SSL authority chain broken
You guys messing with your SSL setup for user subdomains? Something in your certificate chain is busted.
cURL is reporting back the following error:
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failedint(0)
My git hooks fail, and Zapier is complaining too.
See for yourself here:
http://www.sslshopper.com/ssl-checker.html#hostname=sensaphone.ligh...
Support Staff 1 Posted by Tiger Team on 23 Apr, 2013 08:31 PM
Hmm. We did just switch our ssl load balancers. I'll take a look.
Support Staff 2 Posted by Tiger Team on 23 Apr, 2013 08:42 PM
ok, I've opened a high-priority support ticket with our webhost. It seems to be working on all the browsers I tested. If you need a quick workaround you can point your dns at our old load balancer which is at 184.73.201.0.
3 Posted by Frank Koehl on 23 Apr, 2013 08:54 PM
Good to hear, Courtenay.
FYI, simple browser tests will not work because they are pretty lenient on broken CA chains. As long as the cert for the local site is good, a browser won't complain.
It's a different story with other communication methods. I learned that lesson the hard way.
In this case, git hooks and Zapier communicate with the Lighthouse API calls via cURL, which will halt communication to complain. There is a portion of the RFC standard that allows you to acknowledge and bypass the warnings, but most apps don't expose the functionality ('cause it's really not supposed to happen anyway).
Run an API test from something other than a browser, and you should see the above error.
4 Posted by Frank Koehl on 23 Apr, 2013 09:01 PM
Matching discussion on the Zapier side of the equation.
They provide a workaround to disable SSL checks if this problem pops up again, but it does not appear to help in this instance.
5 Posted by Frank Koehl on 24 Apr, 2013 02:37 PM
No change from my end yet, any word from your web host? I guess high-priority tickets aren't what they used to be. ;-)
Support Staff 6 Posted by Tiger Team on 24 Apr, 2013 03:17 PM
Yes, they fixed this (chain ordering) at 3:00 local time but we have to do the actual deploy - should be done within a few hours!
7 Posted by Frank Koehl on 24 Apr, 2013 04:21 PM
Thanks, please post again once the fix is in place. I'll have to test and then reactivate my API hooks.
Support Staff 8 Posted by Tiger Team on 24 Apr, 2013 06:30 PM
Looks like this has trickled back up and is working again. Thanks for the ticket!
Tiger Team closed this discussion on 24 Apr, 2013 06:30 PM.
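The two server-side conditions this thread touches on (a strict client such as cURL needing the full chain, comment 3, and the chain-ordering fix, comment 6), as an added example that is not part of the original discussion or Lighthouse's own tooling. It builds a constructed throwaway PKI with the `openssl` CLI and checks a served bundle the way a client that trusts only the root would; the function names and the "Test root", "Test int" and "Test leaf" certificates are assumptions made up for the illustration.

```bash
#!/usr/bin/env bash
# Added example. All keys and certificates are constructed throwaway test data.

# Build root -> intermediate -> leaf in directory $1.
make_test_pki() {
  local d=$1 n
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if each certificate in the bundle is issued by the one after it.
chain_order_ok() {
  local bundle=$1 dir f subj want="" rc=0
  dir=$(mktemp -d)
  awk -v d="$dir" '/BEGIN CERTIFICATE/ {n++; f=sprintf("%s/%02d.pem", d, n)}
                   n {print > f}' "$bundle"          # one file per certificate
  [ -e "$dir/01.pem" ] || rc=1                       # empty bundle is a failure
  for f in "$dir"/*.pem; do
    [ "$rc" -eq 0 ] || break
    subj=$(openssl x509 -in "$f" -noout -subject_hash)
    [ -z "$want" ] || [ "$subj" = "$want" ] || rc=1  # must match previous issuer
    want=$(openssl x509 -in "$f" -noout -issuer_hash)
  done
  rm -rf "$dir"
  return "$rc"
}

# Strict-client view: trust only the root ($1), use only what was served ($2).
served_chain_verifies() {
  local leaf rc
  leaf=$(mktemp)
  openssl x509 -in "$2" -out "$leaf"                 # first cert in the bundle
  openssl verify -CAfile "$1" -untrusted "$2" "$leaf" >/dev/null 2>&1 && rc=0 || rc=1
  rm -f "$leaf"
  return "$rc"
}

d=$(mktemp -d) && make_test_pki "$d" && cat "$d/leaf.pem" "$d/int.pem" > "$d/good.pem"
chain_order_ok "$d/good.pem" && served_chain_verifies "$d/root.pem" "$d/good.pem" && echo "full chain: ok"
served_chain_verifies "$d/root.pem" "$d/leaf.pem" || echo "leaf only: strict client rejects"
rm -rf "$d"
```

To check a live endpoint, save the certificates it presents (for example from `openssl s_client -showcerts`) into one PEM file and pass that file as the bundle.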