Getting "Peer's Certificate issuer is not recognized" error while making an API call

When I make the API call using the curl command, I am seeing the following error:

* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.

Can you please suggest what I can do to resolve this issue?

1 ACCEPTED SOLUTION

Investigating this issue, I found that this error was thrown because the certificates in the chain were not uploaded in the proper order to the Keystore.

As explained in the link,

If you have a certificate chain, and want to use that chain in a keystore or truststore, then you can combine all of the certs into a single PEM file. The certs have to be in order and the last cert must be a root certificate or an intermediate cert signed by a root certificate as shown below:

Your Primary SSL Certificate

Intermediate Certificate

Root Certificate or Intermediate Certificate signed by a root certificate

In addition, we should also ensure the following:

  • Issuer of the Intermediate certificate should be the same as the Subject of the Primary Certificate
  • Issuer of the next Intermediate/Root certificate should be the same as the Subject of the first Intermediate Certificate
  • and this continues until the last cert

Note: There can be multiple intermediate certificates in the certificate chain.

In this case, the Keystore had the certificates in the incorrect order, as shown below:

Your Primary SSL Certificate

Intermediate Certificate 1

Root Certificate

Intermediate Certificate 2

This basically resulted in a mismatch. That is, the Issuer of Intermediate Certificate 1 did not match the Subject of the Root Certificate, so we got the error "Peer's Certificate issuer is not recognized."

Re-uploading the certificate chain in the proper order (shown below) to the Keystore fixed the issue.

Your Primary SSL Certificate

Intermediate Certificate 1

Intermediate Certificate 2

Root Certificate

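The check described in the accepted solution, written out as an added example (not code from the thread or from Apigee): a throwaway root, intermediate and leaf are generated locally, bundled once in the correct order and once with the root ahead of the intermediate, and a small function walks the bundle comparing each certificate's Issuer with the Subject of the certificate that follows it, which is the relationship the post's own mismatch example relies on. A second function runs openssl verify with only the root trusted, which is what a client such as curl effectively does when it builds the path. It assumes openssl is on PATH; every name (Example Root CA, api.example.test, the part-N.pem files) is constructed for the example.

```shell
#!/bin/sh
# Added example: verify the ordering rule for a PEM certificate chain.
# Assumes an openssl binary on PATH; all subjects and file names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- constructed test PKI: root -> intermediate -> leaf --------------------
newkey() { openssl genrsa -out "$1" 2048 2>/dev/null; }

newkey root.key
openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 1 \
    -out root.pem 2>/dev/null

# Intermediate: CSR signed by the root; basicConstraints marks it as a CA so
# that path building accepts it as the issuer of the leaf.
newkey int.key
openssl req -new -key int.key -subj "/CN=Example Intermediate CA" \
    -out int.csr 2>/dev/null
printf 'basicConstraints=CA:TRUE\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile int.ext -days 1 -out int.pem 2>/dev/null

# Leaf ("Your Primary SSL Certificate"), signed by the intermediate.
newkey leaf.key
openssl req -new -key leaf.key -subj "/CN=api.example.test" \
    -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -out leaf.pem 2>/dev/null

cat leaf.pem int.pem root.pem > chain-good.pem   # primary, intermediate, root
cat leaf.pem root.pem int.pem > chain-bad.pem    # root uploaded before the intermediate

# Split a PEM bundle into part-1.pem, part-2.pem, ... in file order.
split_bundle() {
    rm -f part-*.pem
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } { print > ("part-" n ".pem") }' "$1"
}

# Print "ok" when every certificate's Issuer equals the Subject of the next
# certificate in the file; otherwise print the first mismatch and return 1.
# RFC2253 name formatting makes the two strings directly comparable.
check_chain_order() {
    split_bundle "$1"
    i=1
    while [ -f "part-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "part-$i.pem" -noout -issuer -nameopt RFC2253 \
                 | sed 's/^[^=]*=//')
        next_subject=$(openssl x509 -in "part-$((i + 1)).pem" -noout -subject \
                       -nameopt RFC2253 | sed 's/^[^=]*=//')
        if [ "$issuer" != "$next_subject" ]; then
            echo "mismatch at cert $i: issuer '$issuer' != next subject '$next_subject'"
            return 1
        fi
        i=$((i + 1))
    done
    echo ok
}

# What the client does with what the server sends: build a path from the leaf
# through the untrusted intermediate(s) to a root in its trust store.
# $1 = leaf, $2 = intermediate bundle (untrusted), $3 = trusted root(s).
verify_leaf() {
    if openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

check_chain_order chain-good.pem
check_chain_order chain-bad.pem || true
verify_leaf leaf.pem int.pem root.pem    # intermediate available: path builds
verify_leaf leaf.pem root.pem root.pem   # intermediate missing: unknown issuer
```

The good bundle reports ok; the bad one stops at the first certificate, because the leaf's issuer (the intermediate) is not the subject of the root that follows it, which is the same mismatch the accepted solution describes. The last verify_leaf call shows the client-side view: with only the root trusted and no usable intermediate, path building fails, and that failure is what curl surfaces as an unrecognised issuer.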

REPLIES

Hi,

You can check this post, which has a similar discussion.


@AMAR DEVEGOWDA

Hi Amar,

Normally, for 2-way SSL, I first test the connectivity using the curl call:

curl "<target URL>" --cert ./<KEYSTORE PUBLIC CERT> --key <PRIVATE KEY> --cacert <Truststore cert> -v

Also, to check if the certs are added at the target end, you can execute the command below:

openssl s_client -showcerts -connect abcde.com:<port>

I hope this information helps.