When I make the API call using the curl command, I am seeing the following error:
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
Can you please suggest what I can do to resolve this issue?
Investigating this issue, I found that this error was thrown because the certificates in the chain were not uploaded in the proper order to the Keystore.
As explained in the link,
If you have a certificate chain, and want to use that chain in a keystore or truststore, then you can combine all of the certs into a single PEM file. The certs have to be in order and the last cert must be a root certificate or an intermediate cert signed by a root certificate as shown below:
Your Primary SSL Certificate
Intermediate Certificate
Root Certificate or Intermediate Certificate signed by a root certificate
In addition, we should also ensure the below:
Note: There can be multiple intermediate certificates in the certificate chain.
In this case, the Keystore had incorrect order of certificates as shown below:
Your Primary SSL Certificate
Intermediate Certificate 1
Root Certificate
Intermediate Certificate 2
This basically resulted in a mismatch. That is, the Issuer of Intermediate Certificate 1 did not match the Subject of the Root Certificate, so we got the error "Peer's Certificate issuer is not recognized."
Re-uploading the certificate chain in the proper order (shown below) to the Keystore fixed the issue.
Your Primary SSL Certificate
Intermediate Certificate 1
Intermediate Certificate 2
Root Certificate
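A way to check, and if needed repair, the order of a PEM bundle before uploading it to the Keystore, as an added example that is not part of the original post or of the product it discusses: it parses just enough DER to pull each certificate's issuer and subject Name (compared as raw bytes, which is how a chain builder matches them) and reports every position where a cert's issuer is not the next cert's subject, which is exactly the mismatch behind the error above. The sample bundle is constructed inline from unsigned certificate skeletons (commonName only, so it is not a real chain and will not pass openssl verify); on a real bundle, pass the file contents to the same functions.

```python
import base64
import re

# One PEM certificate block; group(1) is the base64 body.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    # Read one DER tag-length-value starting at pos; return (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    # Split the body of a constructed DER element into its (tag, value) members.
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def names_from_der(cert_der):
    # Return (issuer, subject) as raw DER Name bodies of an X.509 certificate.
    _, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs_body, _ = _read_tlv(cert_body, 0)        # tbsCertificate ::= SEQUENCE
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                        # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def dn_text(name_body):
    # Readable rendering of a DER Name: the attribute string values joined by '/'.
    parts = []
    for tag, val in _children(name_body):
        if tag in (0x0C, 0x13, 0x16):               # UTF8String, PrintableString, IA5String
            parts.append(val.decode("utf-8", "replace"))
        elif tag & 0x20:                            # constructed (SET / SEQUENCE): recurse
            parts.append(dn_text(val))
    return "/".join(p for p in parts if p)


def pem_certs(pem_text):
    # Decode every certificate in a PEM bundle to DER, in file order.
    return [base64.b64decode("".join(b64.split())) for b64 in PEM_RE.findall(pem_text)]


def chain_subjects(pem_text):
    return [dn_text(names_from_der(d)[1]) for d in pem_certs(pem_text)]


def check_chain_order(pem_text):
    # Report each position where cert i's issuer is not cert i+1's subject.
    # The last cert may be a self-signed root or an intermediate, so it is not checked.
    names = [names_from_der(d) for d in pem_certs(pem_text)]
    problems = []
    for i in range(len(names) - 1):
        issuer, next_subject = names[i][0], names[i + 1][1]
        if issuer != next_subject:
            problems.append(f"cert {i + 1} is issued by {dn_text(issuer)!r} "
                            f"but cert {i + 2} is {dn_text(next_subject)!r}")
    return problems


def reorder_chain(pem_text):
    # Rewrite a bundle as leaf -> intermediates -> root by following issuer links.
    blocks = []
    for m in PEM_RE.finditer(pem_text):
        issuer, subject = names_from_der(base64.b64decode("".join(m.group(1).split())))
        blocks.append((m.group(0) + "\n", issuer, subject))
    issuers = {b[1] for b in blocks}
    leaves = [b for b in blocks if b[2] not in issuers]   # nothing in the bundle is signed by the leaf
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    by_subject = {b[2]: b for b in blocks}
    ordered, cur = [leaves[0]], leaves[0]
    while True:
        nxt = by_subject.get(cur[1])
        if nxt is None or nxt is cur:   # issuer not in the bundle, or self-signed root reached
            break
        ordered.append(nxt)
        cur = nxt
    return "".join(b[0] for b in ordered)


# --- Constructed sample data: unsigned skeletons, not real certificates ---
def _tlv(tag, body):
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body


def _name(cn):
    # Name ::= SEQUENCE OF (SET OF SEQUENCE { OID commonName 2.5.4.3, UTF8String })
    atv = _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    # Only the tbsCertificate fields the parser above reads are populated.
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn))
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode()
            + "\n-----END CERTIFICATE-----\n")


LEAF = fake_cert_pem("www.example.com", "Intermediate 1")
INT1 = fake_cert_pem("Intermediate 1", "Intermediate 2")
INT2 = fake_cert_pem("Intermediate 2", "Root")
ROOT = fake_cert_pem("Root", "Root")
WRONG_ORDER = LEAF + INT1 + ROOT + INT2      # the order described in the post
CORRECT_ORDER = LEAF + INT1 + INT2 + ROOT
```

Running `check_chain_order(WRONG_ORDER)` reports two breaks (Intermediate 1 is issued by Intermediate 2 but is followed by Root, and Root is followed by Intermediate 2), `check_chain_order(CORRECT_ORDER)` reports none, and `reorder_chain(WRONG_ORDER)` returns the bundle in the leaf, Intermediate 1, Intermediate 2, Root order. Comparing the Name bytes rather than their text rendering matters on real bundles, where two DNs can print identically but differ in string type or encoding and still fail to chain.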
Hi,
You can check this post, which has a similar discussion.
Hi Amar,
Normally, for 2-way SSL, I first test the connectivity using the curl call:
curl "<target URL>" --cert ./<KEYSTORE PUBLIC CERT> --key <PRIVATE KEY> --cacert <Truststore cert> -v
Also, to check if the certs are added at the target end, you can execute the below command:
openssl s_client -showcerts -connect abcde.com:<port>
I hope this information helps.