Why is the SSL certificate not recognised as valid by my API client (e.g. Filemaker, cURL)?

Last modified: 7. February 2024

You are using FileMaker or other clients and have problems with the SSL certificate when accessing the ITscope.com API?

What must be configured so that API retrievals work without errors with older systems?

On older systems or systems that have not been updated since 2021, the Let’s Encrypt root certificate may be missing or an older, expired Let’s Encrypt root may be installed. The problem is described here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
(In detail: “(1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.”)

Depending on the client used, you must therefore update the root certificates so that our server certificates are recognised as valid. Instead of the expired Let’s Encrypt ‘DST Root CA X3’, the newer ‘ISRG Root X1’ must be installed.
Here is a thread with collected information on the update of various systems:

https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190

Here are two examples for older Debian systems:

https://blog.rac.me.uk/2016/05/04 
https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg

What must be configured so that API retrievals with Filemaker work without errors?

The MBS plug-in for Filemaker does not come with root certificates by default (“Also you need a cacert.pem file with certificates”).
As a result, CURL does not find a root certificate for the Let’s Encrypt certificate from our servers and recognises our certificate as self-signed.
For this reason, you can download the certificate bundle from the following website and set the corresponding option in the plug-in: http://curl.haxx.se/docs/caextract.html

More information on the pluginn: http://www.mbsplugins.de/archive/2013-01-31/SSL_Security_with_CURL/monkeybreadsoftware_blog_archive

Where can you find the Let’s Encrypt Root-Certificate?

The root certificate is required if you want to access our services from a third-party system and your system does not yet recognise the root certificate.
You can download the root certificate from the Let’s Encrypt website:
https://letsencrypt.org/certificates/#root-certificates

Under ISRG Root X1, you can download the root certificate relevant to us by clicking on the corresponding link in various formats, for example as a “.pem”, “.der” or simply as a “.txt” file.

Was this article helpful?
Dislike 0
Views: 230