Webhook: Peer certificate cannot be authenticated with known CA certificates

December 19, 2013
Question

  • 13 replies
  • 2778 views
Hi,

I have a webhook that sometimes returns this error:

"Peer certificate cannot be authenticated with known CA certificates"

Anyone know what the solution is to this error?

Thanks!
Scott

December 19, 2013
Looks like you are making a WH call to a secure endpoint (i.e., an https URL). Does the secure endpoint have a valid SSL cert?
Kenny_Elkington (Adobe Employee)
December 19, 2013
Hey Scott,

This error is typically the result of the SSL certificate for the domain or subdomain that you're submitting to not being tied to a trusted root certificate.  You can find details about implementing this here: https://support.comodo.com/index.php?_m=knowledgebase&_a=view&parentcategoryid=95&pcid=1&nav=0,96,1
December 19, 2013
Hi,

I spoke with my tech team and we have a "wild card" certificate that they're saying java hates.  Which may explain why the webhook works sometimes and throws that error other times.  They said in the past they've had to have the other system upload our certificate for it to work consistently.  Is that something you guys could do?  Let me know, happy to get you our certificate.

Thanks,
Scott
December 19, 2013
The cert has to be uploaded to the keystore of your server, not ours.
December 30, 2013
Hi Raj,

Thanks for the quick responses.  Just heard back from our tech team on this and here's their response:

The SSL certificate is already installed on the load balancer that sits in front of the two API servers. I don’t think there’s anything else for us to do with the cert. It is a valid cert and is used in several other places within our infrastructure without issue.
 
Can they update their Root Certificate Authority (CA) list on their server? Maybe the cert chain via GoDaddy is using newer intermediate or root CAs that are not in their server's list of CAs…

That's his suggestion - is that something you guys can do? 

Thanks!
Scott
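The two explanations offered so far (Kenny's "not tied to a trusted root" and the tech team's "intermediate CAs missing from the caller's list") are the same failure seen from opposite ends: the caller cannot build a path from the served certificate to a root it trusts. The script below is an added example, not code from this thread or from Marketo, that reproduces that failure with a throwaway PKI built by openssl and then shows it resolved by serving the intermediate together with the leaf. Every name in it (Example Root CA, Example Intermediate CA, api.example.com, pki.cnf) is constructed for the demonstration.

```shell
# Added example, not code from the thread: build a throwaway PKI with openssl
# and show that a leaf certificate fails validation when the server does not
# send its intermediate, then passes once the intermediate is served with it.
# Every name below (Example Root CA, Example Intermediate CA, api.example.com)
# is constructed for this demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on the system's
# openssl.cnf: one extension section for CA certs, one for the server leaf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:api.example.com
EOF

# Root CA: self-signed. This is what the caller's trust store holds.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 30 -config pki.cnf -extensions ca_ext \
  >/dev/null 2>&1

# Intermediate CA, issued by the root. Public CAs almost always sign server
# certs from an intermediate rather than directly from the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" -config pki.cnf >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -sha256 -extfile pki.cnf -extensions ca_ext \
  >/dev/null 2>&1

# Server (leaf) certificate, issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=api.example.com" -config pki.cnf >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -sha256 -extfile pki.cnf -extensions leaf_ext \
  >/dev/null 2>&1

# What a correctly configured load balancer should serve: the leaf first,
# then every intermediate up to (but not including) the trusted root.
cat leaf.pem int.pem > fullchain.pem

# check_chain LEAF ROOT [EXTRA]: validate LEAF against the trust store ROOT.
# EXTRA stands in for the certificates the server sends alongside its leaf
# in the TLS handshake; openssl verify treats -untrusted the same way.
# Prints OK or FAIL so the result can be captured by a caller.
check_chain() {
  leaf=$1
  root=$2
  extra=$3
  if [ -n "$extra" ]; then
    openssl verify -CAfile "$root" -untrusted "$extra" "$leaf" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  fi
}

# Reproduce the symptom: the leaf alone cannot be linked to the trusted root
# (openssl reports this as "unable to get local issuer certificate"), while
# the same leaf validates as soon as the intermediate travels with it.
echo "leaf only, no intermediate served:  $(check_chain leaf.pem root.pem)"
echo "leaf plus intermediate served:      $(check_chain leaf.pem root.pem int.pem)"
echo "full chain file as deployed:        $(check_chain leaf.pem root.pem fullchain.pem)"
```

Run it with `sh`; the first line prints FAIL and the other two print OK. The practical check against a live endpoint is `openssl s_client -connect host:443 -showcerts`, which prints the certificates the server actually sends: if only the leaf appears, the fix belongs on the load balancer (install the full chain, as `fullchain.pem` above), not in the caller's trust store. An intermittent version of the error is consistent with several backends or load balancer nodes where some serve the full chain and others only the leaf.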
January 30, 2014
Hello everyone,
I'd like to ask about this issue as well. We'd like to use secure webhooks and so we've created a certificate signed by our Company, but this root certificate is not trusted by Marketo (it seems so). Is it possible to ask support to install this root certificate for our instance? Or what shall we do?

Thank you for your responses.
Regards,
Vaclav
January 30, 2014
@ Scott:
You've mentioned that you get that error only sometimes, and you have mentioned that you have a balancer which then forwards the request to another server. The certificate may contain IP addresses which are allowed, and host names as well, so if you, for example, added some computer with a new IP address, then the host is not covered by that certificate.

I hope I've explained that correctly, my knowledge of this topic is not so deep...
Vaclav
January 30, 2014
Hi Vaclav,

Thanks for the response.  It sounds like you're saying the IP addresses are covered by the certificate but the host names, in some cases, are not.  Is that accurate?  If that's the case, do you know what I should do to fix the situation?  Get more host names added to our certificate?

Just curious - we're getting this webhook installed in client environments so I'd like to be sure it will work consistently.

Thanks,
Scott
January 31, 2014

Hi Scott,

yes, that's what I meant. The solution to this might be the wildcard certificate; see for example some information here:
http://stackoverflow.com/questions/1822268/how-do-i-create-my-own-wildcard-certificate-on-linux

On the other hand, if you run some cloud service behind that balancer you do not necessarily need to have hostnames on those servers, so there are only IP addresses, which I believe can be set as the Common Name as well, and maybe with the wildcard char * too, but that's just a guess...
One more link with some good information:
info.ssl.com/Article.aspx?id=10048

I hope this will help,

regards,
Vaclav
February 5, 2014
Hi Vaclav,

Thanks for the info - this really helped to narrow down the problem.  It looks like our API runs through Amazon Web Services and that can change IPs every once in a while - that's why it works in most cases (where the IPs are currently accepted) but fails in some cases (where AWS has added new IPs and runs the call through it).

Thanks!
Scott