Admin Console: An error occurred (error code: API:-1) after change to https

After I reconfigured my working Kaltura installation (11.21) to use https (port 443) with a certificate from QuoVadis
I cannot login to the admin console. The message

An error occurred
(error code: API:-1)

is showing on the site.
I cannot find the problem in the logs.

If I reconfigure it back to use http (port 80) everything works normally.

Hello,

More info is needed in order to properly troubleshoot this.
I suggest you start with:
# curl -I -v $SERVICE_URL

Common reasons for the failure are:

  • Invalid or self signed cert
  • Missing CA cert in the configuration

We will know more once you run that curl command.

Hi Jess

I checked and reconfigured with a chain certificate.
It seems the problem was the missing chain cert.

Thank you.

The output was:

curl -I -v https://mydomain.ch

* Rebuilt URL to: https://mydomain.ch/
* Hostname was NOT found in DNS cache
* Trying 10.0.251.87…
* Connected to tube.htwchur.ch (10.0.251.87) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

(mydomain is a placeholder)
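
The `curl -v` transcript in this thread can be read mechanically to separate "which trust store was used", "did the server present a certificate" and "why verification failed". The Python sketch below is an added example, not part of the original posts or of Kaltura; the function name `diagnose`, the cause table and the sample transcript (constructed, with a placeholder host and address) are assumptions, and it goes beyond the thread's single error by covering other common verification messages.

```python
import re

# (fragment of the verification message, likely cause); most specific first.
CAUSES = [
    ("self signed certificate in certificate chain",
     "the chain sent by the server ends in a root the client does not trust"),
    ("self signed certificate", "the server certificate is self-signed"),
    ("unable to get local issuer certificate",
     "issuer not found: the server omits its intermediate (chain) certificate "
     "or the issuing CA is missing from the client's CA bundle"),
    ("certificate has expired", "a certificate in the chain has expired"),
    ("target host name", "the certificate does not cover the requested host name"),
]

# Constructed sample modelled on the thread's output; host and IP are placeholders.
SAMPLE = """\
* Connected to media.example.test (192.0.2.10) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
"""

def diagnose(transcript):
    """Extract trust store, handshake progress and failure cause from `curl -v` output."""
    # Drop curl's "* " info prefix, or the bullet a forum renderer made of it.
    lines = [re.sub(r"^\s*[*•]\s*", "", ln).strip() for ln in transcript.splitlines()]
    text = "\n".join(lines)
    out = {"exit_code": None, "message": None, "diagnosis": None}
    for key in ("CAfile", "CApath"):
        m = re.search(rf"^{key}: (\S+)", text, re.M)
        out[key.lower()] = m.group(1) if m else None
    # A Certificate handshake message means the server did present a certificate,
    # so a later failure concerns validating it, not reaching the server.
    out["cert_received"] = bool(re.search(r"TLS handshake, cert", text, re.I))
    m = re.search(r"^curl: \((\d+)\) (.+)$", text, re.M)
    if m:
        out["exit_code"], out["message"] = int(m.group(1)), m.group(2)
        # OpenSSL 3 writes "self-signed"; older releases write "self signed".
        msg = m.group(2).lower().replace("self-signed", "self signed")
        out["diagnosis"] = next((why for frag, why in CAUSES if frag in msg), None)
    return out

if __name__ == "__main__":
    for field, value in diagnose(SAMPLE).items():
        print(f"{field}: {value}")
```

A `None` diagnosis means the failure is not one of the certificate verification messages in the table, for example a connection error.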