What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

How do I include intermediate certificates for SSL on the V2 API port?

Votes:

0

The V2 API port serves a broken certificate by failing to include intermediate certificates

After enabling the V2 API options, the V2 API port serves the site certificate with a broken chain. This causes the certificate to be untrusted, despite being identical to the certificate served on the main https port.

This occurred immediately after enabling the V2 API, and is still occurring even after re-importing the certificate via the PRTGCertImporter tool.

An online certificate check confirms the behavior.

OpenSSL reports the error as follows:

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.xxxxxxxxx.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.xxxxxxxxx.com
verify return:1
...
Verification error: unable to verify the first certificate

Note that the main https port continues to serve the (same) certificate with the chain intact, so it works fine. Only the alternative port used by the new v2 API and GUI is affected by the issue.

api certificate prtg ssl v2api

Created on Apr 6, 2023 9:09:15 PM

Last change on Apr 7, 2023 6:04:53 AM by Felix Wiesneth [Paessler Support]



Best Answer

Accepted Answer

Votes:

1

Hi there,

You're right, the new server does not yet consider the intermediate certificates correctly. We created an internal bug case for this and are working on a fix for future updates.

Kind regards,
Felix Saure, Technical Support Team

Created on Apr 13, 2023 1:24:37 PM by Felix Saure [Paessler Support]



4 Replies

Votes:

0

Hi there,

The certificate importer, or if you decide to import the certificate manually, does not include intermediate certificates. You need to deploy such certificates to the appropriate certificate store on the Windows machine hosting the PRTG server.

This information is taken to build the correct chain then.

Kind regards,
Felix Saure, Technical Support Team

Created on Apr 7, 2023 9:56:35 AM by Felix Saure [Paessler Support]



Votes:

0

As I said, the main https port works fine and includes the correct intermediate certificates. The certificate was installed via the certificate importer, from a certificate that includes the intermediate chain, and that certificate is installed in the machine certificate store.

Regardless of where PRTG sources the intermediate certificates, it is working fine (as it always has) on the main https port, but is failing to send the intermediate certificates on the alternate https port that is used for the V2 API. Why would that be?

Created on Apr 7, 2023 10:04:21 PM



Accepted Answer

Votes:

1

Hi there,

You're right, the new server does not yet consider the intermediate certificates correctly. We created an internal bug case for this and are working on a fix for future updates.

Kind regards,
Felix Saure, Technical Support Team

Created on Apr 13, 2023 1:24:37 PM by Felix Saure [Paessler Support]



Votes:

1

Thanks for confirming this. I'll watch the patch notes, then!

Created on Apr 13, 2023 2:24:00 PM




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.