Nginx SSL_do_handshake() failed

It’s the first time I configure an SSL certificate on my development
machine (I’m no sysadmin - I need SSL to work with Facebook). I decided
to go with nginx proxying a Ruby Sinatra application, nothing fancy.

This is the error I get when Facebook tries to connect to my HTTP
server. AFAIK nginx is the culprit here:

2015/11/26 15:42:03 [info] 42872#0: *3 SSL_do_handshake() failed (SSL:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL
alert number 48) while SSL handshaking, client: 31.13.113.70, server:
0.0.0.0:4567

This is what I did:

Downloaded the cert (a .key, a .crt and a .csr) from RapidSSL
Downloaded the trusted cert from RapidSSL
(https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem)
and saved locally under /etc/ssl/cert/
Installed nginx locally and configured it like this:
gist:f97adc4194b08ea355c8 · GitHub
Restarted both nginx and puma respectively on port 4567 and 8080

Went to https://sandbox.thing.it, the app responded as expected, the
connection was encrypted and the certificate appears to be the correct
one.

Went to Facebook and attempted to register a new page subscription
(Meta Webhooks - Documentation - Meta for Developers). Had the
error reported at the top (SSL_do_handshake() failed) when Facebook
attempted to validate my callback URL.

Any suggestion?

Thanks for your time,
ngw

Hello!

On Fri, Nov 27, 2015 at 04:54:29PM +0100, Nicholas W. wrote:

> Installed nginx locally and configured it like this:
> gist:f97adc4194b08ea355c8 · GitHub
> Restarted both nginx and puma respectively on port 4567 and 8080
>
> Went to https://sandbox.thing.it, the app responded as expected, the connection
> was encrypted and the certificate appears to be the correct one.
>
> Went to Facebook and attempted to register a new page subscription
> (Meta Webhooks - Documentation - Meta for Developers). Had the error
> reported at the top (SSL_do_handshake() failed) when Facebook attempted to
> validate my callback URL.
>
> Any suggestion?

Make sure to properly configure certificate chains, see
http://nginx.org/en/docs/http/configuring_https_servers.html#chains
for details.

Note well that if you have no experience with SSL configuration,
it’s a good idea to avoid configuring anything but ssl_certificate
and ssl_certificate_key (and ssl_session_cache for performance
reasons). That is, remove (or comment out) all other ssl_*
directives in your configuration (including ssl_stapling,
ssl_stapling_verify, ssl_prefer_server_ciphers, ssl_protocols,
ssl_ciphers) until you get it working. You can re-add these
directives later if needed. The error you are seeing is likely
unrelated, but it’s generally a better approach anyway.


Maxim D.
http://nginx.org/

Hello!

On Fri, Nov 27, 2015 at 05:41:23PM +0100, Nicholas W. wrote:

> On 27 Nov 2015, at 17:14, Maxim D. wrote:
>
> […]
>
> > Make sure to properly configure certificate chains, see
> > Configuring HTTPS servers
> > for details.
>
> I’m not entirely sure I understand why I need a certificate
> chain. The .crt file is what the provider sent me, that’s what I
> use. Should I “chain” the .crt file the provider sent me with
> the RapidSSL bundle? This is for testing and development, I
> don’t really care about performance, a slow solution is
> perfectly fine.

Certificate chains are needed because a typical certificate is
issued by an intermediate CA, while browsers know only about root
CAs. So a web server must supply the intermediate CA certificate to a
browser (or other client) for the browser to be able to verify
that the certificate provided by the web server should be trusted.

The link quoted explains how to properly put certs into a
certificate file for things to work, and how to validate that the
result is correct. Normally it’s as easy as just concatenating
your server’s certificate and the bundle provided by your CA. But
things may vary depending on the CA - some CAs may provide incorrect
bundles, or certs in the wrong order within the bundle, or there may
be more than one bundle and you’ll have to choose the right one.
That is, it’s a good idea to understand what you are doing and
verify that the resulting chain returned by your server contains
all needed certs in the correct order (see the “openssl s_client …”
part of the link).


Maxim D.
http://nginx.org/
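Concretely, the "concatenate, then verify the order" step from the reply above looks like this. This is an added example, not code from the thread or from nginx: it generates a throwaway root/intermediate/server PKI (constructed, so it runs offline), builds the chained file nginx's ssl_certificate expects, and checks that every certificate in the file is followed by the certificate that issued it, which is what the openssl s_client output in the linked docs lets you eyeball by hand.

```shell
#!/bin/sh
# Added example (not from the thread): build the chained certificate file that
# nginx expects (server cert first, then the CA bundle) and check that each
# certificate in it is followed by the certificate that issued it. Needs openssl.
set -eu

# Constructed test PKI (root -> intermediate -> server) so this runs offline.
make_test_pki() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sandbox.example" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}

# build_chain SERVER_CRT CA_BUNDLE OUT: the concatenation the nginx docs describe.
build_chain() { cat "$1" "$2" > "$3"; }
# check_chain_order FILE: return 0 if cert N+1 is the issuer of cert N for all N.
check_chain_order() {
  tmp=$(mktemp -d)
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  # Split the PEM file into cert-1.pem, cert-2.pem, ... in file order.
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} {print > (d "/cert-" n ".pem")}' "$1"
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "chain broken: certificate $i is not followed by its issuer" >&2
      rm -rf "$tmp"; return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

pki=$(mktemp -d); make_test_pki "$pki"
build_chain "$pki/server.crt" "$pki/int.crt" "$pki/chained.crt"   # right order
check_chain_order "$pki/chained.crt" && echo "chained.crt: order OK"
build_chain "$pki/int.crt" "$pki/server.crt" "$pki/wrong.crt"     # bundle first
check_chain_order "$pki/wrong.crt" || echo "wrong.crt: rejected"
# Live check after "nginx -s reload": openssl s_client -connect HOST:443 -showcerts
```

Point ssl_certificate at the file that passes the check; the root certificate itself does not need to be in it, since clients already have the roots.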


> Make sure to properly configure certificate chains, see
> Configuring HTTPS servers
> http://nginx.org/en/docs/http/configuring_https_servers.html#chains
> for details.

I’m not entirely sure I understand why I need a certificate chain. The
.crt file is what the provider sent me, that’s what I use. Should I
“chain” the .crt file the provider sent me with the RapidSSL bundle?
This is for testing and development, I don’t really care about
performance, a slow solution is perfectly fine.

ngw