Broadcaster on Windows: ZEN Master shows "authorization plugin error ... was not OK (60)"
5 min
error in zen master , the broadcaster raises an authorization alert (you may see it as either an error or a warning they are the same issue) broadcaster authorization plugin error ssl peer certificate or ssh remote key was not ok (60) in the broadcaster log you will see the following line (logging set to warning for http upload or higher) curl easy perform failed (60) ssl peer certificate or ssh remote key was not ok (60) issue a zen master–managed broadcaster authorizes streams by making a secure (https) call back to zen master to trust that connection, the broadcaster on windows relies on the certificates in the windows trusted root certification authorities store zen master's certificate is issued by amazon and its trust chain requires the amazon root ca 1 certificate if that root is not present in the windows root store, the broadcaster cannot verify the connection and the authorization call fails with error 60 on every attempt important a web browser or a powershell invoke webrequest test to the same address will usually succeed even when the broadcaster fails, because windows and browsers validate certificates differently than the broadcaster does a successful browser test does not rule out this issue, trust the broadcaster's own log this issue is not caused by an expired certificate or an incorrect system clock resolution install the amazon root ca 1 certificate into the windows root store, then restart the broadcaster run all commands in an elevated (administrator) powershell on the broadcaster host confirm the root is missing get childitem cert \localmachine\root | where object { $ subject match "amazon root ca 1|starfield services" } | select object subject, thumbprint if amazon root ca 1 is not listed (you may see only "starfield services root certificate authority g2"), continue install amazon root ca 1 option a download the certificate from amazon's official repository and import it \# download curl exe o amazonrootca1 cer https //www amazontrust com/repository/amazonrootca1 cer \# import into the windows root store import certificate filepath \amazonrootca1 cer certstorelocation cert \localmachine\root option b capture the certificate directly from the zen master connection and install it $certs = @() $cb = \[net security remotecertificatevalidationcallback]{ param($s,$c,$chain,$e); $script\ certs = @($chain chainelements | foreach object { $ certificate }); $true } $tcp = new object net sockets tcpclient; $tcp connect("zen zixi com",443) $ssl = new object net security sslstream($tcp getstream(),$false,$cb) try { $ssl authenticateasclient("zen zixi com",$null,\[security authentication sslprotocols] tls12,$false) } catch {} $ssl dispose(); $tcp close() $amazon = $script\ certs | where object { $ subject match "cn=amazon root ca 1" } | select object first 1 $store = new object security cryptography x509certificates x509store("root","localmachine") $store open("readwrite") if ($amazon) { $store add($amazon) } $store close() confirm it is now present by re running the step 1 command — you should now see amazon root ca 1 listed restart the broadcaster the (60) errors should no longer appear, and the authorization alert in zen master will clear within a few minutes
