Cloud monitors returning SSL errors...
search cancel

Cloud monitors returning SSL errors...

book

Article ID: 102953

calendar_today

Updated On:

Products

CA App Synthetic Monitor

Issue/Introduction

My cloud monitors are returning SSL certificate error:
(9260) SSL certificate problem: unable to get local issuer certificate (Peer certificate cannot be authenticated with given CA certificates)

But it works fine in the browser.

Environment

Release: ASM 10.x

Cause

Intermediate Certificate is missing.  The reason the website works when you put it into a browser is that the browser is only checking for the certificate only, not the chain.  ASM checks the entire certificate chain, end to end, and if any part of that chain is missing or expired, ASM will alert you.

Resolution

While reviewing the certificate chain, for the URL being monitored, we found that the Intermediate Certificate was missing.

This caused the error (9260) SSL certificate problem: unable to get local issuer certificate (Peer certificate cannot be authenticated with given CA certificates) to show up.

To resolve this, update the site to provide the Intermediate Certificate.

There are different ways to install an Intermediate Certificate and it all depends on on your Certificate Authority.  A few examples would be for Microsoft IIS and Exchange - https://www.kinamo.be/en/support/faq/microsoft-iis-install-intermediate-ssl-certificate.  For pfx - https://rootsecurity.nl/2013/07/21/create-a-pfx-file-containing-the-intermediate-ca-certificate-using-openssl-on-windows/

For a more detailed explanation on what an Intermediate Certificate is https://knowledge.digicert.com/solution/SO16297.html

Note: You can also use an online SSL Checker to verify your certificate chain.



 

Additional Information

You can also disable "Verify certificate" in the Advanced settings of the Monitor.  Note: If disabled, ASM will not be able to warn you if there is an issue with your certificate chain or when the certificate is going to expire.