command, I am seeing the following error:

* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.

Can you please suggest what I can do to resolve this issue?

3 Answers

Best Answer

Answer by AMAR DEVEGOWDA · Apr 13, 2016 at 11:05 AM

Investigating this issue, I found that this error was thrown because the certificates in the chain were not uploaded in the proper order to the Keystore.

As explained in the link,

If you have a certificate chain, and want to use that chain in a keystore or truststore, then you can combine all of the certs into a single PEM file. The certs have to be in order and the last cert must be a root certificate or an intermediate cert signed by a root certificate as shown below:

Your Primary SSL Certificate

Intermediate Certificate

Root Certificate or Intermediate Certificate signed by a root certificate

In addition, we should also ensure the below:

  • Issuer of the Intermediate certificate should be the same as the Subject of the Primary Certificate
  • Issuer of the next Intermediate/Root certificate should be the same as the Subject of the first Intermediate Certificate
  • and this continues until the last cert

Note: There can be multiple intermediate certificates in the certificate chain.

In this case, the Keystore had an incorrect order of certificates as shown below:

Your Primary SSL Certificate

Intermediate Certificate 1

Root Certificate

Intermediate Certificate 2

This basically resulted in a mismatch. That is, the Issuer of Intermediate Certificate 1 did not match with the Subject of the Root Certificate, so we got the error "Peer's Certificate issuer is not recognized."

Re-uploading the certificate chain in the proper order (shown below) to the Keystore fixed the issue.

Your Primary SSL Certificate

Intermediate Certificate 1

Intermediate Certificate 2

Root Certificate
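
The ordering problem described in the accepted answer can be caught before a bundle is uploaded by checking that each certificate's issuer equals the subject of the certificate that follows it in the file. The script below is an added example, not part of the original answers and not an Apigee tool; the function name check_chain_order and the file names are assumptions.

```shell
#!/bin/sh
# check_chain_order BUNDLE.pem  (hypothetical helper, not an Apigee tool)
# Lists subject and issuer of each certificate in file order and returns
# 1 if a certificate's issuer is not the subject of the next certificate,
# 2 if the file holds no certificates.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    i=1; rc=0; prev_issuer=
    while [ -f "$tmp/cert-$i.pem" ]; do
        subj=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject \
                 -nameopt RFC2253 | sed 's/^subject= *//')
        issr=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer \
                 -nameopt RFC2253 | sed 's/^issuer= *//')
        echo "[$i] subject: $subj"
        echo "    issuer : $issr"
        # The previous certificate must have been issued by this one.
        if [ "$i" -gt 1 ] && [ "$prev_issuer" != "$subj" ]; then
            echo "    MISMATCH: certificate $((i - 1)) names issuer '$prev_issuer'"
            rc=1
        fi
        prev_issuer=$issr
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$i" -gt 1 ] || return 2
    return "$rc"
}

# Run against a bundle given on the command line, e.g. ./check.sh chain.pem
if [ "$#" -gt 0 ]; then
    check_chain_order "$1"
fi
```

This compares names only; `openssl verify` additionally validates signatures and validity dates.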
Answer by GargiTalukdar   · Apr 13, 2016 at 10:07 AM

Hi,

You can check this post with similar discussion.

Answer by gbhandari   · Apr 14, 2016 at 08:04 AM

@AMAR DEVEGOWDA

Hi Amar,

Normally, for 2way ssl, I first test the connectivity using the CURL call,

curl "<target URL>" --cert ./<KEYSTORE PUBLIC CERT> --key <PRIVATE KEY> --cacert <Truststore cert> -v

Also, to check if the certs are added at the target end, you can execute the below command

openssl s_client -showcerts -connect abcde.com:

I hope this information helps
