Why am I receiving this error: "SSL certificate problem: unable to get local issuer certificate (Peer certificate cannot be authenticated with given CA certificates)"?

Article ID: 4256

Products

CA App Synthetic Monitor

Issue/Introduction

  We are receiving the following alert from various checkpoints in Cloud Monitor:
"SSL certificate problem: unable to get local issuer certificate (Peer certificate cannot be authenticated with given CA certificates)"

Environment

Release: APMCMB99000-8.3-App Synthetic Monitor-Basic Option
Component:

Cause

We began updating our monitoring stations with an updated list of trusted certificate authorities. As a result, customers may start getting this error because their certificate issuer is no longer trusted by ASM; in that case the error is legitimate.

  Technical details - Debian recently updated their packages to add and remove various certificate authorities. In this update the following certificate authorities were removed:

     - "A-Trust-nQual-03"
     - "America Online Root Certification Authority 1"
     - "America Online Root Certification Authority 2"
     - "Buypass Class 3 CA 1"
     - "ComSign Secured CA"
     - "Digital Signature Trust Co. Global CA 1"
     - "Digital Signature Trust Co. Global CA 3"
     - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
     - "GTE CyberTrust Global Root"
     - "SG TRUST SERVICES RACINE"
     - "TC TrustCenter Class 2 CA II"
     - "TC TrustCenter Universal CA I"
     - "Thawte Premium Server CA"
     - "Thawte Server CA"
     - "TURKTRUST Certificate Services Provider Root 1"
     - "TURKTRUST Certificate Services Provider Root 2"
     - "UTN DATACorp SGC Root CA"
     - "Verisign Class 4 Public Primary Certification Authority - G3"


  While there is not a case-by-case breakdown, many of these are 1024-bit RSA keys that most web browsers have dropped, keys that were exposed and are now vulnerable to spoofing, or keys that no longer meet accepted standards.
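
  To see whether a monitored site is affected, the issuer names in its certificate chain can be compared with the list above. The following is an added example, not part of the original article or of ASM: it parses the "Certificate chain" listing printed by `openssl s_client -showcerts` and reports links whose issuer is on the removed list. The sample listing is constructed, and treating the listed CA names as issuer CNs is an assumption that will not hold for every entry.

```python
import re

# CA names as listed in this article; matching them to issuer CNs is an assumption.
REMOVED_CAS = [
    "A-Trust-nQual-03", "Buypass Class 3 CA 1", "ComSign Secured CA",
    "America Online Root Certification Authority 1",
    "America Online Root Certification Authority 2",
    "Digital Signature Trust Co. Global CA 1",
    "Digital Signature Trust Co. Global CA 3",
    "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi",
    "GTE CyberTrust Global Root", "SG TRUST SERVICES RACINE",
    "TC TrustCenter Class 2 CA II", "TC TrustCenter Universal CA I",
    "Thawte Premium Server CA", "Thawte Server CA", "UTN DATACorp SGC Root CA",
    "TURKTRUST Certificate Services Provider Root 1",
    "TURKTRUST Certificate Services Provider Root 2",
    "Verisign Class 4 Public Primary Certification Authority - G3",
]

# Constructed sample of `openssl s_client -showcerts` output (made-up host and intermediate).
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.test
   i:/C=US/O=Example Issuing CA/CN=Example Issuing CA
 1 s:/C=US/O=Example Issuing CA/CN=Example Issuing CA
   i:/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA
"""

_LINE = re.compile(r"^[ \t]*(?:\d+[ \t]+)?([si]):(.*)$", re.M)  # "s:" / "i:" lines
_CN = re.compile(r"CN\s*=\s*([^,/]+)")  # handles "/CN=x" and "CN = x" styles

def parse_chain(text):
    """Return (subject CN, issuer CN) pairs from an s_client chain listing."""
    chain, subject = [], None
    for kind, dn in _LINE.findall(text):
        cn = _CN.search(dn)
        name = " ".join((cn.group(1) if cn else dn).split())
        if kind == "s":
            subject = name
        else:
            chain.append((subject, name))
    return chain

def removed_issuers(text):
    """Chain links whose issuer name is on the removed list (case-insensitive)."""
    removed = {n.lower() for n in REMOVED_CAS}
    return [(s, i) for s, i in parse_chain(text) if i.lower() in removed]

if __name__ == "__main__":
    print(removed_issuers(SAMPLE_CHAIN))
```

  An empty result does not prove the chain is trusted; it only means no issuer CN matched a name from the list.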

Resolution

Resolution:
  Update the monitored station with a trusted certificate.

Workaround: 
  Alternatively, if you want to keep the certificate for some time and still monitor, do the following:
  - Change the monitor type from http to https in the URL settings
  - Make sure the advanced option “Verify certificate” is not checked.

Additional Information

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806239