Peer's cert issuer not recognized when REST through curl

Article ID: 193571

Products

CA Automic One Automation
CA Automic Operations Manager
CA Automic Oracle

Issue/Introduction

After setting up SSL for REST on Automic Workload Automation, curl commands fail with the following error:

curl: (60) Peer's Certificate issuer is not recognized.

The following steps will help with this error.

Cause

More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs).

If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).

If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

Environment

Release : 12.2

Component : AUTOMATION ENGINE

Resolution

1.) Get the DER .cer cert from the web browser

The source server (the one that runs curl) needs to have the certificate in .pem format.
Enter https://host.company.local:8088/ae/api/v1/1234/executions in a web browser (preferably not IE).
Click on the lock for the certificate (entering incorrect credentials is fine).

Click on the "Certificate (Valid)" option

In the Certificate window, choose "Details"

Expand down to the company cert path. *IMPORTANT: Be sure to click on the beginning of the Certification path and then choose "View Certificate".

Click on "View Certificate"

Go to "Details" tab

Click on "Certification Path" and then "Copy to File..."

Click Next

Choose "DER encoded binary..." and then "Next"

Choose where to save the file

Finish the export

2.) Add the exported cert to the server where the curl command is being issued from

3.) Convert the format of the cert file to create a .pem file (the export from step 1 is DER encoded, so the input format is DER)
/usr/bin/openssl x509 -inform DER -in FILE.cer -out FILE.pem -text

4.) Run a curl command to test a simple job.
/usr/bin/curl --cacert /home/srv-uc4/FILE.pem -u MR_TEST/MR_TEST -X POST -H "Content-Type: application/json" https://host.company.local:8088/ae/api/v1/1234/executions -d "{\"object_name\":\"UC4.J.TESTRUN\"}"

Expected result:
{
"run_id" : 1921088
}

Troubleshooting commands:
/usr/bin/curl -v --cacert /home/srv-uc4/FILE.pem https://host.company.local:8088/ae/api/v1/1234/executions
/usr/bin/openssl s_client -showcerts -servername host.company.local -connect host.company.local:8088
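
A scripted form of step 3 with two checks before the file is passed to --cacert, as an added example that is not part of the original article: it converts the export whether the browser saved it as DER or Base-64, and confirms the certificate is unexpired and sits at the beginning of the certification path (subject equals issuer). The function names to_pem and check_anchor are hypothetical; only standard openssl x509 options are used.

```bash
#!/usr/bin/env bash
# Added example: prepare a browser-exported certificate for curl --cacert.
# to_pem / check_anchor are hypothetical helper names, not Automic or curl tools.

# to_pem IN OUT: write certificate IN to OUT as PEM and print the
# encoding that was detected (DER or PEM).
to_pem() {
    local in=$1 out=$2 fmt=DER
    # A Base-64 export carries the PEM armour line; a DER export is raw binary.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$in" && fmt=PEM
    if openssl x509 -inform "$fmt" -in "$in" -out "$out" 2>/dev/null; then
        echo "$fmt"
    else
        rm -f "$out"                      # leave no half-written file behind
        echo "not an X.509 certificate: $in" >&2
        return 1
    fi
}

# check_anchor PEM: succeed only if the certificate is still valid and is
# the beginning of the certification path (self-issued). A server (leaf)
# certificate exported by mistake fails with status 3.
check_anchor() {
    local pem=$1
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired or unreadable: $pem" >&2
        return 2
    fi
    if [ "$(openssl x509 -in "$pem" -noout -subject_hash)" != \
         "$(openssl x509 -in "$pem" -noout -issuer_hash)" ]; then
        echo "not the beginning of the certification path: $pem" >&2
        return 3
    fi
}

# Usage with the article's file names:
#   to_pem FILE.cer FILE.pem && check_anchor FILE.pem
# then run the curl command from step 4 with --cacert FILE.pem
```

If check_anchor returns 3, repeat the export from step 1 and select the first entry of the Certification path rather than the server certificate.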
