SSL Peer Certificate or SSH Remote Key Was Not OK

Issue

The following error can appear when DSS fails to open an outbound HTTPS connection, for example while fetching an Azure token:

SSL peer certificate or SSH remote key was not OK. Underlying error: unable to get local issuer certificate

Example full error: F_JG4E05: Could not get the Azure Token. Reason: Failed to GetToken. Error: GetToken(): Fail to get a new connection for: https://login.microsoftonline.com. SSL peer certificate or SSH remote key was not OK. Underlying error: unable to get local issuer certificate

The first sentence is libcurl's generic message for a failed peer verification; the underlying error is OpenSSL's and is the one that matters: the certificate chain presented by the server could not be linked to any CA in the bundle DSS trusts. Either the chain DSS receives is not the one signed by the server's public CA (the usual case when a proxy re-signs traffic), or the bundle DSS is using lacks the issuing CA.

Environment

  • DSS 6

Resolution

Using a Proxy with SSL Inspection

If your environment uses a proxy that performs SSL inspection (it terminates the TLS connection, decrypts the traffic and re-signs it with its own CA), the chain DSS sees is issued by that CA rather than by the public CA, so DSS must be configured to trust the proxy's CA. Only do this for a proxy your organization operates, and do it by adding the CA to the trust bundle rather than by disabling certificate verification; note that the appended CA becomes trusted for every HTTPS destination DSS reaches:

  1. Obtain the CA certificate the proxy uses to re-sign SSL traffic (for example, proxy-ca-cert.crt), in PEM format (a text file beginning with -----BEGIN CERTIFICATE-----). Get it from the team that operates the proxy, so that you know you are trusting your own infrastructure and not whatever currently sits in the network path.

  2. Create the path to the custom certificate bundle that DSS will use and copy the default CA bundle provided with DSS into it:

    mkdir -p $DSS_CONFIG/etc/cert
    cp $DSS_HOME/etc/cert/ca-bundle.crt $DSS_CONFIG/etc/cert/ca-bundle.crt
    
  3. Append the custom CA certificate to the copied CA bundle (first make sure the bundle ends with a newline, so that the appended certificate starts on its own line and both certificates remain parseable):

    cat proxy-ca-cert.crt >> $DSS_CONFIG/etc/cert/ca-bundle.crt
    

DSS first checks for the custom certificate bundle in $DSS_CONFIG/etc/cert/ca-bundle.crt and uses it if present; otherwise, it falls back to the default bundle in $DSS_HOME/etc/cert/ca-bundle.crt. The custom bundle replaces the default one rather than extending it, which is why step 2 copies the default bundle before anything is appended.

Outdated Certificates in DSS_CONFIG

If $DSS_CONFIG/etc/cert/ca-bundle.crt already exists and you are not using a proxy, this error can occur because the certificates in that copy are outdated: DSS uses the copy instead of the bundle shipped with the currently installed version, so root CAs added or replaced in later DSS releases never reach it. Refresh it by copying the current $DSS_HOME/etc/cert/ca-bundle.crt over it again (re-appending any custom CA you still need), or remove the copy if you no longer need a custom bundle.
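As an added example (not part of the DSS documentation and not DSS's own tooling), the following POSIX shell script carries out the proxy procedure above with the checks a practitioner would want, and covers the outdated-copy case as well: it refuses files that are not PEM certificates (a DER export or an accidentally exported private key), guards against a bundle whose last line has no trailing newline, and recreates $DSS_CONFIG/etc/cert/ca-bundle.crt from the bundle shipped with the running DSS before appending. The function names and the constructed sample files in demo_run are this example's own; $DSS_HOME and $DSS_CONFIG are assumed to be set as in the DSS documentation.

```shell
#!/bin/sh
# Added example, not DSS tooling: install a proxy CA into the DSS trust bundle.
# Assumes $DSS_HOME and $DSS_CONFIG are set as in the DSS docs; the function
# names and the PEM checks below are this example's own.

# Number of PEM certificates in a file (0 if the file is missing).
pem_cert_count() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Accept only a PEM certificate file. `cat >>` happily appends a DER export or
# a private key; the former is never trusted, the latter leaks a key into a
# file that other DSS components read.
is_pem_cert_file() {
    [ -f "$1" ] || return 1
    grep -q 'PRIVATE KEY' "$1" && return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$1"
}

# Append ca_file to bundle. If the bundle's last line has no trailing newline,
# a plain `cat >>` fuses "-----END CERTIFICATE-----" with the next
# "-----BEGIN CERTIFICATE-----" line and OpenSSL skips both certificates.
append_ca_to_bundle() {
    ca_file=$1; bundle=$2
    is_pem_cert_file "$ca_file" || { echo "refusing $ca_file: not a PEM certificate" >&2; return 1; }
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    cat "$ca_file" >> "$bundle"
}

# The article's procedure: make the $DSS_CONFIG bundle a fresh copy of the one
# shipped with the running DSS (so it can never be outdated), then append the
# proxy CA. Re-run after each DSS upgrade; for several CAs, call this once and
# append_ca_to_bundle for the rest.
install_proxy_ca() {
    ca_file=$1
    dss_home=${2:-$DSS_HOME}
    dss_config=${3:-$DSS_CONFIG}
    [ -n "$dss_home" ] && [ -n "$dss_config" ] || { echo "DSS_HOME/DSS_CONFIG not set" >&2; return 1; }
    mkdir -p "$dss_config/etc/cert"
    cp "$dss_home/etc/cert/ca-bundle.crt" "$dss_config/etc/cert/ca-bundle.crt"
    append_ca_to_bundle "$ca_file" "$dss_config/etc/cert/ca-bundle.crt"
}

# Self-contained demonstration on constructed files (placeholder bodies, not
# real certificates: the checks above look only at PEM framing). The fake
# shipped bundle deliberately lacks a final newline. Prints the certificate
# count of the resulting bundle, which is 3.
demo_run() {
    d=$(mktemp -d)
    mkdir -p "$d/home/etc/cert"
    b='-----BEGIN CERTIFICATE-----'
    e='-----END CERTIFICATE-----'
    printf '%s\n%s\n%s\n%s\n%s\n%s' "$b" MIIBshipped1 "$e" "$b" MIIBshipped2 "$e" \
        > "$d/home/etc/cert/ca-bundle.crt"
    printf '%s\n%s\n%s\n' "$b" MIIBproxyca "$e" > "$d/proxy-ca-cert.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' MIIBkey '-----END PRIVATE KEY-----' > "$d/oops.key"
    install_proxy_ca "$d/proxy-ca-cert.crt" "$d/home" "$d/config" || return 1
    # A private key must be refused and must leave the bundle untouched.
    if append_ca_to_bundle "$d/oops.key" "$d/config/etc/cert/ca-bundle.crt" 2>/dev/null; then
        echo "private key was accepted" >&2; return 1
    fi
    pem_cert_count "$d/config/etc/cert/ca-bundle.crt"
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo_run ;;
    "")   ;;                       # no arguments: only define the functions
    *)    install_proxy_ca "$1" ;; # real use: install_proxy_ca proxy-ca-cert.crt
esac
```

Saved as, say, install-proxy-ca.sh (a hypothetical name), `sh install-proxy-ca.sh demo` exercises it on the constructed files and `sh install-proxy-ca.sh proxy-ca-cert.crt` applies it to a real deployment. If the proxy exports its CA in DER form, convert it first with `openssl x509 -inform DER -in proxy-ca.cer -out proxy-ca-cert.crt`. Afterwards, confirm from the DSS host that the new bundle verifies the intercepted chain, for example with `curl --cacert "$DSS_CONFIG/etc/cert/ca-bundle.crt" https://login.microsoftonline.com`, which should no longer report a verification failure.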