HTTPS Monitor fails when run from San Francisco, but works from other locations - (9260) SSL certificate problem: self signed certificate in certificate chain
Article ID: 225517
Updated On:
Products
CA App Synthetic Monitor
Issue/Introduction
HTTPS monitor fails with (9260) SSL certificate problem: self signed certificate in certificate chain (Peer certificate cannot be authenticated with given CA certificates) when run from San Francisco but not other locations.
Environment
Release : SAAS
Component : CA APP SYNTHETIC MONITOR (WATCHMOUSE)
Cause
The problem is that the site has 2 possible certification paths - one is valid one is not. This can be checked this using public website ssllabs.com/ssltest
The output shows the following
|
Path #1: Trusted
|
||
| 1 | Sent by server | server.mydomain.com Fingerprint SHA256: fb9246d694c8280e38ff4514df66e97dfad93c8826c3059642c797b98f909465 Pin SHA256: PiM1i4DeUPbLlJnaoAbeZqeWtBO616nKJw2+EfzPToU= RSA 2048 bits (e 65537) / SHA256withRSA |
| 2 | Sent by server | COMODO RSA Organization Validation Secure Server CA Fingerprint SHA256: 111006378afbe8e99bb02ba87390ca429fca2773f74d7f7eb5744f5ddf68014b Pin SHA256: EgNpQklEUNXn9Nl6RoIOC532j1g5+EFw0ZpLxxJq9Ms= RSA 2048 bits (e 65537) / SHA384withRSA |
| 3 | Sent by server In trust store |
COMODO RSA Certification Authority Self-signed Fingerprint SHA256: 52f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234 Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= RSA 4096 bits (e 65537) / SHA384withRSA |
|
Path #2: Trusted
|
||
| 1 | Sent by server | server.mydomain.com Fingerprint SHA256: fb9246d694c8280e38ff4514df66e97dfad93c8826c3059642c797b98f909465 Pin SHA256: PiM1i4DeUPbLlJnaoAbeZqeWtBO616nKJw2+EfzPToU= RSA 2048 bits (e 65537) / SHA256withRSA |
| 2 | Sent by server | COMODO RSA Organization Validation Secure Server CA Fingerprint SHA256: 111006378afbe8e99bb02ba87390ca429fca2773f74d7f7eb5744f5ddf68014b Pin SHA256: EgNpQklEUNXn9Nl6RoIOC532j1g5+EFw0ZpLxxJq9Ms= RSA 2048 bits (e 65537) / SHA384withRSA |
| 3 | Extra download | COMODO RSA Certification Authority Fingerprint SHA256: 38392f17ce7b682c198d29c6e71d2740964a2074c8d2558e6cff64c27823f129 Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= RSA 4096 bits (e 65537) / SHA384withRSA |
| 4 | In trust store | AAA Certificate Services Self-signed Fingerprint SHA256: d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4 Pin SHA256: vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= RSA 2048 bits (e 65537) / SHA1withRSA Weak or insecure signature, but no impact on root certificate |
The problem here is that one of the certification paths required an additional download because the intermediate certificate is missing,. This can be handled by browsers but the HTTPS Monitor is not able to do the extra download and so if that path is chosen it will fail.
Resolution
There are many factors that could affect which certificate path is used for a connection and determining why a particular one is used would be a resource intensive activity and ultimately would not solve the problem
The solution is that the certificate path needs to be corrected to include the missing certificate.
Attachments
Feedback
Yes
No
Powered by
