SSL authority chain broken

Frank Koehl

23 Apr, 2013 08:26 PM

You guys messing with your SSL setup for user subdomains? Something in your certificate chain is busted.

cURL is reporting back the following error:

SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failedint(0)

My git hooks fail, and Zapier is complaining too.

See for yourself here:
http://www.sslshopper.com/ssl-checker.html#hostname=sensaphone.ligh...

  1. Support Staff 1 Posted by Tiger Team on 23 Apr, 2013 08:31 PM

    Hmm. We did just switch our SSL load balancers. I'll take a look.

  2. Support Staff 2 Posted by Tiger Team on 23 Apr, 2013 08:42 PM

    OK, I've opened a high-priority support ticket with our webhost. It seems to be working on all the browsers I tested. If you need a quick workaround you can point your DNS at our old load balancer which is at 184.73.201.0.

  3. 3 Posted by Frank Koehl on 23 Apr, 2013 08:54 PM

    Good to hear, Courtenay.

    FYI, simple browser tests will not work because they are pretty lenient on broken CA chains. As long as the cert for the local site is good, a browser won't complain.

    It's a different story with other communication methods. I learned that lesson the hard way.

    In this case, git hooks and Zapier communicate with the Lighthouse API calls via cURL, which will halt communication to complain. There is a portion of the RFC standard that allows you to acknowledge and bypass the warnings, but most apps don't expose the functionality ('cause it's really not supposed to happen anyway).

    Run an API test from something other than a browser, and you should see the above error.

  4. 4 Posted by Frank Koehl on 23 Apr, 2013 09:01 PM

    Matching discussion on the Zapier side of the equation.

    They provide a workaround to disable SSL checks if this problem pops up again, but it does not appear to help in this instance.

  5. 5 Posted by Frank Koehl on 24 Apr, 2013 02:37 PM

    No change from my end yet, any word from your web host? I guess high-priority tickets aren't what they used to be. ;-)

  6. Support Staff 6 Posted by Tiger Team on 24 Apr, 2013 03:17 PM

    Yes, they fixed this (chain ordering) at 3:00 local time but we have to do the actual deploy - should be done within a few hours!

  7. 7 Posted by Frank Koehl on 24 Apr, 2013 04:21 PM

    Thanks, please post again once the fix is in place. I'll have to test and then reactivate my API hooks.

  8. Support Staff 8 Posted by Tiger Team on 24 Apr, 2013 06:30 PM

    Looks like this has trickled back up and is working again. Thanks for the ticket!

  9. Tiger Team closed this discussion on 24 Apr, 2013 06:30 PM.
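
Added example, not part of the original discussion: the fix reported in this thread was "chain ordering", and this sketch checks the order of the certificates a server sends by parsing the "Certificate chain" section printed by `openssl s_client -showcerts`. The helper names `parse_chain` and `check_chain` and the sample output are constructed for illustration; the check compares subject and issuer names only and does not verify signatures.

```python
import re

# Constructed sample: the "Certificate chain" section printed by
# `openssl s_client -connect HOST:443 -showcerts`, with the two CA
# certificates sent in the wrong order. All names are made up.
SAMPLE_MISORDERED = """\
Certificate chain
 0 s:/CN=*.example.test
   i:/O=Example CA/CN=Example Intermediate
 1 s:/O=Example CA/CN=Example Root
   i:/O=Example CA/CN=Example Root
 2 s:/O=Example CA/CN=Example Intermediate
   i:/O=Example CA/CN=Example Root
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+ s:(.*)", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s+i:(.*)", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def check_chain(chain):
    """List ordering problems a strict (non-browser) verifier may trip over."""
    problems = []
    subjects = [s for s, _ in chain]
    for pos, (subject, issuer) in enumerate(chain[:-1]):
        if issuer == subjects[pos + 1]:
            continue  # the next certificate is this one's issuer (names only)
        if subject == issuer:
            problems.append(f"cert {pos}: self-signed certificate is not last")
        elif issuer in subjects:
            problems.append(f"cert {pos}: issuer is sent at position "
                            f"{subjects.index(issuer)}, expected {pos + 1}")
        else:
            problems.append(f"cert {pos}: issuer {issuer!r} missing from chain")
    return problems

if __name__ == "__main__":
    for problem in check_chain(parse_chain(SAMPLE_MISORDERED)):
        print(problem)
```

A chain that passes this check can still fail verification if the issuer of the last certificate sent is not in the client's trust store.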
