Recent SSL issue when verifying assertion

Discussion:

James Shore

2016-03-08 03:38:15 UTC

My logins started failing today when I try to verify the Persona assertion: “unable to verify the first certificate.”

When I use the command-line `http` tool to do a HTTP GET https://verifier.login.persona.org <https://verifier.login.persona.org/>, I get the following error:

SSLError: EOF occurred in violation of protocol (_ssl.c:590)

But when I load the same URL in Firefox, everything works fine. What could be happening here? I haven’t deployed new code. Is there a server-side config change that’s affecting me in some way?

Thanks,
Jim

--
James Shore - The Art of Agile
recipient of Gordon Pask Award for Contributions to Agile Practice
co-author of The Art of Agile Development

voice: +1 503-267-5490
email: ***@jamesshore.com
blog: http://jamesshore.com

s***@gmail.com

2016-03-08 04:41:45 UTC

Permalink

My logins started failing today when I try to verify the Persona assertion: "unable to verify the first certificate."
SSLError: EOF occurred in violation of protocol (_ssl.c:590)
But when I load the same URL in Firefox, everything works fine. What could be happening here? I haven't deployed new code. Is there a server-side config change that's affecting me in some way?
Thanks,
Jim
--
James Shore - The Art of Agile
recipient of Gordon Pask Award for Contributions to Agile Practice
co-author of The Art of Agile Development
voice: +1 503-267-5490
blog: http://jamesshore.com

Sorry, Jim - I don't have a solution, but wanted to note that Mozilla sites are also affected by something, starting around 7:56p PDT (perhaps earlier).

This is affecting MozTrap, One and Done, Mozillians, One and Done, and probably other sites, on dev, staging, and production.

When we use the "requests" library in Python to verify the cert, we throw:

SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

- Stephen

John Morrison

2016-03-08 05:23:39 UTC

Permalink

On 03/07/16 20:41, ***@gmail.com wrote:
Hi, we had a misconfiguration in a change on the backend. Should be
better now. How's it look to you?

John

Post by s***@gmail.com

Sorry, Jim - I don't have a solution, but wanted to note that Mozilla sites are also affected by something, starting around 7:56p PDT (perhaps earlier).
This is affecting MozTrap, One and Done, Mozillians, One and Done, and probably other sites, on dev, staging, and production.
SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
- Stephen
_______________________________________________
dev-identity mailing list
https://lists.mozilla.org/listinfo/dev-identity

Daniel Thorn

2016-03-08 05:16:02 UTC

Permalink

I updated the ssl certs today, it will be rolled back soon.

Post by James Shore
My logins started failing today when I try to verify the Persona

assertion: "unable to verify the first certificate."

Post by James Shore
When I use the command-line `http` tool to do a HTTP GET

https://verifier.login.persona.org <https://verifier.login.persona.org/>,

Post by James Shore
SSLError: EOF occurred in violation of protocol (_ssl.c:590)
But when I load the same URL in Firefox, everything works fine. What

could be happening here? I haven't deployed new code. Is there a
server-side config change that's affecting me in some way?

Post by James Shore
Thanks,
Jim
--
James Shore - The Art of Agile
recipient of Gordon Pask Award for Contributions to Agile Practice
co-author of The Art of Agile Development
voice: +1 503-267-5490
blog: http://jamesshore.com

Sorry, Jim - I don't have a solution, but wanted to note that Mozilla
sites are also affected by something, starting around 7:56p PDT (perhaps
earlier).
This is affecting MozTrap, One and Done, Mozillians, One and Done, and
probably other sites, on dev, staging, and production.
SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
- Stephen
_______________________________________________
dev-identity mailing list
https://lists.mozilla.org/listinfo/dev-identity

--
-Daniel Thorn
Mozilla Services Operations Engineer

Stephen Donner

2016-03-08 20:52:42 UTC

Permalink

Thanks, Daniel -

This indeed fixed it for us.

- Stephen

Post by Daniel Thorn
I updated the ssl certs today, it will be rolled back soon.

Post by James Shore
My logins started failing today when I try to verify the Persona

assertion: "unable to verify the first certificate."

Post by James Shore
When I use the command-line `http` tool to do a HTTP GET

https://verifier.login.persona.org

Post by James Shore
SSLError: EOF occurred in violation of protocol (_ssl.c:590)
But when I load the same URL in Firefox, everything works fine.

What could be happening here? I haven't deployed new code. Is
there a server-side config change that's affecting me in some way?

Sorry, Jim - I don't have a solution, but wanted to note that
Mozilla sites are also affected by something, starting around
7:56p PDT (perhaps earlier).
This is affecting MozTrap, One and Done, Mozillians, One and Done,
and probably other sites, on dev, staging, and production.
SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
- Stephen
_______________________________________________
dev-identity mailing list
https://lists.mozilla.org/listinfo/dev-identity
--
-Daniel Thorn
Mozilla Services Operations Engineer