Webhook: Peer certificate cannot be authenticated with known CA certificates

Anonymous
Not applicable
Hi,

I have a webhook that sometimes returns this error:

"Peer certificate cannot be authenticated with known CA certificates"

Anyone know what the solution is to this error?

Thanks!
Scott
13 REPLIES
Anonymous
Not applicable
Hi,

Just chiming back in on this.  I changed the webhook from an XML POST to a JSON GET and it's worked consistently without error.  If anyone is using a webhook, I'd advise using JSON first - it seems more stable and more responsive.

Thanks,
Scott
Anonymous
Not applicable
Hello again,
I'd like to post a comment here for anyone with a similar problem: after three weeks of discussing and waiting for a response from support, we've received information that the company root certificate cannot be installed, so we will create a publicly trusted cert.

Regards,
Vaclav.
Anonymous
Not applicable
Hello Scott,
I'm glad it helped to find a reason why it does not work. I've been successful with my problem as well. Marketo by default trusts only peers with a certificate authorized by some big CA such as Symantec, Comodo, etc.; our certificate was signed only by our company root certificate.
Even though my question about this was not answered here, I've turned to support and they said that they will install our root certificate on our machine, so now I'm waiting for that. I hope that this will help anyone who gets into the same trouble as I did.

Thanks to you all,
V.

Anonymous
Not applicable
Hi Vaclav,

Thanks for the info - this really helped to narrow down the problem.  It looks like our API runs through Amazon Web Services and that can change IPs every once in a while - that's why it works in most cases (where the IPs are currently accepted) but fails in some cases (where AWS has added new IPs and runs the call through it).

Thanks!
Scott
Anonymous
Not applicable

Hi Scott,

Yes, that's what I meant. The solution to this might be the wildcard certificate; see, for example, some information here:
http://stackoverflow.com/questions/1822268/how-do-i-create-my-own-wildcard-certificate-on-linux

On the other hand, if you run some cloud service behind that balancer, you do not necessarily need to have hostnames on those servers, so there are only IP addresses, which I believe can be set as the Common Name as well, and maybe with the wildcard char * too, but that's just a guess...
One more link with some good information:
http://info.ssl.com/Article.aspx?id=10048

I hope this will help,

regards,
Vaclav
Anonymous
Not applicable
Hi Vaclav,

Thanks for the response.  It sounds like you're saying the IP addresses are covered by the certificate but the host names, in some cases, are not.  Is that accurate?  If that's the case, do you know what I should do to fix the situation?  Get more host names added to our certificate?

Just curious - we're getting this webhook installed in client environments so I'd like to be sure it will work consistently.

Thanks,
Scott
Anonymous
Not applicable
@ Scott:
You've mentioned that you get that error only sometimes, and you have mentioned that you have a balancer which is then forwarding the request to another server. The certificate may contain IP addresses which are allowed, and host names as well, so if you, for example, added some computer with a new IP address, then the host is not covered by that certificate.

I hope I've explained that correctly, my knowledge of this topic is not so deep...
Vaclav
Anonymous
Not applicable
Hello everyone,
I'd like to ask about this issue as well. We'd like to use secure webhooks, and so we've created a certificate signed by our company, but this root certificate is not trusted by Marketo (it seems so). Is it possible to ask support to install this root certificate for our instance? Or what shall we do?

Thank you for your responses.
Regards,
Vaclav
Anonymous
Not applicable
Hi Raj,

Thanks for the quick responses.  Just heard back from our tech team on this and here's their response:

The SSL certificate is already installed on the load balancer that sits in front of the two API servers. I don’t think there’s anything else for us to do with the cert. It is a valid cert and is used in several other places within our infrastructure without issue.
 
Can they update their Root Certificate Authority (CA) list on their server? Maybe the cert chain via GoDaddy is using newer intermediate or root CAs that are not in their server's list of CAs…

That's his suggestion - is that something you guys can do? 

Thanks!
Scott
Anonymous
Not applicable
The cert has to be uploaded to the keystore of your server, not ours.
Anonymous
Not applicable
Hi,

I spoke with my tech team and we have a "wild card" certificate that they're saying Java hates.  Which may explain why the webhook works sometimes and throws that error other times.  They said in the past they've had to have the other system upload our certificate for it to work consistently.  Is that something you guys could do?  Let me know, happy to get you our certificate.

Thanks,
Scott
Kenny_Elkington
Marketo Employee
Hey Scott,

This error is typically the result of the SSL certificate for the domain or subdomain that you're submitting to not being tied to a trusted root certificate.  You can find details about implementing this here: https://support.comodo.com/index.php?_m=knowledgebase&_a=view&parentcategoryid=95&pcid=1&nav=0,96,1
Anonymous
Not applicable
Looks like you are making a WH call to a secure endpoint (i.e., an https URL).  Does the secure endpoint have a valid SSL cert?
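
Added example, not part of any post in this thread: a diagnostic for the "works sometimes, fails other times" symptom that runs a verified TLS handshake against every IP address behind the webhook hostname and maps the OpenSSL verify code to the causes raised above (untrusted private root, missing intermediate, hostname not covered). The host `webhook.example.com` is a placeholder, the function names are hypothetical, and the check uses the local machine's trust store, which may differ from the one the webhook caller uses.

```python
import socket
import ssl

# OpenSSL X509 verify codes mapped to the causes discussed in this thread.
CAUSES = {
    10: "certificate expired",
    18: "self-signed leaf, not issued by a trusted CA",
    19: "chain ends in a root missing from the trust store (private/company CA)",
    20: "issuer not found: server omitted an intermediate, or root is not trusted",
    21: "issuer not found: server omitted an intermediate, or root is not trusted",
    62: "certificate does not cover this hostname",
}

def classify(exc):
    """Turn a TLS verification failure into (verify_code, likely cause)."""
    code = getattr(exc, "verify_code", None)
    fallback = getattr(exc, "verify_message", None) or str(exc)
    return code, CAUSES.get(code, fallback)

def backend_ips(host, port=443):
    """Every address the hostname currently resolves to (the balancer's nodes)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip, host, port=443, timeout=5.0, context=None):
    """Handshake with one specific IP while verifying the chain and `host`."""
    ctx = context or ssl.create_default_context()  # verifies chain + hostname
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ip": ip, "ok": True, "code": 0, "detail": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        code, cause = classify(exc)
        return {"ip": ip, "ok": False, "code": code, "detail": cause}
    except OSError as exc:  # refused, timed out, or not speaking TLS
        return {"ip": ip, "ok": False, "code": None, "detail": f"no TLS session: {exc}"}

def audit(host, port=443):
    """One result per backend; mixed ok/failed rows point at a single bad node."""
    return [probe(ip, host, port) for ip in backend_ips(host, port)]

if __name__ == "__main__":
    import sys
    # Placeholder host (assumption); pass the real webhook hostname as argv[1].
    for row in audit(sys.argv[1] if len(sys.argv) > 1 else "webhook.example.com"):
        print(row)
```

If some addresses pass and others return code 20 or 21, the failing nodes are serving an incomplete chain; if every address returns 19 or 20, the issuing root is simply not in the caller's trust store.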