Question:

Unable to access callout resources due to "invalid issuer or signature"

Lincoln: 2 weeks ago

I'm trying to troubleshoot an error message I keep receiving when I attempt an Apex REST callout, and I can't tell if the issue is with my Salesforce or my third party. When I check the Named Credential I set, I can see it is Authenticated. Below is the "redacted" raw debug output. How can I troubleshoot this further?

43.0 APEX_CODE,FINE;APEX_PROFILING,NONE;CALLOUT,NONE;DB,NONE;NBA,INFO;SYSTEM,NONE;VALIDATION,NONE;VISUALFORCE,NONE;WAVE,NONE;WORKFLOW,NONE
Execute Anonymous: AuthCallout.basicAuthCallout();
15:44:11.1 (1181757)|USER_INFO|[EXTERNAL]|000000000000000|email@address|Eastern Standard Time|GMT-04:00
15:44:11.1 (1202677)|EXECUTION_STARTED
15:44:11.1 (1207754)|CODE_UNIT_STARTED|[EXTERNAL]|execute_anonymous_apex
15:44:11.1 (11201493)|METHOD_ENTRY|[1]|000000000000000|AuthCallout.AuthCallout()
15:44:11.1 (11228619)|METHOD_EXIT|[1]|AuthCallout
15:44:11.1 (11269533)|METHOD_ENTRY|[1]|000000000000000|AuthCallout.basicAuthCallout()
15:44:12.138 (1138806802)|USER_DEBUG|[11]|DEBUG|{"error_description":"Invalid issuer or signature."}
15:44:12.138 (1138855045)|METHOD_EXIT|[1]|000000000000000|AuthCallout.basicAuthCallout()
15:44:12.138 (1141724007)|CODE_UNIT_FINISHED|execute_anonymous_apex
15:44:12.138 (1142671846)|EXECUTION_FINISHED

Answer:
Jackson: 2 weeks ago

Most likely, the issuer is not supported by Salesforce at this time. Check the issuer against this list (https://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html#cacerts). Notably, Let's Encrypt is apparently not supported (https://success.salesforce.com/ideaView?id=08730000000E28LAAS), nor can you use self-signed certificates. You may need to change to a supported issuer, or disable HTTPS for that callout. There's no way to add new supported issuers at this time, so those are your only two solutions.
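
To narrow down which side produced the error, here is an added example (not code from either poster). Apex throws System.CalloutException when a callout fails before any HTTP response arrives, which includes TLS handshake and certificate trust failures, while anything returned by getBody() was sent by the remote endpoint. The class name CalloutTriage, the Named Credential My_Named_Credential and the path /resource are hypothetical placeholders.

```apex
// Added example: CalloutTriage, My_Named_Credential and /resource are
// hypothetical names; substitute the ones used in your org.
public class CalloutTriage {
    public static void probe() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:My_Named_Credential/resource');
        req.setMethod('GET');
        req.setTimeout(20000);

        try {
            HttpResponse res = new Http().send(req);

            // Reaching this point means the connection (including TLS) was
            // established and the remote service answered. The status line,
            // headers and body below are the remote service's own output.
            System.debug('HTTP ' + res.getStatusCode() + ' ' + res.getStatus());
            for (String key : res.getHeaderKeys()) {
                // Guard against a null key in the returned list.
                if (key != null) {
                    System.debug('Header ' + key + ': ' + res.getHeader(key));
                }
            }
            System.debug('Body: ' + res.getBody());

            if (res.getStatusCode() >= 400) {
                System.debug('Remote endpoint rejected the request; '
                    + 'review the credentials or token sent with it.');
            }
        } catch (System.CalloutException e) {
            // No HTTP response was received: the failure happened on the
            // Salesforce side of the connection (endpoint not allowed,
            // timeout, TLS handshake or certificate trust failure).
            System.debug('Callout failed before a response: '
                + e.getTypeName() + ': ' + e.getMessage());
        }
    }
}
```

Run it with Execute Anonymous as `CalloutTriage.probe();`. The log header in the question shows `CALLOUT,NONE`; raising the Callout category to INFO or finer in the debug level also records CALLOUT_REQUEST and CALLOUT_RESPONSE lines for the same call.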