it’s the first time I configure an SSL certificate on my development
machine (I’m no sysadmin - I need SSL to work with facebook). I decided
to go with ngingx proxying a ruby sinatra application, nothing fancy.
This is the error I get when Facebook tries to connect to my HTTP
server. AFAIK nginx is the culprit here:
Went to https://sandbox.thing.it, the app responded as expected, the
connection was encrypted and the certificate appears to be the correct
one.
Went to Facebook and attempted to register a new page subscription
(Meta Webhooks - Documentation - Meta for Developers). Had the
error reported on the top (SSL_do_handshake() failed) when Facebook
attempted to validate my callback url
On Fri, Nov 27, 2015 at 04:54:29PM +0100, Nicholas W. wrote:
Installed locally nginx and configured like this: gist:f97adc4194b08ea355c8 · GitHub
Restarted both nginx and puma respectively on port 4567 and 8080
Went to https://sandbox.thing.it, the app responded as expected, the connection
was encrypted and the certificate appears to be the correct one.
Went to Facebook and attempted to register a new page subscription
(Meta Webhooks - Documentation - Meta for Developers). Had the error
reported on the top (SSL_do_handshake() failed) when Facebook attempted to
validate my callback url
Note well that if you have no experience with SSL configuration,
it’s a good idea to avoid configuring anything but ssl_certificate
and ssl_certificate_key (and ssl_session_cache for performance
reasons). That is, remove (or comment out) all other ssl_*
directives in your configuration (including ssl_stapling,
ssl_stapling_verify, ssl_prefer_server_ciphers, ssl_protocols,
ssl_ciphers) unless you’ll get it working. You can re-add these
directives later if needed. The error you are seeing is likely
unrelated, but it’s generally better approach anyway.
I’m not entirely sure I understand why I need a certificate
chain. The .crt file is what the provider sent me, that’s what I
use. Should I “chain” the .crt file the provider sent me with
the RapidSSL bundle? This is for testing and development, I
don’t really care about performances, a slow solution is
perfectly fine
Certificate chains are needed, because a typical certificate is
issued by an intermediate CA, while browsers know only about root
CAs. And a web server must supply intermediate CA certificate to a
browser (or other client) for the browser to be able to verify
that the certificate provided by the web server should be trusted.
The link quoted explains how to properly put certs into a
certificate file for things to work, and how to validate that the
result is correct. Normally it’s as easy as just concatenating
your server’s certificate and the bundle provided by your CA. But
things may vary depending on CA - some CAs may provide incorrect
bundles, or certs in a wrong order within the bundle, or there may
be more than one bundle and you’ll have to choose the right one.
That is, it’s a good idea to understand what you are doing and
verify that the resulting chain returned by your server contains
all needed certs in the correct order (see “openssl s_client …”
part of the link).
2015/11/26 15:42:03 [info] 42872#0: *3 SSL_do_handshake() failed (SSL:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert
number 48) while SSL handshaking, client: 31.13.113.70, server: 0.0.0.0:4567
Went to Facebook and attempted to register a new page subscription
(Meta Webhooks - Documentation - Meta for Developers). Had the error
reported on the top (SSL_do_handshake() failed) when Facebook attempted to
validate my callback url
I’m not entirely sure I understand why I need a certificate chain. The
.crt file is what the provider sent me, that’s what I use. Should I
“chain” the .crt file the provider sent me with the RapidSSL bundle?
This is for testing and development, I don’t really care about
performances, a slow solution is perfectly fine
ngw
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.