HTTPS Monitor fails when run from San Francisco, but works from other locations - (9260) SSL certificate problem: self signed certificate in certificate chain

Article ID: 225517

Products

CA App Synthetic Monitor

Issue/Introduction

HTTPS monitor fails with (9260) SSL certificate problem: self signed certificate in certificate chain (Peer certificate cannot be authenticated with given CA certificates) when run from San Francisco but not other locations.  

Cause

The problem is that the site has 2 possible certification paths: one is valid, one is not. This can be checked using the public website ssllabs.com/ssltest
 
The output shows the following:

Path #1: Trusted

  1  Sent by server server.mydomain.com
     Fingerprint SHA256: fb9246d694c8280e38ff4514df66e97dfad93c8826c3059642c797b98f909465
     Pin SHA256: PiM1i4DeUPbLlJnaoAbeZqeWtBO616nKJw2+EfzPToU=
     RSA 2048 bits (e 65537) / SHA256withRSA

  2  Sent by server COMODO RSA Organization Validation Secure Server CA
     Fingerprint SHA256: 111006378afbe8e99bb02ba87390ca429fca2773f74d7f7eb5744f5ddf68014b
     Pin SHA256: EgNpQklEUNXn9Nl6RoIOC532j1g5+EFw0ZpLxxJq9Ms=
     RSA 2048 bits (e 65537) / SHA384withRSA

  3  Sent by server, In trust store COMODO RSA Certification Authority   Self-signed
     Fingerprint SHA256: 52f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234
     Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=
     RSA 4096 bits (e 65537) / SHA384withRSA

Path #2: Trusted

  1  Sent by server server.mydomain.com
     Fingerprint SHA256: fb9246d694c8280e38ff4514df66e97dfad93c8826c3059642c797b98f909465
     Pin SHA256: PiM1i4DeUPbLlJnaoAbeZqeWtBO616nKJw2+EfzPToU=
     RSA 2048 bits (e 65537) / SHA256withRSA

  2  Sent by server COMODO RSA Organization Validation Secure Server CA
     Fingerprint SHA256: 111006378afbe8e99bb02ba87390ca429fca2773f74d7f7eb5744f5ddf68014b
     Pin SHA256: EgNpQklEUNXn9Nl6RoIOC532j1g5+EFw0ZpLxxJq9Ms=
     RSA 2048 bits (e 65537) / SHA384withRSA

  3  Extra download COMODO RSA Certification Authority
     Fingerprint SHA256: 38392f17ce7b682c198d29c6e71d2740964a2074c8d2558e6cff64c27823f129
     Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=
     RSA 4096 bits (e 65537) / SHA384withRSA

  4  In trust store AAA Certificate Services   Self-signed
     Fingerprint SHA256: d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4
     Pin SHA256: vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM=
     RSA 2048 bits (e 65537) / SHA1withRSA
     Weak or insecure signature, but no impact on root certificate

The problem here is that one of the certification paths required an additional download because the intermediate certificate is missing. Browsers can handle this, but the HTTPS Monitor is not able to do the extra download, so if that path is chosen it will fail.

Environment

Release : SAAS

Component : CA APP SYNTHETIC MONITOR (WATCHMOUSE)

Resolution

Many factors could affect which certificate path is used for a connection. Determining why a particular one is used would be a resource-intensive activity and ultimately would not solve the problem.

The solution is that the certificate path needs to be corrected to include the missing certificate.
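
A simplified model of the two certification paths above, as an added example (not from the original article or the product). It matches certificates by name only, infers the issuer links from the order of each path in the report, and uses two hypothetical client trust stores to show which clients can build a path before and after the missing certificate is added to what the server sends.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

# Names come from the SSL Labs report above; issuer links are inferred from
# the order of each path. Matching is by name only (no signature checks).
OV_CA = "COMODO RSA Organization Validation Secure Server CA"
COMODO = "COMODO RSA Certification Authority"
AAA = "AAA Certificate Services"

LEAF = Cert("server.mydomain.com", OV_CA)
INTERMEDIATE = Cert(OV_CA, COMODO)
COMODO_ROOT = Cert(COMODO, COMODO)    # self-signed, path #1
COMODO_CROSS = Cert(COMODO, AAA)      # "Extra download", path #2
AAA_ROOT = Cert(AAA, AAA)             # self-signed, path #2

SENT_BY_SERVER = [LEAF, INTERMEDIATE, COMODO_ROOT]
SENT_AFTER_FIX = SENT_BY_SERVER + [COMODO_CROSS]  # missing certificate added

def build_path(cert, available, trust_store, chain=()):
    """Depth-first search for a chain from cert to a certificate in trust_store.

    `available` holds untrusted certificates the client can use as issuers:
    what the server sent, plus downloads for clients that fetch them.
    Returns the chain as a list, or None when no trusted path exists.
    """
    chain = chain + (cert,)
    if cert in trust_store:
        return list(chain)
    if cert.subject == cert.issuer:
        return None  # self-signed but not trusted: dead end
    for issuer in list(trust_store) + list(available):
        if issuer.subject == cert.issuer and issuer not in chain:
            found = build_path(issuer, available, trust_store, chain)
            if found:
                return found
    return None

if __name__ == "__main__":
    # Hypothetical clients: one trusts the COMODO root, one only the AAA root.
    for name, store in (("COMODO root", [COMODO_ROOT]), ("AAA root", [AAA_ROOT])):
        for label, sent in (("as sent", SENT_BY_SERVER), ("fixed", SENT_AFTER_FIX)):
            path = build_path(LEAF, sent, store)
            print(name, label, [c.subject for c in path] if path else "FAIL")
```

In this model only the client that relies on the AAA root fails against the chain as sent, and it succeeds once the server also sends the certificate listed as "Extra download".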
