Self-signed cert errors

security
events-api

(Dharma Indurthy) #1

Hopefully you guys are aware, but we’re hitting self-signed cert errors when sending to the events API.

{ [Error: self signed certificate] code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }

We’re posting to https://events.pagerduty.com/v2/enqueue

Looks inconsistent. I can see it with a curl occasionally also:

$ curl https://events.pagerduty.com
$ curl https://events.pagerduty.com
$ curl https://events.pagerduty.com
$ curl https://events.pagerduty.com
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

(Alex Maier) #2

It seems like you are already working with our Support on this issue, but for the benefit of the wider community, let me post the solution here.

Do you have GeoTrust’s root CA certificate trusted on your system? It is true that the certificate is self-signed but it is also signed by a certificate authority.

If GeoTrust’s certificate is trusted, and you connect with OpenSSL using openssl s_client -host events.pagerduty.com -port 443, you should see certificate details in the output that look like this:

depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0

Certificate chain
 0 s:/OU=GT12858685/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.pagerduty.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Please check to see if that is the case, or if openssl exits with errors. GeoTrust’s root certificates can be downloaded here:

https://www.geotrust.com/resources/root-certificates/
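Added example, not part of either post above and not PagerDuty's code: the error in post #1 (DEPTH_ZERO_SELF_SIGNED_CERT) and the one in the s_client output in post #2 (error 19, self signed certificate in certificate chain) describe different chain shapes, and this Node.js sketch tells them apart from the "Certificate chain" section of saved `openssl s_client` output. The function names, the second sample chain and the ISSUER_MISMATCH / ROOT_NOT_SENT / NO_CHAIN labels are this example's own; names are compared as strings and no signatures are checked.

```javascript
'use strict';

// Chain section exactly as posted in reply #2 of this thread.
const CHAIN_FROM_THREAD = `Certificate chain
 0 s:/OU=GT12858685/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.pagerduty.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
`;

// Constructed sample (not from the thread): a leaf whose subject is its own issuer.
const CHAIN_SELF_SIGNED_LEAF = `Certificate chain
 0 s:/CN=appliance.example.invalid
   i:/CN=appliance.example.invalid
`;

// Parse "N s:<subject>" / "i:<issuer>" line pairs into {depth, subject, issuer}.
function parseChain(text) {
  const certs = [];
  for (const line of text.split('\n')) {
    const s = line.match(/^\s*(\d+)\s+s:(.*)$/);
    const i = line.match(/^\s+i:(.*)$/);
    if (s) certs.push({ depth: Number(s[1]), subject: s[2].trim(), issuer: null });
    else if (i && certs.length) certs[certs.length - 1].issuer = i[1].trim();
  }
  return certs;
}

// Name the failure a client reports for this chain shape when the topmost
// certificate is NOT in its trust store (heuristic: names only).
function classifyChain(text) {
  const certs = parseChain(text);
  if (certs.length === 0) return 'NO_CHAIN';
  // Leaf issued by itself: the server (or something in the path) presented
  // a standalone self-signed certificate, not a CA-issued one.
  if (certs[0].subject === certs[0].issuer) return 'DEPTH_ZERO_SELF_SIGNED_CERT';
  // Each certificate's issuer must be the subject of the next one up.
  for (let n = 0; n + 1 < certs.length; n++) {
    if (certs[n].issuer !== certs[n + 1].subject) return 'ISSUER_MISMATCH';
  }
  const top = certs[certs.length - 1];
  // A complete chain ending in a self-signed root fails only if that root is untrusted.
  return top.subject === top.issuer ? 'SELF_SIGNED_CERT_IN_CHAIN' : 'ROOT_NOT_SENT';
}
```

A DEPTH_ZERO_SELF_SIGNED_CERT result on some connections and SELF_SIGNED_CERT_IN_CHAIN on others means the endpoint is not presenting the same certificate each time, which installing a root CA on the client does not address.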

