SSL Peer Certificate or SSH Remote Key Was Not OK
Issue
The following error can appear when a connection attempt fails:
SSL peer certificate or SSH remote key was not OK. Underlying error: unable to get local issuer certificate
Example full error: F_JG4E05: Could not get the Azure Token. Reason: Failed to GetToken. Error: GetToken(): Fail to get a new connection for: https://login.microsoftonline.com. SSL peer certificate or SSH remote key was not OK. Underlying error: unable to get local issuer certificate
Environment
- HVR 6
Resolution
Using a Proxy with SSL Inspection
If your environment uses a proxy that performs SSL inspection (decrypting SSL traffic and re-signing it with a custom CA), HVR must be configured to trust that custom CA:
1. Obtain the custom CA certificate used by the proxy to sign SSL traffic (for example, proxy-ca-cert.crt).
2. Create the path to the custom certificate bundle that HVR will use and copy the default CA bundle provided with HVR into it:

    mkdir -p $HVR_CONFIG/etc/cert
    cp $HVR_HOME/etc/cert/ca-bundle.crt $HVR_CONFIG/etc/cert/ca-bundle.crt

3. Append the custom CA certificate to the copied CA bundle:

    cat proxy-ca-cert.crt >> $HVR_CONFIG/etc/cert/ca-bundle.crt

HVR first checks for the existence of the custom certificate bundle in $HVR_CONFIG/etc/cert/ca-bundle.crt and uses it if present; otherwise, it falls back to the default bundle in $HVR_HOME/etc/cert/ca-bundle.crt.
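
The steps above as a re-runnable shell function (an added example, not HVR's own tooling; the function names are hypothetical, and the input file is assumed to hold a single PEM certificate). It leaves the bundle unchanged when the CA is already present, rejects non-PEM input such as a DER-encoded .crt, and adds a missing final newline so that END and BEGIN markers are not fused on one line:

```sh
#!/bin/sh
# Added example: HVR_HOME and HVR_CONFIG must be set, as in the steps above.

# Count the PEM certificate blocks in file $1.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed if the certificate in file $1 is already present in bundle $2.
# Compares the base64 body only, so line wrapping and CRLF do not matter.
cert_in_bundle() {
    body=$(grep -v '^-----' "$1" | tr -d ' \r\n')
    [ -n "$body" ] || return 1
    # Turn each marker line into a separator, then flatten every block to one line
    sed 's/^-----.*$/|/' "$2" | tr -d ' \r\n' | tr '|' '\n' | grep -qxF -- "$body"
}

# Append CA certificate $1 to the bundle in $HVR_CONFIG, creating it if needed.
add_proxy_ca() {
    ca_cert=$1
    default_bundle="$HVR_HOME/etc/cert/ca-bundle.crt"
    custom_dir="$HVR_CONFIG/etc/cert"
    custom_bundle="$custom_dir/ca-bundle.crt"

    # Appending DER or other non-PEM data would corrupt the bundle
    if [ ! -r "$ca_cert" ] || [ "$(count_certs "$ca_cert")" -ne 1 ]; then
        echo "not a single PEM certificate: $ca_cert" >&2
        return 1
    fi

    mkdir -p "$custom_dir" || return 1
    # Seed from the bundle shipped with HVR only when no custom bundle exists yet
    [ -f "$custom_bundle" ] || cp "$default_bundle" "$custom_bundle" || return 1

    if cert_in_bundle "$ca_cert" "$custom_bundle"; then
        echo "already present, bundle unchanged: $custom_bundle"
        return 0
    fi

    # Without a final newline the END and BEGIN markers would share one line
    [ -z "$(tail -c 1 "$custom_bundle")" ] || echo >> "$custom_bundle"
    cat "$ca_cert" >> "$custom_bundle"
    echo "bundle now holds $(count_certs "$custom_bundle") certificate(s)"
}

# Run as a script: sh add-proxy-ca.sh proxy-ca-cert.crt
if [ "$#" -gt 0 ]; then add_proxy_ca "$1"; fi
```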
Outdated Certificates in HVR_CONFIG
If $HVR_CONFIG/etc/cert/ca-bundle.crt already exists and you are not using a proxy, this error may occur because the certificates in $HVR_CONFIG are outdated.