3

Shortly after we renewed our SSL certificate on Heroku, all Mailgun webhooks (post requests made by Mailgun to our endpoint so that we can track email deliveries) started failing with the error "Could not connect to remote server: HTTPS certificate validation failure".

How could we check whether this issue might be caused from misconfiguration of our SSL certificate rather than an issue on Mailgun's side?

Here are the details of steps we took to renew and install the certificate:

  • We followed these instructions to generate a new private key and CSR.
  • After uploading the CSR and downloading the CRT file on Namecheap, we ran heroku certs:update as described here.

These are the checks we made to verify successful installation of the new certificate:

  • Navigated to our site with Chrome, Safari, and Firefox and checked the certificates. Everything looks right.
  • Ran heroku certs. The certificate looks good and it is shown as trusted.
  • Used the online checker here and here (as watery suggested in the comments). Everything is green.
  • Verified with Namecheap that the intermediates were setup correctly. They basically confirmed that the output of openssl s_client -showcerts -connect www.mysite.com:443 looks right.

A potential lead:

  • After running brew update openssl and rvm install 2.3.1 --disable-binary, the following was observed. Running Net::HTTP.get URI('https://www.google.com') works, while the same command with our URL fails with OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed.
  • However, running Net::HTTP.get for our URL on a freshly installed linux Docker container does not fail, so there may be additional environment factors.

Any leads to the likely cause of this issue, or suggestions for steps we can take to find such lead, are much appreciated.

AmitA
  • 3,239
  • 1
  • 22
  • 31
  • The [SSL Server Test](https://www.ssllabs.com/ssltest/) by SSL Labs seems to go more in-depth, could be worth a try. – watery May 01 '16 at 10:29
  • Also - if I'm not confusing Namecheap with another provider - did you set up the new certificate together with any intermediate certificate they provided you? – watery May 01 '16 at 10:32
  • Thanks watery. I ran the test you suggested and got an overall rating of "A+" with most green (only red issues were related to IE 6). Regarding the intermediate certificate - no I did not set up intermediate certificates. Thanks for pointing that out .I'll check with them whether this was necessary or not. – AmitA May 01 '16 at 10:42
  • I talked with Namecheap support and they confirmed that our intermediates are configured correctly.. – AmitA May 01 '16 at 10:57

2 Answers2

0

The issue was found as described in my other related question. COMODO added a new root called COMODO RSA Certification Authority instead of the previous COMODO Certification Authority. The new root was not whitelisted by Mailgun. I contacted support, and they are working to whitelist it.

Community
  • 1
  • 1
AmitA
  • 3,239
  • 1
  • 22
  • 31
0

I think this is related to SSL chaining issue. Please check the ssl certificate you are using must be in order of domain_cert > root_cert > intermediate_cert(they can be multiple). You need to concat certificate in fixed order to fix this issue. I hope this helps you. For more you can test you website ssl in this https://www.ssllabs.com/ssltest/

Mohammed Aadil
  • 153
  • 7