cert issue

The error “This certificate cannot be verified” typically means that the client system cannot validate the certificate chain. Here are the most common causes and how to fix them:


🔍 Root Causes and Fixes

1. Missing Intermediate or Root CA

  • Cause: The certificate presented by the server is not trusted because the issuing authority (CA) is not in the client’s trusted store.
  • Fix:
    • Ensure the full certificate chain (leaf + intermediate + root) is provided.
    • In web servers or API gateways (like Kong), configure the full chain in the cert file:

      cat server.crt intermediate.crt > fullchain.crt

      Then use fullchain.crt as your public certificate.

2. Self-Signed Certificate Not Trusted

  • Cause: The certificate is self-signed and the CA cert is not installed on the client machine.
  • Fix:
    • Manually install the root CA certificate on the client:
      • Windows: Double-click .crt > Install Certificate > Trusted Root Certification Authorities
      • Linux/macOS: Add to /etc/ssl/certs or Keychain Access respectively

3. Expired or Not Yet Valid Certificate

  • Cause: The system clock is incorrect, or the certificate has expired or is not yet valid.
  • Fix:
    • Check system date/time on both client and server.
    • Ensure certificate validity dates are current.

4. Incorrect Certificate Usage (e.g., wrong SAN or CN)

  • Cause: The certificate was issued for a different domain/IP.
  • Fix:
    • Check that the certificate’s Subject Alternative Names (SAN) include the domain/IP being accessed.

5. Corrupted or Improperly Formatted Certificate

  • Cause: The .crt or .cer file is malformed or base64-encoded incorrectly.
  • Fix:
    • Open the cert file and check that it starts and ends with:

      -----BEGIN CERTIFICATE-----
      ... base64 ...
      -----END CERTIFICATE-----

🧪 How to Verify

From the client:

openssl s_client -connect your.domain.com:443 -showcerts

  • This will show the certificate chain; verify whether the chain is complete and trusted.
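
To narrow a failure down to one of the five causes above without reading the s_client output by hand, here is an added example (not part of the original post). It maps the verify code OpenSSL reports during a handshake to causes 1-4 and checks a PEM file's structure for cause 5; the function names and the sample PEM are constructed for illustration.

```python
import base64
import binascii
import re
import socket
import ssl

# OpenSSL verify codes (X509_V_ERR_*) grouped under the numbered causes above.
VERIFY_CODE_TO_CAUSE = {
    20: 1, 21: 1,  # unable to get local issuer cert / verify the first certificate
    18: 2, 19: 2,  # self-signed certificate / self-signed certificate in chain
    9: 3, 10: 3,   # certificate is not yet valid / certificate has expired
    62: 4, 64: 4,  # hostname mismatch / IP address mismatch
}
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)
# Constructed sample: a tiny DER SEQUENCE in PEM armor, not a real certificate.
SAMPLE_PEM = f"{BEGIN}\nMAMCAQE=\n{END}\n"


def pem_problems(text):
    """Cause 5: list the formatting problems found in a PEM file's text."""
    problems = []
    if text.count(BEGIN) != text.count(END):
        problems.append("unbalanced BEGIN/END markers")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no complete certificate block")
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"block {i}: invalid base64")
            continue
        if not der.startswith(b"\x30"):  # DER certificates open with a SEQUENCE tag
            problems.append(f"block {i}: not a DER SEQUENCE")
    return problems


def diagnose(host, port=443, timeout=5):
    """Causes 1-4: try a verified handshake; return (cause, detail). 0 = OK, -1 = other."""
    ctx = ssl.create_default_context()  # validates against the client's trusted store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return 0, "chain verified"
    except ssl.SSLCertVerificationError as exc:
        return VERIFY_CODE_TO_CAUSE.get(exc.verify_code, -1), exc.verify_message
    except OSError as exc:  # DNS, TCP or non-certificate TLS failure
        return -1, str(exc)


if __name__ == "__main__":
    print(pem_problems(SAMPLE_PEM))  # offline check on the constructed sample
```

Run diagnose() from the affected client, since the result depends on that machine's trusted store and clock.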

If you tell me what OS the client is on and whether you’re using a public or private CA, I can give you platform-specific install steps.
