Neal Sorensen asked

SSL CA Chain not working

My site's certificate isn't directly signed by a trusted CA, but a trusted CA is the root signer and the echo service won't accept it. Trusted CA -> Intermediate Chain CA -> My Cert. Is the echo service supposed to support cert chains? And if not, will it ever? Firefox doesn't have any issues with the cert because it follows the chain and finds the trusted root CA.
Tags: alexa skills kit, submission testing certification
James Chivers answered
Hi Neal,

Are you seeing a specific issue (like 'SSL handshake error') when Alexa is attempting to connect to your app backend?

I think Alexa is supposed to support what you're requesting, but with my certs I specifically bundled all three, i.e. Root + Intermediate + Server, into a single chained cert, and placed that bundled cert into my webserver for presentation, thus:

- domain.com.server.crt - your SSL cert for your domain
- domain.com.intermediate.crt - the SSL cert from your provider (who have signed domain.com.server.crt)
- domain.com.root.crt - the SSL cert that is the root cert that signed your provider's cert (and that exists in https://wiki.mozilla.org/CA:IncludedCAs)

Then, bundle the certs together like:

    cat domain.com.server.crt domain.com.intermediate.crt domain.com.root.crt > domain.com.chained.crt

A quick way to determine whether all three certs are being correctly served would be to use something like https://www.sslshopper.com/ssl-checker.html, as that'll show you the cert chain and whether it's broken or not.

Let me know if the above is any help, and what specifically you're seeing, and I'll try to help further.

Cheers,
James
Neal Sorensen answered
I've chained my certs but it doesn't work. The server's cert checks out fine: https://www.sslshopper.com/ssl-checker.html#hostname=spriton.com

Here's the error:

    Request Identifier: amzn1.echo-api.request.5a437876-28b6-4345-9971-323c99451619
    The certificate does not have a path to a trusted authority. This happens if you are using a self signed certificate.

The cert isn't self-signed, it is signed by a Mozilla-trusted CA at the root of the chain.
James Chivers answered
Hi Neal, the cert is definitely fine and, as you say, trusted by a root CA in the https://wiki.mozilla.org/CA:IncludedCAs pool.

Ok, two ideas for you. First, can you double-check your app settings here: https://developer.amazon.com/edw/home.html#/ to confirm that under 'SSL Certificate' you definitely do not have "I will upload a self-signed certificate in X.509 format" selected? (I know, you've probably confirmed this already, but with the recent app portal update, something might have changed under the hood...)

Second, can you confirm that your app endpoint hangs off the 'www' subdomain? For example: https://www.spriton.com/path/to/alexa/app

The reason I ask is that your SSL cert is not a wildcard, and so if you're serving from a different subdomain it will probably fail to handshake correctly.

Cheers,
James
Neal Sorensen answered
When I choose the 'Self-signed cert' option and provide my cert, it works fine. I only get the error when I choose the 'trusted CA' option. My app endpoint is https://spriton.com/echo/bible and https://www.spriton.com/echo/bible also works, so those are valid for the cert. I don't use any other subdomains on there. I don't think the echo service is following the CA chain properly.
Anil answered
Hi Neal,

I'm not an expert on SSL chains, but it looks like your chain, although correct, could be improved. I understand that in the case where multiple chains are possible the best possible chain should be used. StartCom has both a SHA1withRSA and a better SHA256withRSA cert. The latter is the stronger one; however, your certificate chain includes the former.

You could try removing the last certificate from the chain you serve up (since you shouldn't need to include the root CA cert) and see if that improves things. Have a look at the paths: https://www.ssllabs.com/ssltest/analyze.html?d=spriton.com

Cheers,
Anil
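
A worked version of the bundling check James describes above and the lean-chain inspection Anil suggests, added here as an example and not code posted by anyone in the thread. It uses the openssl command line to mint a throwaway Root -> Intermediate -> Server chain (the CA names, the example.test hostname and the file layout under $WORK are all constructed), then asks, as a TLS client that trusts only the root would, which served bundles actually build a path to that root, and lists each cert's signature algorithm and whether it is a self-signed root the server has no need to send.

```shell
#!/bin/sh
# Added example (not from the thread): mint a throwaway Root -> Intermediate -> Server
# chain with openssl, then check what a client that trusts only the root can verify
# from the bundle a web server presents. Every name and file here is constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# A cert can only act as an intermediate if it carries CA:TRUE and keyCertSign;
# without these openssl (like a browser) refuses to use it in the path.
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
subjectAltName=DNS:example.test'

# new_csr NAME CN: fresh RSA key and CSR under $WORK
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# make_chain: root.crt (self-signed) signs intermediate.crt, which signs server.crt
make_chain() {
  printf '%s\n' "$CA_EXT" > "$WORK/ca.ext"
  printf '%s\n' "$LEAF_EXT" > "$WORK/leaf.ext"
  new_csr root "Example Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -sha256 -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  new_csr intermediate "Example Intermediate CA"
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -sha256 -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
  new_csr server "example.test"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -sha256 -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" 2>/dev/null
}

# chain_verifies BUNDLE: can server.crt be chained to the trusted root when the
# only extra certs on hand are those in BUNDLE, i.e. what the TLS client was sent?
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# sig_alg CERT: the algorithm CERT was signed with (sha256WithRSAEncryption vs the
# weaker sha1WithRSAEncryption that SSL Labs flags in an alternative path)
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -1
}

# split_bundle BUNDLE: one file per PEM cert ($WORK/part.1, part.2, ...); prints the count
split_bundle() {
  rm -f "$WORK"/part.*
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/part." n)}' "$1"
  ls "$WORK"/part.* | wc -l | tr -d ' '
}

# describe_bundle BUNDLE: per cert, print its signature algorithm, whether it is
# self-signed (a root the client must already trust, so the server need not send it),
# and subject/issuer so a gap between consecutive certs is easy to spot.
describe_bundle() {
  n=$(split_bundle "$1")
  i=1
  while [ "$i" -le "$n" ]; do
    f="$WORK/part.$i"
    subj=$(openssl x509 -in "$f" -noout -subject)
    iss=$(openssl x509 -in "$f" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then kind=self-signed; else kind=issued; fi
    echo "$i: $(sig_alg "$f") $kind $subj / $iss"
    i=$((i + 1))
  done
}

# self_signed_count BUNDLE: how many root certs the server is sending (ideally 0)
self_signed_count() {
  describe_bundle "$1" | grep -c ' self-signed ' || true
}

# Three bundles a server might present: the full concatenation James describes,
# the leaner server+intermediate Anil suggests, and the leaf alone.
make_chain
cat "$WORK/server.crt" "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/chained-with-root.crt"
cat "$WORK/server.crt" "$WORK/intermediate.crt" > "$WORK/chained.crt"
cp "$WORK/server.crt" "$WORK/leaf-only.crt"
for b in chained-with-root chained leaf-only; do
  if chain_verifies "$WORK/$b.crt"; then r=verifies; else r="NO PATH TO TRUSTED ROOT"; fi
  echo "$b.crt: $r, roots sent: $(self_signed_count "$WORK/$b.crt")"
done
describe_bundle "$WORK/chained-with-root.crt"
```

The leaf-only bundle is the shape that produces a "no path to a trusted authority" result on a strict client: the server never sent the intermediate, and a client that trusts only roots cannot invent it. Browsers often mask exactly this failure with intermediates cached from earlier sites (and, in some browsers, by fetching the issuer over the network), which is why Firefox can accept a chain that another client rejects; the server-side fix is to ship the intermediate, and the root can be dropped because sending it adds bytes without adding trust.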

Neal Sorensen answered
I removed the last cert from my chain and got an A SSL rating and it still didn't work. I switched over to Cloudflare and tried the wildcard cert option and I still get the same error. I wonder how often the echo service updates its DNS cache.
Anil answered
I was having SNI issues with my setup originally so tried switching to Cloudflare. Since Cloudflare issues a non-wildcard certificate but requires SNI I don't think it will work - at least it didn't work for me.
Nick Gardner answered
Hi Neal,

Are you still having this issue?

Thanks,
Nick