Hi there!
To reduce project dependency on 3rd party paid services the StackStorm TSC has decided to move the Q/A from this forum to Github Discussions. This will make user experience better integrated with the native Github flow, as well as the questions closer to the community where they can provide answers.
Use 🔗 Github Discussions to ask your questions.
Dear all
I am trying to import SSL for the st2api, but failed. I uploaded the crt and key file and restarted the
ngix, the webportal works fine.
However, when I try to connect through st2api, an error prompted.
curl: (60) Peer’s Certificate issuer is not recognized.
here is the configuration file st2.conf changed under folder of /etc/nginx/sites-enabled
ssl_certificate /etc/ssl/st2/cert.crt;
ssl_certificate_key /etc/ssl/st2/cert.key;
However, when I try to connect through st2api, an error prompted.
Can you clarify what does it mean “to connect through st2api”? Does it mean
https://your-domain.tld works and https://yor-domain.tld/api/ shows errors for
you? What was the client that was used to make a request to https endpoint (curl, browser,
anything else)?
What is the provider that issued the SSL certificates for you?
You may want to ensure that you configured full certificate chain. Follow the http://nginx.org/en/docs/http/configuring_https_servers.html#chains
to understand how to set it up and debug.
Thank you for your feedback, actually I am trying to use curl to call the st2api with a post method.
curl -X POST -H 'Accept: */*' -H 'content-type: application/json' -H 'St2-Api-Key: ***' --data-binary '{"action": "faultdesign.ApiAdapter","parameters": {"srNo": "456789","taskName": "201809030000","country": "","operator": "","productFamily": "Huawei Storage","subType": "Huawei Storage","selectedNodes": {"l2Name": "Disk Alarm","l1Name": "ISM/Device Manager Alarm","l3Name": ""},"product": "OceanStorage","productLine": "IT","logfiles": "","createUser": "","reStart": "","summary": ""}}' https://wesre.***.com/api/v1/executions
and I got the error like this:
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
However, when I use browser to open the portal, it works fine and the site displays as safe sites which means the certificate was trusted by my browser.
My company issued the CA certificate as a pfx file,and I export the key and crt file by the following commands.
openssl pkcs12 -in ./cert.pfx -out public.crt -clcerts -nokeys
openssl pkcs12 -in ./cert.pfx -out public.key.pem -nodes -nocerts
and I updated the ngnix configuration file under folder of vi /etc/nginx/conf.d/st2.conf like below
server {
listen *:443 ssl;
ssl on;
ssl_certificate /etc/ssl/st2/public.crt;
ssl_certificate_key /etc/ssl/st2/public.key.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Your browser has a different set of CAs it uses to what curl trusts. Either update the bundle that curl uses, to include your Internal CA, or tell curl to verify against a CA file that includes your companys CA.
Check with your local sysadmins. If they have their own CA, they will know how to get systems to use that CA.
This is all generic SSL information - it is not specific to ST2.
Yes, the certificate chain solved my problem 
Thank you
Thank you, the certificate chain solved my problem.