Anil asked

SSL Certificate issues

Anyone have tips on resolving https issues? My app was working fine using a wildcard certificate. I switched to a Comodo non-wildcard certificate, but now I get an error when making requests from Echo:

    SSL handshake failed
    The SSL handshake to endpoint Resource [ https://www.wakecomputer.com/compliment], Type [HTTP] failed. Please check that your java keystore is correctly configured

I checked the SSL cert against a number of different online SSL checkers; none of them saw any problems. My cert does have two domains on it (www.wakecomputer.com and wakecomputer.com; the latter was automatically included when I requested the cert). I tried switching to Cloudflare in hopes that that would resolve my problem. It didn't. With Cloudflare on, I now get this error from Amazon:

    Hostname verification failed
    The DNS entries in the certificate presented do not match the target endpoint Resource [ https://www.wakecomputer.com/myendpoint], Type [HTTP]

Perhaps it's my lack of experience with SSL configuration, or perhaps there are some nuances that I don't understand imposed by Echo. Anyone with ideas? Thanks! Anil
alexa skills kit

Anil answered
I've removed Cloudflare; the certificate still looks fine, and the root fingerprint is in the Mozilla whitelist. Here's the SSL report: https://www.ssllabs.com/ssltest/analyze.html?d=www.wakecomputer.com&s=23.22.6.115 Apart from "Contains anchor", which is really more of an informational note than anything else, I don't see any reason why Echo reports that the handshake isn't working.

Stefan Negritoiu answered
I also wasted a bunch of time troubleshooting HTTPS cert issues. The only thing I see in your configuration that might be causing problems is "This site works only in browsers with SNI support." Someone from Alexa should confirm that their HTTPS client that calls apps supports SNI (where multiple SSL websites are served from the same IP address). If they do, then it's a different problem.

James Chivers answered
Hey Anil - if this is a wildcard certificate, then the CN (Common Name) must be set to: *.wakecomputer.com. Right now, it looks like it's set to: www.wakecomputer.com. You can address this by revoking the SSL cert and regenerating your CSR once more. This process is typically free, so just repeat the steps you took and redeploy the cert. Let me know how it goes.

Anil answered
Thanks freebusy, James. Yeah, I can't believe how much time I'm wasting on this SSL issue. Thanks for the info on SNI, freebusy. If your suspicion is right, then it means I can't use OpenShift, which is a huge pain since I already have my app there. It would also explain why CloudFlare didn't work. James, no, the certificate I installed should not be a wildcard. I was using a wildcard previously, and it worked fine, but since that's not allowed to get app approval I switched to a non-wildcard cert.

James Chivers answered
Ah, yeah - sorry, just re-read your original post and you do say you swapped it out with a non-wildcard cert. I'm running my app on Google App Engine and was getting SSL handshake errors with both cert types - even though the CA was in the required Mozilla CA cert list, I'm serving the full chain (e.g. root + intermediate + server), etc. In the end, I installed the cert under nginx on a VPS and configured it to reverse proxy requests back out to App Engine (although this is hacky and a giant single point of failure, I know). This could be a temporary solution for you if moving off OpenHost is going to be a headache. freebusy might be onto something - App Engine uses SNI - so maybe the Alexa platform cannot work with it? Amazon - can you confirm whether your client works with SNI ( http://en.wikipedia.org/wiki/Server_Name_Indication) please?
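
Added example (editor's code, not written by Anil, James, Stefan, Amazon or anyone else in this thread): a Python script covering the two things the thread is actually circling around. First, the name check behind "Hostname verification failed": SAN DNS entries take precedence over the CN, and a wildcard covers exactly one leftmost label, so *.wakecomputer.com matches www.wakecomputer.com but not the apex wakecomputer.com. Second, an SNI probe that handshakes once with the SNI extension and once without it, validating the chain against the system trust store both times, so you can tell "this endpoint only works for SNI-capable clients" apart from "this certificate is broken". The two certificate dicts are constructed samples in the shape ssl.SSLSocket.getpeercert() returns; www.wakecomputer.com is only the default target; probe_tls and sni_report need network access, the matching functions run offline.

```python
"""Certificate-name and SNI diagnostics for an HTTPS skill endpoint."""
import socket
import ssl

# Constructed sample certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns; the names follow this thread.
NON_WILDCARD_CERT = {
    "subject": ((("commonName", "www.wakecomputer.com"),),),
    "subjectAltName": (("DNS", "www.wakecomputer.com"), ("DNS", "wakecomputer.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.wakecomputer.com"),),),
    "subjectAltName": (("DNS", "*.wakecomputer.com"),),
}


def cert_dns_names(cert):
    """Names the certificate is valid for. SAN dNSName entries take precedence;
    the subject CN is consulted only when the certificate has no DNS SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, label by label, and a
    wildcard stands in for exactly one leftmost label (so *.example.com
    matches www.example.com but neither example.com nor a.b.example.com)."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert, hostname):
    """True when hostname is covered by one of the certificate's DNS names."""
    return any(_name_matches(name, hostname) for name in cert_dns_names(cert))


def probe_tls(host, port=443, send_sni=True, timeout=5.0):
    """Handshake with or without SNI. The chain is validated against the
    system trust store either way; the hostname is checked here with
    hostname_matches() so both legs are judged by the same rule.
    Returns (ok, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # name is checked below instead
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain validation stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname=None means no SNI extension is sent at all
            with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return False, f"handshake failed: {exc}"
    names = cert_dns_names(cert)
    if not hostname_matches(cert, host):
        return False, f"hostname mismatch, certificate names: {names}"
    return True, f"ok, certificate names: {names}"


def classify(with_sni_ok, without_sni_ok):
    """Turn the two probe results into the diagnosis this thread converged on."""
    if with_sni_ok and without_sni_ok:
        return "works with and without SNI"
    if with_sni_ok:
        return "requires SNI: a client that does not send SNI will fail the handshake"
    return "fails even with SNI: certificate, chain or name problem, not SNI"


def sni_report(host, port=443):
    """Run both legs against a live endpoint and summarise them."""
    with_ok, with_detail = probe_tls(host, port, send_sni=True)
    without_ok, without_detail = probe_tls(host, port, send_sni=False)
    return {
        "with_sni": with_detail,
        "without_sni": without_detail,
        "diagnosis": classify(with_ok, without_ok),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.wakecomputer.com"
    for key, value in sni_report(target).items():
        print(f"{key}: {value}")
```

Run it as python sni_probe.py your.endpoint.example (sni_probe.py is just a name for the file above). A result of "requires SNI" means the server hands out a different or no certificate when the client does not name the host, which is exactly the situation on shared-IP hosts such as the OpenShift and App Engine setups described above; a result of "fails even with SNI" points back at the certificate or chain itself. Anil's "Hostname verification failed" message is the case where hostname_matches returns False because the names in the presented certificate do not include the endpoint host.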

rgr@amazon answered
We’ve heard from a number of developers who want support for SNI. We take these requests seriously and are actively working on analyzing support for this feature.

Anil answered
Thanks for the update, rgr. It would be great to update the development documentation to state that SNI is not currently supported. It wouldn't have been a big deal for me, had I known it wasn't supported!

Jamie Wilson answered
Lack of support for SNI should be made clear. I wasted about 3 hours trying to troubleshoot a problem that is due to Alexa's lack of support for SNI.