Posts Tagged ‘ssl’

Problems validating iTunes Podcast

Friday, December 23rd, 2016 | Tech


Recently I launched the Worfolk Anxiety Podcast and as part of that, submitted it to the Apple iTunes Store for listing. The problem was that every time I tried I would get an error:

Unable to read your feed

After searching the web I found a lot of reports that Apple only had limited support for SSL: there were only eight trusted providers and you could not use anyone else. For example, any certificates issued by Let’s Encrypt would not work.

However, this did not make any sense because I had a GeoTrust RapidSSL certificate, and GeoTrust was supported.

I emailed Apple support and we began a backwards and forwards discussion about it. They suggested that although my feed validated on most validators, there were a few where it did not, and I should address these issues. The issue was that you cannot use SSL in the strict RSS standard because URLs must begin with http and not https.

I fixed this, and still nothing.

I even tried purchasing an SSL certificate from Comodo in case Apple had a problem with the RapidSSL intermediate between my certificate and the GeoTrust root certificate. That did not help either, so I now have a duplicate certificate that is of absolutely no use.

Finally, Apple sent me the command they were running.

curl --head https://www.worfolkanxiety.com/podcast/feed

Suddenly it all made sense! They were making a HEAD request, rather than a GET request. I am using the Rauma PHP framework (that I also wrote) and you have to specify which verbs you would like to support. That end-point is tagged as a GET end-point, so did not respond to a HEAD request.

Once I added support for HEAD requests, it all started working. I even changed the MP3 files and artwork back to HTTPS and it still worked.

I have since rolled out an update to the Rauma framework so that it automatically adds support for HEAD requests when you add a GET request. However, there are many other frameworks where you specify the verbs you want to support, so if you run into a similar issue, check to see if that is the cause of your problem.
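An added example, not code from the Rauma framework or the original post: a Python standard-library reproduction of the same failure, where an end-point that registers only GET rejects the HEAD request that `curl --head` sends, and the fixed end-point answers it with GET's headers and no body. The handler classes, `probe` and the feed body are constructed for illustration; the 501 status is what Python's `http.server` returns for an unregistered verb and other frameworks may answer differently.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample feed body, not the real podcast feed.
FEED = b'<?xml version="1.0"?><rss version="2.0"><channel><title>Constructed feed</title></channel></rss>'

class GetOnlyFeed(BaseHTTPRequestHandler):
    """End-point registered for GET only, like the feed route before the fix."""
    def do_GET(self):
        self._reply(send_body=True)

    def _reply(self, send_body):
        self.send_response(200)
        self.send_header("Content-Type", "application/rss+xml")
        self.send_header("Content-Length", str(len(FEED)))
        self.end_headers()
        if send_body:
            self.wfile.write(FEED)

    def log_message(self, *args):  # silence per-request logging
        pass

class GetAndHeadFeed(GetOnlyFeed):
    """Same end-point after the fix: HEAD returns GET's headers with no body."""
    def do_HEAD(self):
        self._reply(send_body=False)

def probe(handler_cls, path="/podcast/feed"):
    """Serve handler_cls on a loopback port; return {method: (status, body_length)}."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for method in ("GET", "HEAD"):
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request(method, path)
            resp = conn.getresponse()
            results[method] = (resp.status, len(resp.read()))
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results

if __name__ == "__main__":
    print("GET only:    ", probe(GetOnlyFeed))
    print("GET and HEAD:", probe(GetAndHeadFeed))
```

Probing a feed with both verbs before submitting it shows this mismatch immediately, whereas a browser or a GET-based validator never will.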

SSL unable to get local issuer

Saturday, November 19th, 2016 | Tech

If you have installed an SSL certificate and it appears to work fine in the browser, but does not work in places like the W3 feeds validator or iTunes Connect, a good way to debug it is to use cURL from the command line.

You may get back an “unable to get local issuer certificate” error.

$ curl https://www.your-domain.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

If so, this means that you have successfully installed your SSL certificate, but you have not included the intermediate certificates. These form an essential part of the chain up to the root certificate and need to be included when you install it.

They are typically distributed in .bundle files that come with your .crt file.

cURL SSLv3 calls failing

Wednesday, July 22nd, 2015 | Programming, Tech

If you try and connect over HTTPS/SSL with cURL you may get an error similar to:

sslv3 alert handshake failure

Or:

Unknown SSL protocol error in connection

If you cannot see a descriptive error message, use --verbose to report everything.

The cause of this is often that hosts have disabled SSLv3 because it has now been compromised. The solution is to use TLS, which is a newer, more secure protocol.

curl --tlsv1 --verbose hostname

If you are using cURL in PHP you can change the SSL version to use TLSv1.2.

CURLOPT_SSLVERSION => 6 // 6 is the value of CURL_SSLVERSION_TLSv1_2

You should then be able to make the cURL request over SSL successfully.

cPanel certificates expiring

Sunday, March 22nd, 2015 | Tech

If you use self-signed certificates on cPanel and WHM, they will still expire each year. You may find yourself getting an email such as:

The SSL certificate for ftp on host.example.com will expire in less than 30 days.

Your server’s SSL certificate for ftp will expire in less than 30 days. You need to install a new certificate as soon as possible. You can install a new certificate using WHM’s “Manage Service SSL Certificates” interface: https://host.example.com:2087/scripts2/manageservicecrts (Main >> Service Configuration >> Manage Service SSL Certificates).

To resolve this, click the link as suggested by the email. Then, next to each service, click “Reset Certificate”. This will generate a fresh certificate and automatically install it.