简体繁体 English

Mailgun webhooks：续订SSL证书后“HTTPS证书验证失败”

[英]Mailgun webhooks: “HTTPS certificate validation failure” after renewing SSL certificte

原文 2016-05-01 10:22:41 2 2 ssl/ ssl-certificate/ mailgun

Shortly after we renewed our SSL certificate on Heroku, all Mailgun webhooks (post requests made by Mailgun to our endpoint so that we can track email deliveries) started failing with the error "Could not connect to remote server: HTTPS certificate validation failure". 在我们在Heroku上续订SSL证书后不久，所有Mailgun webhooks（Mailgun发送到我们的端点的请求以便我们可以跟踪电子邮件发送）开始失败，并显示错误“无法连接到远程服务器：HTTPS证书验证失败”。

How could we check whether this issue might be caused from misconfiguration of our SSL certificate rather than an issue on Mailgun's side? 我们如何检查这个问题是否可能是由于我们的SSL证书配置错误而不是Mailgun方面的问题？

Here are the details of steps we took to renew and install the certificate: 以下是我们续订和安装证书所采取的步骤的详细信息：

We followed these instructions to generate a new private key and CSR. 我们按照这些说明生成了新的私钥和CSR。
After uploading the CSR and downloading the CRT file on Namecheap, we ran heroku certs:update as described here . 上传CSR和下载上Namecheap的CRT文件后，我们跑了heroku certs:update描述这里。

These are the checks we made to verify successful installation of the new certificate: 这些是我们为验证新证书的成功安装而进行的检查：

Navigated to our site with Chrome, Safari, and Firefox and checked the certificates. 使用Chrome，Safari和Firefox导航到我们的网站并检查证书。 Everything looks right. 一切看起来都合适。
Ran heroku certs . 跑heroku certs 。 The certificate looks good and it is shown as trusted . 证书看起来很好，并显示为trusted 。
Used the online checker here and here (as watery suggested in the comments). 在这里和这里使用在线检查器（在评论中建议使用）。 Everything is green. 一切都是绿色的。
Verified with Namecheap that the intermediates were setup correctly. 使用Namecheap验证中间体是否正确设置。 They basically confirmed that the output of openssl s_client -showcerts -connect www.mysite.com:443 looks right. 他们基本上确认openssl s_client -showcerts -connect www.mysite.com:443的输出看起来是正确的。

A potential lead: 潜在的领先优势：

After running brew update openssl and rvm install 2.3.1 --disable-binary , the following was observed. 运行brew update openssl和rvm install 2.3.1 --disable-binary之后，观察到以下内容。 Running Net::HTTP.get URI('https://www.google.com') works, while the same command with our URL fails with OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed . 运行Net::HTTP.get URI('https://www.google.com')有效，而与我们的URL相同的命令失败， OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed 。
However, running Net::HTTP.get for our URL on a freshly installed linux Docker container does not fail, so there may be additional environment factors. 但是，在新安装的Linux Docker容器上为我们的URL运行Net::HTTP.get不会失败，因此可能还有其他环境因素。

Any leads to the likely cause of this issue, or suggestions for steps we can take to find such lead, are much appreciated. 任何可能导致此问题的原因，或者我们可以采取的寻找此类潜在客户的步骤的建议都非常感谢。

2 个解决方案

The issue was found as described in my other related question . 我的其他相关问题中描述了该问题。 COMODO added a new root called COMODO RSA Certification Authority instead of the previous COMODO Certification Authority . COMODO添加了一个名为COMODO RSA Certification Authority的新根，而不是之前的COMODO Certification Authority 。 The new root was not whitelisted by Mailgun. Mailgun没有将新根列入白名单。 I contacted support, and they are working to whitelist it. 我联系了支持人员，他们正在努力将其列入白名单。

I think this is related to SSL chaining issue. 我认为这与SSL链接问题有关。 Please check the ssl certificate you are using must be in order of domain_cert > root_cert > intermediate_cert(they can be multiple). 请检查您使用的ssl证书必须是domain_cert> root_cert> intermediate_cert的顺序（它们可以是多个）。 You need to concat certificate in fixed order to fix this issue. 您需要按固定顺序连接证书以解决此问题。 I hope this helps you. 我希望这可以帮助你。 For more you can test you website ssl in this https://www.ssllabs.com/ssltest/ 有关更多内容，您可以在此https://www.ssllabs.com/ssltest/中测试您的网站ssl