The V2 API port serves a broken certificate by failing to include intermediate certificates

After enabling the V2 API options, the V2 API port serves the site certificate with a broken chain. This causes the certificate to be untrusted, despite being identical to the certificate served on the main https port.

This occurred immediately after enabling the V2 API, and is still occurring even after re-importing the certificate via the PRTGCertImporter tool.

An online certificate check confirms the behavior.

OpenSSL reports the error as follows:

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.xxxxxxxxx.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.xxxxxxxxx.com
verify return:1
...
Verification error: unable to verify the first certificate

Note that the main https port continues to serve the (same) certificate with the chain intact, so it works fine. Only the alternative port used by the new v2 API and GUI is affected by the issue.
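The comparison described in this post, as an added example that is not part of the original post and is not PRTG's own code: it parses the "Certificate chain" listing from `openssl s_client -showcerts` output for two ports and reports which certificates the main port sends that the other port omits. The sample outputs, host name and CA names are constructed; `fetch`, `sent_chain` and `compare_ports` are hypothetical helper names, and the ports are whatever your installation uses.

```python
import re
import subprocess

# Constructed s_client excerpts (not from the page): the main port sends
# leaf + intermediate, the second port sends the leaf only.
MAIN_PORT = """Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root
---
"""
API_PORT = """Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
---
"""

# One entry of the "Certificate chain" listing: depth, subject, issuer.
ENTRY = re.compile(r"^ *(\d+) s:(.*)\n +i:(.*)$", re.M)

def fetch(host, port):
    """Capture live s_client output; host and port are supplied by the caller."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input="", capture_output=True,
                          text=True, timeout=20).stdout

def sent_chain(output):
    """Certificates the server actually sent, as (depth, subject, issuer)."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(output)]

def compare_ports(main_out, other_out):
    """Compare what two ports of the same server send during the handshake."""
    main, other = sent_chain(main_out), sent_chain(other_out)
    sent_by_other = {subject for _, subject, _ in other}
    return {
        "same_leaf": bool(main and other) and main[0][1:] == other[0][1:],
        "main_count": len(main),
        "other_count": len(other),
        # Intermediates served on the main port but absent on the other port
        "missing_on_other": [s for _, s, _ in main[1:] if s not in sent_by_other],
    }

if __name__ == "__main__":
    print(compare_ports(MAIN_PORT, API_PORT))
```

For a live check, pass `fetch(host, port)` for each port in place of the samples; a result with `same_leaf` true and a non-empty `missing_on_other` matches the symptom reported here.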


Article Comments

Hi there,

Neither the certificate importer nor a manual import of the certificate includes intermediate certificates. You need to deploy such certificates to the appropriate certificate store on the Windows machine hosting the PRTG server.

This information is then used to build the correct chain.


Kind regards,
Felix Saure, Technical Support Team


Apr, 2023 - Permalink

As I said, the main https port works fine and includes the correct intermediate certificates. The certificate was installed via the certificate importer, from a certificate that includes the intermediate chain, and that certificate is installed in the machine certificate store.

Regardless of where PRTG sources the intermediate certificates, it is working fine (as it always has) on the main https port, but is failing to send the intermediate certificates on the alternate https port that is used for the V2 API. Why would that be?


Apr, 2023 - Permalink

Hi there,

You're right, the new server does not yet consider the intermediate certificates correctly. We created an internal bug case for this and are working on a fix for future updates.


Kind regards,
Felix Saure, Technical Support Team


Apr, 2023 - Permalink

Thanks for confirming this. I'll watch the patch notes, then!


Apr, 2023 - Permalink