We are receiving the following alert from various checkpoints in Cloud Monitor:
"SSL certificate problem: unable to get local issuer certificate (Peer certificate cannot be authenticated with given CA certificates)"
We began updating our monitoring stations with an updated list of trusted certificate authorities. As a result, customers may start getting this error because their certificate issuer is no longer trusted by ASM; in that case the error is legitimate.
Technical details - Debian recently updated their packages to add and remove various certificate authorities. In this update the following certificate authorities were removed:
- "A-Trust-nQual-03"
- "America Online Root Certification Authority 1"
- "America Online Root Certification Authority 2"
- "Buypass Class 3 CA 1"
- "ComSign Secured CA"
- "Digital Signature Trust Co. Global CA 1"
- "Digital Signature Trust Co. Global CA 3"
- "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
- "GTE CyberTrust Global Root"
- "SG TRUST SERVICES RACINE"
- "TC TrustCenter Class 2 CA II"
- "TC TrustCenter Universal CA I"
- "Thawte Premium Server CA"
- "Thawte Server CA"
- "TURKTRUST Certificate Services Provider Root 1"
- "TURKTRUST Certificate Services Provider Root 2"
- "UTN DATACorp SGC Root CA"
- "Verisign Class 4 Public Primary Certification Authority - G3"
While there is not a case-by-case breakdown, many of these are 1024-bit RSA keys that most web browsers have dropped, keys that were exposed and are now vulnerable to spoofing, or keys that no longer meet accepted standards.
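To confirm that an alert comes from this change, check whether the monitored site's chain leads to one of the removed roots. The following is an added example, not part of the original article or the product: it parses the `Certificate chain` section of `openssl s_client -showcerts` output and flags entries whose CN matches a removed name. The function name, the sample output, and matching on the CN field are assumptions; a root whose DN does not carry the listed name as its CN will not be flagged.

```python
import re

# Names of the removed roots, copied from the list above.
REMOVED_ROOTS = {n.casefold() for n in (
    "A-Trust-nQual-03", "America Online Root Certification Authority 1",
    "America Online Root Certification Authority 2", "Buypass Class 3 CA 1",
    "ComSign Secured CA", "Digital Signature Trust Co. Global CA 1",
    "Digital Signature Trust Co. Global CA 3", "GTE CyberTrust Global Root",
    "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi",
    "SG TRUST SERVICES RACINE", "TC TrustCenter Class 2 CA II",
    "TC TrustCenter Universal CA I", "Thawte Premium Server CA",
    "Thawte Server CA", "UTN DATACorp SGC Root CA",
    "TURKTRUST Certificate Services Provider Root 1",
    "TURKTRUST Certificate Services Provider Root 2",
    "Verisign Class 4 Public Primary Certification Authority - G3",
)}

# A chain entry is " 0 s:<subject DN>" followed by "   i:<issuer DN>".
CHAIN_LINE = re.compile(r"^\s*(?:(\d+)\s+)?([si]):(.*)$")
CN = re.compile(r"(?:^|[/,])\s*CN\s*=\s*([^/,]+)")  # "/CN=x" or ", CN = x"

def removed_roots_in_chain(s_client_output):
    """Return (depth, role, CN) for chain entries whose CN is a removed root."""
    hits, depth, in_chain = [], None, False
    for line in s_client_output.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of chain section; PEM "-----BEGIN" markers do not match
        elif in_chain and (m := CHAIN_LINE.match(line)):
            depth = int(m.group(1)) if m.group(1) else depth
            cn = CN.search(m.group(3))
            if cn and cn.group(1).strip().casefold() in REMOVED_ROOTS:
                role = "subject" if m.group(2) == "s" else "issuer"
                hits.append((depth, role, cn.group(1).strip()))
    return hits

# Constructed sample (s_client -showcerts layout); entry 1 uses slash-style DNs.
SAMPLE = """\
Certificate chain
 0 s:C = US, O = Example Corp, CN = www.example.test
   i:C = US, O = Example Intermediate, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Intermediate/CN=Example Issuing CA
   i:/C=ZA/O=Thawte Consulting cc/CN=Thawte Server CA
---
"""
if __name__ == "__main__":
    print(removed_roots_in_chain(SAMPLE))
```

An empty result means no entry in the presented chain names a removed root, so the alert has another cause, such as a missing intermediate certificate.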
Resolution:
Update the monitored station with a trusted certificate.
Workaround:
Alternatively, if you want to keep the certificate for some time and still monitor the site, do the following:
- Change the monitor type from http to https in the URL settings
- Make sure the advanced option “Verify certificate” is not checked.