Unknown Authority Error Triggered by Connecting to Non-Default $ROLLBAR_API_URL

[msgSend]

The certificate used by a testing endpoint is valid and the CA is in the list of known authorities when manually queried via cURL, but is not accepted by the provider and returns the following error: x509: certificate signed by unknown authority.

[jmcvetta]

@msgSend Please include steps for reproducing the bug when opening an Issue.

[jmcvetta]

From Slack conversation, the non-default URL used was https://api-staging.rollbardev.com/

[jmcvetta]

Example failure:

$ ROLLBAR_API_URL=https://api-staging.rollbardev.com terraform plan
rollbar_team.test_team_0: Refreshing state... [id=704936]

Error: Get "https://api-staging.rollbardev.com/api/1/projects": x509: certificate signed by unknown authority

Error: Get "https://api-staging.rollbardev.com/api/1/team/704936": x509: certificate signed by unknown authority

[jmcvetta]

Certificate fails also fails to verify for me using httpie:

$ http GET https://api-staging.rollbardev.com/api/1/projects

http: error: SSLError: HTTPSConnectionPool(host='api-staging.rollbardev.com', port=443): Max retries exceeded with url: /api/1/projects (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)'))) while doing GET request to URL: https://api-staging.rollbardev.com/api/1/projects

[jmcvetta]

The openssl tool also fails to verify this cert:

$ openssl s_client -connect api-staging.rollbardev.com:443
CONNECTED(00000003)
depth=0 CN = *.rollbardev.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.rollbardev.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.rollbardev.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGOzCCBSOgAwIBAgIQKahrfJ3Q7c04GDYdJChdIjANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
Ey5TZWN0aWdvIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
MB4XDTIwMDExMDAwMDAwMFoXDTIyMDEwOTIzNTk1OVowGzEZMBcGA1UEAwwQKi5y
b2xsYmFyZGV2LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANra
2O4MEFKYp9uVtWufgUbz8hmqs8m2/dE/eMheTrXdBlTen7/NebI24rTC1uTfuB3l
ZS3AqIZTOejZz1w9oiNaLxIRLS2XVmSvNo5+uPTsgkQvlBzPMb4lTO2Ts9tJ1kI7
86X1FS6NvEPoKj1Ep9QbcIGGsEQ/2JJtJrxZXM3qgkHLyolTZsPBakzvMJyoQZL7
aVTAhD9TV+rh37hkqsFyE1nmRJkQQHucqeHcMod7mu1Ci+IcLioQngfpw8RfZ+/E
2jwALfnESBSXgcGGJY0T3lMsRAO9agczXf2pwiIiWIaLBYmkNyjLhtJj4TTcR6ib
YO1MLbGEx3mazV1bSKECAwEAAaOCAwQwggMAMB8GA1UdIwQYMBaAFI2MXsRUrYrh
d+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBR+Xz5DTTvCitVerrgkYuU0VLoZ/jAOBgNV
HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIB
FhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEB
BHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdv
UlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcw
AYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wKwYDVR0RBCQwIoIQKi5yb2xsYmFy
ZGV2LmNvbYIOcm9sbGJhcmRldi5jb20wggGABgorBgEEAdZ5AgQCBIIBcASCAWwB
agB3AEalVet1+pEgMLWiiWn0830RLEF0vv1JuIWr8vxw/m1HAAABb5F4idkAAAQD
AEgwRgIhAN0r3+qv0qN+8Y5PkR4meqD39glldrAc2tkyrTVuQ2rmAiEAqCp21yqo
bX/ccvuhwBOsHVk2DlWHINGpglIBoxIpm1MAdgBvU3asMfAxGdiZAKRRFf93FRwR
2QLBACkGjbIImjfZEwAAAW+ReIq4AAAEAwBHMEUCIQCxKJmW53tq0Oa0Apzyqwa6
uFgGQQa+gLPCLErdm2oyXQIgKRQwhT10M/PBKo6Z85vjFRZp+YPVve4oZiFu8L5Y
DF0AdwAiRUUHWVUkVpY/oS/x922G4CMmY63AS39dxoNcbuIPAgAAAW+ReInSAAAE
AwBIMEYCIQCPryrJBFeoB53VTMeCcH4mq7A3NpW0Zo5d2tTWForLpgIhAL8FI7g6
3APopRFhsAfz42U5foZtTxEq/1xZh+On16gsMA0GCSqGSIb3DQEBCwUAA4IBAQCR
2Om4pHtHzEBtSnx9OQs6mnA5mcz4F9bS1SzP24BFVWLImR1tkI+XHtqQTek/KO3u
YZmNO3ovE6VkVU5bDfpOadzOUKvz3mMGho04ZUY3PY5pTkHUWclnaJsoVfwK4UjA
k7CsZlExTYKL38aj5Wru5e8KiS1Myo08gDZ0ZlhOsz2OvB3ePjCI/G8MzCscyCRw
lphazGYaQFQ/V5iobdDCNFKi+I5IRTe8HTiPz1jTb7rIc2vBl1khIfvOLlVvjr50
QoWSGWYC8ZPAZSdNl76m5/aXIth6/qtzzkPe86jqK0O/aOGsli6qDrI2i9mEnu0/
7o+4qQ1QAhRgxMOu6jZZ
-----END CERTIFICATE-----
subject=CN = *.rollbardev.com

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2089 bytes and written 398 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---

[jmcvetta]

Based on the output shown above, I suspect the server at https://api-staging.rollbardev.com may be misconfigured.

@msgSend @mrunalk who is responsible for host api-staging.rollbardev.com, so we can include them in this conversation?

[jmcvetta]

@msgSend when can I expect an update on this? The staging server's cert appears to be misconfigured. Who is responsible for that system?

[msgSend]

@jmcvetta, I apologize for the very delayed response. I think you're spot on about the issue, it looks like the certificate chain wasn't added to the configuration. I have added it and it appears that everything is happy now. Consequently, I think we can close this out. Please reopen if you feel the need to do so.

CONNECTED(00000005)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.rollbardev.com
verify return:1
---
Certificate chain
 0 s:/CN=*.rollbardev.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---