My Oracle Support Banner

Why Does Calling API From External System Fail with SSL Routines:ssl3_read_bytes:sslv3 Alert Certificate Unknown? (Doc ID 2414092.1)

Last updated on JANUARY 03, 2020

Applies to:

Oracle API Platform Cloud Service - Version 15.3.3 and later
Information in this document applies to any platform.



There is a development API Gateway in the on-premise DMZ to service remote REST calls.

This has been enabled to "2-way SSL", but still have the behavior set to "Client Certs Requested But Not Enforced".

The F5 is set to pass through SSL so the gateway node terminates.

When calling a test API from a remote system using cURL, the SSL handshake fails unless the DigiCert Root and Intermediate cert are provided using the --cacert parameter. 

This same root and intermediate are in the keystore file on the gateway.

The same URL can successfully be called from a browser and the connection is secure.

There is a requirement to be able to call this API without the --cacert parameter.

However, when that is tried, the below error is seen:

Why is this error being seen?


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.