Why I am receiving this error?: "SSL certificate problem: unable to get local issuer certificate (Peer certificate cannot be authenticated with given CA certificates)"

Document ID:  TEC1021188
Last Modified Date:  08/02/2017
{{active ? 'Hide' : 'Show'}} Technical Document Details

Products

  • CA App Synthetic Monitor

Releases

  • CA App Synthetic Monitor:Release:8.3
  • CA App Synthetic Monitor:Release:8.2

Components

  • CA APM CLOUD MONITOR (WATCHMOUSE):WMAPP
  • APM CLOUD MONITOR ENVIRONMENTAL:WMENV
Issue:

  We are receiving the following alert from various checkpoints in Cloud Monitor:
"SSL certificate problem: unable to get local issuer certificate (Peer certificate cannot be authenticated with given CA certificates)"

Cause:

We began updating our Monitoring stations with an update list of trusted certificate authorities. As a result, customers may start getting the error because their certificate issuer is no longer trusted by ASM and this is a legitimate error.

  Technical details - Debian recently updated their packages to add and remove various certificate authorities. In this update the following certificate authorities were removed:

     - "A-Trust-nQual-03"
     - "America Online Root Certification Authority 1"
     - "America Online Root Certification Authority 2"
     - "Buypass Class 3 CA 1"
     - "ComSign Secured CA"
     - "Digital Signature Trust Co. Global CA 1"
     - "Digital Signature Trust Co. Global CA 3"
     - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
     - "GTE CyberTrust Global Root"
     - "SG TRUST SERVICES RACINE"
     - "TC TrustCenter Class 2 CA II"
     - "TC TrustCenter Universal CA I"
     - "Thawte Premium Server CA"
     - "Thawte Server CA"
     - "TURKTRUST Certificate Services Provider Root 1"
     - "TURKTRUST Certificate Services Provider Root 2"
     - "UTN DATACorp SGC Root CA"
     - "Verisign Class 4 Public Primary Certification Authority - G3"


  While there is not a case-by-case breakdown, many of these are 1024-bit RSA Keys that most web browsers were dropped, keys that were exposed and are now vulnerable to spoofing, or no longer meet accepted standards.

Resolution:

Resolution:
  Update the monitored station with a trusted certificate.

Workaround: 
  Alternatively if want to keep the certificate for some time and still monitor do the following:
  - Change the monitor type from http to https in the URL settings
  - Make sure the advanced option “Verify certificate” is not checked.

Additional Information:

Please help us improve!

Will this information enable you to resolve your issue?

Please tell us what we can do better.

{{feedbackText.length ? feedbackText.length : '0'}}/255

{{status}}

Not what you were looking for?

Search Again >

Product Information

Support by Product >

Communities

Join a Community >