问题
Shortly after we renewed our SSL certificate on Heroku, all Mailgun webhooks (post requests made by Mailgun to our endpoint so that we can track email deliveries) started failing with the error "Could not connect to remote server: HTTPS certificate validation failure".
How could we check whether this issue might be caused from misconfiguration of our SSL certificate rather than an issue on Mailgun's side?
Here are the details of steps we took to renew and install the certificate:
- We followed these instructions to generate a new private key and CSR.
- After uploading the CSR and downloading the CRT file on Namecheap, we ran
heroku certs:updateas described here.
These are the checks we made to verify successful installation of the new certificate:
- Navigated to our site with Chrome, Safari, and Firefox and checked the certificates. Everything looks right.
- Ran
heroku certs. The certificate looks good and it is shown astrusted. - Used the online checker here and here (as watery suggested in the comments). Everything is green.
- Verified with Namecheap that the intermediates were setup correctly. They basically confirmed that the output of
openssl s_client -showcerts -connect www.mysite.com:443looks right.
A potential lead:
- After running
brew update opensslandrvm install 2.3.1 --disable-binary, the following was observed. RunningNet::HTTP.get URI('https://www.google.com')works, while the same command with our URL fails withOpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed. - However, running
Net::HTTP.getfor our URL on a freshly installed linux Docker container does not fail, so there may be additional environment factors.
Any leads to the likely cause of this issue, or suggestions for steps we can take to find such lead, are much appreciated.
回答1:
The issue was found as described in my other related question. COMODO added a new root called COMODO RSA Certification Authority instead of the previous COMODO Certification Authority. The new root was not whitelisted by Mailgun. I contacted support, and they are working to whitelist it.
回答2:
I think this is related to SSL chaining issue. Please check the ssl certificate you are using must be in order of domain_cert > root_cert > intermediate_cert(they can be multiple). You need to concat certificate in fixed order to fix this issue. I hope this helps you. For more you can test you website ssl in this https://www.ssllabs.com/ssltest/
来源:https://stackoverflow.com/questions/36965535/mailgun-webhooks-https-certificate-validation-failure-after-renewing-ssl-cert