fails to fetch some https URLs #12

Closed
willnorris opened this Issue Feb 26, 2013 · 12 comments

When attempting to log in using https://willnorris.com, IndieAuth states that it couldn't find any rel="me" links (example). The links are there, as doing discovery on http://willnorris.com works just fine (example).

I suspect that the problem is that I'm using SSL with SNI. Based on this stackoverflow discussion, it seems that a little extra work is necessary to have ruby support SNI.

@aaronpk did you change anything on the indieauth.com server? It doesn't look like you've made any code changes since I filed this issue, but things seem to work fine now.

Owner

aaronpk commented Mar 18, 2013

I didn't, actually... Did you update any SSL config stuff on your server?

nope, haven't touched anything on my end either. After trying a few other things, it looks like perhaps my webhost restarted the Apache server and I just lucked out and now my cert is the first one listed, so it's being served by default. Trying my wife's site results in the same error I was seeing before.

So my personal immediate itch is scratched... at least until the next server reboot :)

Owner

aaronpk commented Jun 18, 2013

Looked at the server logs, it's getting this error from OpenSSL:

"SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed"

Owner

aaronpk commented Jun 18, 2013

Fixed this by installing an updated cert file. It was probably using the default system one before, now it's pushed up and included in the IndieAuth source code. The one I grabbed was from here: https://github.com/stevegraham/certified

This is the main StackOverflow thread that led me to this: http://stackoverflow.com/questions/4528101/ssl-connect-returned-1-errno-0-state-sslv3-read-server-certificate-b-certificat

Owner

aaronpk commented Jun 18, 2013

Fixed in 4b9ae70

aaronpk closed this Jun 18, 2013

As of this morning I am having the same problem (https://self-evident.org/).

Everything has worked fine for months, until today. I have verified that my certificate is current, and was last changed when I renewed it in August. I am pretty sure the root cert (Comodo) is part of the standard bundle shipped with Windows, Firefox, etc.

aaronpk reopened this Dec 2, 2013

the fact that twitter.com/NemoPublius is even showing up as a candidate identity means you're probably not running into the same SSL issue. However, indieauth certainly seems to be having issues verifying the backlinks from Twitter (as well as Google+ and App.net)... the only identity it seems to be confirming for me is GitHub and email: https://indieauth.com/auth?me=https%3A%2F%2Fwillnorris.com#

hmm.. app.net seems not to allow for https links for verified domains. That would explain why that backlink won't work. I'll ping app.net folks about that.

Confirmed: https://github.com/NemoPublius works but https://twitter.com/NemoPublius fails.

Thanks for the work-around, Will.

just FYI, app.net now supports https rel=me links: https://alpha.app.net/willnorris/post/27683254

Owner

aaronpk commented Apr 4, 2014

Awesome!

Also, to update this thread, I've moved indieauth.com to a new server with a much better list of root CAs, so we shouldn't have trouble with SSL certs anymore!

I'll close this thread; if anyone still encounters errors where indieauth.com is not able to read your site, feel free to re-open.

aaronpk closed this Apr 4, 2014
