Why is the SSL certificate not recognised as valid by my API client (e.g. FileMaker, cURL)?

Last modified: 5. May 2022

Are you using FileMaker or another client and having problems with the SSL certificate when accessing the ITscope.com API?

What must be configured so that API requests work without errors on older systems?

On older systems or systems that have not been updated since 2021, the Let’s Encrypt root certificate may be missing or an older, expired Let’s Encrypt root may be installed. The problem is described here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
(In detail: “(1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.”)

Depending on the client used, you must therefore update the root certificates so that our server certificates are recognised as valid. Instead of the expired Let’s Encrypt ‘DST Root CA X3’, the newer ‘ISRG Root X1’ must be installed.
Here is a thread with collected information on the update of various systems:

https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190

Here are two examples for older Debian systems:

https://blog.rac.me.uk/2016/05/04 
https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg

What must be configured so that API requests with FileMaker work without errors?

The MBS plug-in for FileMaker does not come with root certificates by default (“Also you need a cacert.pem file with certificates”).
As a result, cURL does not find a root certificate for the Let’s Encrypt certificate from our servers and recognises our certificate as self-signed.
For this reason, you can download the certificate bundle from the following website and set the corresponding option in the plug-in: http://curl.haxx.se/docs/caextract.html

More information on the plug-in: http://www.mbsplugins.de/archive/2013-01-31/SSL_Security_with_CURL/monkeybreadsoftware_blog_archive
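
To check a client against the two conditions quoted above, the following added example (not code from ITscope, Let's Encrypt or the MBS plug-in) loads a PEM bundle such as cacert.pem or, on Debian, /etc/ssl/certs/ca-certificates.crt, and reports whether ISRG Root X1 is trusted, whether the expired DST Root CA X3 is still present, and whether OpenSSL is at least 1.1.0. The function names are illustrative assumptions.

```python
# Added example; function names are illustrative, not from ITscope or Let's Encrypt.
import ssl
import sys
import time

REQUIRED_ROOT = "ISRG Root X1"    # root that clients must trust (named on this page)
EXPIRED_ROOT = "DST Root CA X3"   # expired root named on this page
MIN_OPENSSL = (1, 1, 0)           # minimum version from the Let's Encrypt quote


def common_name(cert):
    """Return the subject commonName of a cert dict as produced by the ssl module."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def diagnose(ca_certs, openssl_version, now=None):
    """Return a list of findings; an empty list means both conditions hold."""
    now = time.time() if now is None else now
    valid, expired = set(), set()
    for cert in ca_certs:
        is_expired = ssl.cert_time_to_seconds(cert["notAfter"]) < now
        (expired if is_expired else valid).add(common_name(cert))
    findings = []
    if REQUIRED_ROOT not in valid:
        findings.append(f"{REQUIRED_ROOT} is not in the trust store")
    if EXPIRED_ROOT in expired:
        findings.append(f"expired {EXPIRED_ROOT} is still installed")
    if tuple(openssl_version[:3]) < MIN_OPENSSL:
        findings.append("OpenSSL is older than 1.1.0")
    return findings


def check_bundle(cafile):
    """Load only the given PEM bundle (no system defaults) and diagnose it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    # OPENSSL_VERSION_INFO is the library Python is linked against, which may
    # differ from the one your API client uses.
    return diagnose(ctx.get_ca_certs(), ssl.OPENSSL_VERSION_INFO)


if __name__ == "__main__":
    found = check_bundle(sys.argv[1])
    print("\n".join(found) or "trust store and OpenSSL version look fine")
    sys.exit(1 if found else 0)
```

Run it with the path of the bundle as the only argument; the exit status is 1 if anything was found.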
