DEPTH_ZERO_SELF_SIGNED_CERT
- Updated on 19 Jul 2023
Issue Statement
When authenticating, a DEPTH_ZERO_SELF_SIGNED_CERT error appears in the logs.
What You Can Do
"DEPTH_ZERO_SELF_SIGNED_CERT" is an error message that may occur when making an HTTPS request to a server with a self-signed SSL/TLS certificate.
Here are some things that you can do to try to resolve the issue:
- Make sure SSL is enabled in the adapter service config. See the example below:

    "ssl": {
      "ecdhCurve": "",
      "enabled": true,
      "accept_invalid_cert": false,
      "ca_file": "",
      "key_file": "",
      "cert_file": "",
      "secure_protocol": "SSLv3_method",
      "ciphers": ""
    }

- Ignore the error (not recommended for production): If you are in a development or testing environment and you trust the server, you can tell your adapter to ignore SSL certificate errors by setting accept_invalid_cert to true in the ssl properties. See the example below:

    "ssl": {
      "ecdhCurve": "",
      "enabled": true,
      "accept_invalid_cert": true,
      "ca_file": "",
      "key_file": "",
      "cert_file": "",
      "secure_protocol": "SSLv3_method",
      "ciphers": ""
    }

- Store the CA file on the server: The CA file contains the public key of the Certificate Authority that issued the SSL/TLS certificate for your server. You can save the CA file on the IAP server and set ca_file under the ssl properties in the service config to that path so the adapter can access it. See the example below:

    "ssl": {
      "ecdhCurve": "",
      "enabled": true,
      "accept_invalid_cert": false,
      "ca_file": "/root/mycafile",
      "key_file": "",
      "cert_file": "",
      "secure_protocol": "SSLv3_method",
      "ciphers": ""
    }

- Install the self-signed certificate as a trusted certificate: In some cases, you may choose to install the server's self-signed certificate in your client's trusted certificate store. This way, the client will recognize the certificate as valid for future connections. Pass the required values under the ssl properties in the service config. See the documentation for more details.
- Use a valid certificate from a trusted CA: For production environments or public-facing websites, it is recommended to obtain a valid SSL/TLS certificate from a recognized CA. This way, clients will be able to verify the certificate and establish a secure connection. Pass the required values under the ssl properties in the service config.
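
To see why pointing ca_file at the right certificate clears the error, the following added example (not part of the original article or Itential's code) reproduces the failure locally with the openssl CLI. OpenSSL verification error 18 is the condition that Node.js reports as DEPTH_ZERO_SELF_SIGNED_CERT. The certificate, file names, CN and function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added demo: all paths and the CN are constructed; nothing here touches a real server.
# For a live endpoint, fetch its certificate first with:
#   openssl s_client -connect HOST:PORT -showcerts </dev/null
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Create a throwaway self-signed certificate standing in for the server's.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-server.example" \
    -keyout "$workdir/server.key" -out "$workdir/server.crt" 2>/dev/null
}

# Succeeds when issuer and subject names hash identically (self-signed layout).
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Print 0 if cert $1 verifies, else the OpenSSL verification error number.
# Optional $2 is a PEM trust anchor, the role ca_file plays in the adapter config.
verify_error() {
  if out=$(openssl verify ${2:+-CAfile "$2"} "$1" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_self_signed
is_self_signed "$workdir/server.crt" && echo "issuer == subject: self-signed"
# Error 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
echo "without trust anchor: error $(verify_error "$workdir/server.crt")"
echo "with cert as CA file: error $(verify_error "$workdir/server.crt" "$workdir/server.crt")"
```
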
If you are unable to determine the issue by looking at the log, follow the Support process to create a ticket with the log information and the Itential Adapters Team will be happy to assist.